fortinet.fortios.fortios_firewall_gtp – Configure GTP in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_firewall_gtp
.
New in version 2.10: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify firewall feature and gtp category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Configure GTP. |
|
overbilling notify address |
|
APN. |
|
Action. Choices:
|
|
APN member. |
|
APN name. Source gtp.apn.name gtp.apngrp.name. |
|
ID. |
|
APN selection mode. Choices:
|
|
apn filter Choices:
|
|
Authorized GGSN group Source firewall.address.name firewall.addrgrp.name. |
|
Authorized GGSN/PGW IPv6 group. Source firewall.address6.name firewall.addrgrp6.name. |
|
Authorized SGSN group Source firewall.address.name firewall.addrgrp.name. |
|
Authorized SGSN/SGW IPv6 group. Source firewall.address6.name firewall.addrgrp6.name. |
|
Comment. |
|
Overbilling context. |
|
control plane message rate limit |
|
default apn action Choices:
|
|
default imsi action Choices:
|
|
default action for encapsulated IP traffic Choices:
|
|
default action for encapsulated non-IP traffic Choices:
|
|
default advanced policy action Choices:
|
|
log denied Choices:
|
|
echo request interval (in seconds) |
|
log in extension format Choices:
|
|
log forwarded Choices:
|
|
Global tunnel limit. Source gtp.tunnel-limit.name. |
|
gtp in gtp Choices:
|
|
Enable/disable logging of denied GTP-U packets. Choices:
|
|
Enable/disable logging of forwarded GTP-U packets. Choices:
|
|
Logging of frequency of GTP-U packets. |
|
Half-close tunnel timeout (in seconds). |
|
Half-open tunnel timeout (in seconds). |
|
Handover SGSN group Source firewall.address.name firewall.addrgrp.name. |
|
Handover SGSN/SGW IPv6 group. Source firewall.address6.name firewall.addrgrp6.name. |
|
IE allow list. Source gtp.ie-allow-list.name. |
|
IE allow list. Source gtp.ie-allow-list.name. |
|
IE remove policy. |
|
ID. |
|
GTP IEs to be removed. Choices:
|
|
SGSN address name. Source firewall.address.name firewall.addrgrp.name. |
|
SGSN IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
IE removal policy. Choices:
|
|
IE validation. |
|
Validate APN restriction. Choices:
|
|
Validate charging gateway address. Choices:
|
|
Validate charging ID. Choices:
|
|
Validate end user address. Choices:
|
|
Validate GSN address. Choices:
|
|
Validate IMEI(SV). Choices:
|
|
Validate IMSI. Choices:
|
|
Validate MM context. Choices:
|
|
Validate MS time zone. Choices:
|
|
Validate MS validated. Choices:
|
|
Validate MSISDN. Choices:
|
|
Validate NSAPI. Choices:
|
|
Validate PDP context. Choices:
|
|
Validate Quality of Service(QoS) profile. Choices:
|
|
Validate RAI. Choices:
|
|
Validate RAT type. Choices:
|
|
Validate re-ordering required. Choices:
|
|
Validate selection mode. Choices:
|
|
Validate user location information. Choices:
|
|
IE white list. Source gtp.ie-white-list.name. |
|
IE white list. Source gtp.ie-white-list.name. |
|
IMSI. |
|
Action. Choices:
|
|
APN member. |
|
APN name. Source gtp.apn.name gtp.apngrp.name. |
|
ID. |
|
MCC MNC. |
|
MSISDN prefix. |
|
APN selection mode. Choices:
|
|
imsi filter Choices:
|
|
overbilling interface Source system.interface.name. |
|
Invalid reserved field in GTP header Choices:
|
|
Invalid SGSN IPv6 group to be logged. Source firewall.address6.name firewall.addrgrp6.name. |
|
Invalid SGSN group to be logged Source firewall.address.name firewall.addrgrp.name. |
|
IP filter for encapsulted traffic Choices:
|
|
IP policy. |
|
Action. Choices:
|
|
Destination address name. Source firewall.address.name firewall.addrgrp.name. |
|
Destination IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
ID. |
|
Source address name. Source firewall.address.name firewall.addrgrp.name. |
|
Source IPv6 address name. Source firewall.address6.name firewall.addrgrp6.name. |
|
Logging of frequency of GTP-C packets. |
|
the user data log limit (0-512 bytes) |
|
IMSI prefix for selective logging. |
|
the msisdn prefix for selective logging |
|
max message length |
|
Message filter. Source gtp.message-filter-v0v1.name. |
|
Message filter. Source gtp.message-filter-v2.name. |
|
Message rate limiting. |
|
Rate limit for create AA PDP context request (packets per second). |
|
Rate limit for create AA PDP context response (packets per second). |
|
Rate limit for create MBMS context request (packets per second). |
|
Rate limit for create MBMS context response (packets per second). |
|
Rate limit for create PDP context request (packets per second). |
|
Rate limit for create PDP context response (packets per second). |
|
Rate limit for delete AA PDP context request (packets per second). |
|
Rate limit for delete AA PDP context response (packets per second). |
|
Rate limit for delete MBMS context request (packets per second). |
|
Rate limit for delete MBMS context response (packets per second). |
|
Rate limit for delete PDP context request (packets per second). |
|
Rate limit for delete PDP context response (packets per second). |
|
Rate limit for echo response (packets per second). |
|
Rate limit for echo requests (packets per second). |
|
Rate limit for error indication (packets per second). |
|
Rate limit for failure report request (packets per second). |
|
Rate limit for failure report response (packets per second). |
|
Rate limit for forward relocation complete acknowledge (packets per second). |
|
Rate limit for forward relocation complete (packets per second). |
|
Rate limit for forward relocation request (packets per second). |
|
Rate limit for forward relocation response (packets per second). |
|
Rate limit for forward SRNS context (packets per second). |
|
Rate limit for forward SRNS context acknowledge (packets per second). |
|
Rate limit for G-PDU (packets per second). |
|
Rate limit for identification request (packets per second). |
|
Rate limit for identification response (packets per second). |
|
Rate limit for MBMS de-registration request (packets per second). |
|
Rate limit for MBMS de-registration response (packets per second). |
|
Rate limit for MBMS notification reject request (packets per second). |
|
Rate limit for MBMS notification reject response (packets per second). |
|
Rate limit for MBMS notification request (packets per second). |
|
Rate limit for MBMS notification response (packets per second). |
|
Rate limit for MBMS registration request (packets per second). |
|
Rate limit for MBMS registration response (packets per second). |
|
Rate limit for MBMS session start request (packets per second). |
|
Rate limit for MBMS session start response (packets per second). |
|
Rate limit for MBMS session stop request (packets per second). |
|
Rate limit for MBMS session stop response (packets per second). |
|
Rate limit for note MS GPRS present request (packets per second). |
|
Rate limit for note MS GPRS present response (packets per second). |
|
Rate limit for PDU notify reject request (packets per second). |
|
Rate limit for PDU notify reject response (packets per second). |
|
Rate limit for PDU notify request (packets per second). |
|
Rate limit for PDU notify response (packets per second). |
|
Rate limit for RAN information relay (packets per second). |
|
Rate limit for relocation cancel request (packets per second). |
|
Rate limit for relocation cancel response (packets per second). |
|
Rate limit for send routing information for GPRS request (packets per second). |
|
Rate limit for send routing information for GPRS response (packets per second). |
|
Rate limit for SGSN context acknowledgement (packets per second). |
|
Rate limit for SGSN context request (packets per second). |
|
Rate limit for SGSN context response (packets per second). |
|
Rate limit for support extension headers notification (packets per second). |
|
Rate limit for update MBMS context request (packets per second). |
|
Rate limit for update MBMS context response (packets per second). |
|
Rate limit for update PDP context request (packets per second). |
|
Rate limit for update PDP context response (packets per second). |
|
Rate limit for version not supported (packets per second). |
|
Message rate limiting for GTP version 0. |
|
Rate limit (packets/s) for create PDP context request. |
|
Rate limit (packets/s) for delete PDP context request. |
|
Rate limit (packets/s) for echo request. |
|
Message rate limiting for GTP version 1. |
|
Rate limit (packets/s) for create PDP context request. |
|
Rate limit (packets/s) for delete PDP context request. |
|
Rate limit (packets/s) for echo request. |
|
Message rate limiting for GTP version 2. |
|
Rate limit (packets/s) for create session request. |
|
Rate limit (packets/s) for delete session request. |
|
Rate limit (packets/s) for echo request. |
|
min message length |
|
Missing mandatory information element Choices:
|
|
GTP monitor mode Choices:
|
|
Profile name. |
|
non-IP filter for encapsulted traffic Choices:
|
|
No IP policy. |
|
Action. Choices:
|
|
End of protocol range (0 - 255). |
|
ID. |
|
Start of protocol range (0 - 255). |
|
Protocol field type. Choices:
|
|
Out of state information element. Choices:
|
|
Out of state GTP message Choices:
|
|
Per APN shaper. |
|
APN name. Source gtp.apn.name. |
|
ID. |
|
Rate limit (packets/s) for create PDP context request. |
|
GTP version number: 0 or 1. |
|
Policy. |
|
Action. Choices:
|
|
APN selection mode. Choices:
|
|
APN member. |
|
APN name. Source gtp.apn.name gtp.apngrp.name. |
|
ID. |
|
IMEI(SV) pattern. |
|
IMSI prefix. |
|
IMSI prefix. |
|
Maximum APN restriction value. Choices:
|
|
GTP messages. Choices:
|
|
MSISDN prefix. |
|
MSISDN prefix. |
|
RAI pattern. |
|
RAT Type. Choices:
|
|
ULI pattern. |
|
Advanced policy filter Choices:
|
|
Apply allow or deny action to each GTPv2-c packet. |
|
Action. Choices:
|
|
APN selection mode. Choices:
|
|
APN member. |
|
APN name. Source gtp.apn.name gtp.apngrp.name. |
|
ID. |
|
IMSI prefix. |
|
Maximum APN restriction value. Choices:
|
|
MEI pattern. |
|
GTP messages. Choices:
|
|
MSISDN prefix. |
|
RAT Type. Choices:
|
|
GTPv2 ULI patterns (in order of CGI SAI RAI TAI ECGI LAI). |
|
overbilling notify port |
|
RAT timeout profile. Source gtp.rat-timeout-profile.name. |
|
GTP rate limit mode. Choices:
|
|
log rate limited Choices:
|
|
rate sampling interval (1-3600 seconds) |
|
remove if echo response expires Choices:
|
|
remove upon different Recovery IE Choices:
|
|
reserved information element Choices:
|
|
send DELETE request to path endpoints when GTPv0/v1 tunnel timeout. Choices:
|
|
send DELETE request to path endpoints when GTPv2 tunnel timeout. Choices:
|
|
Spoofed source address for Mobile Station. Choices:
|
|
log state invalid Choices:
|
|
Sub-second interval (0.1, 0.25, or 0.5 sec). Choices:
|
|
Enable/disable sub-second sampling. Choices:
|
|
log tunnel traffic counter Choices:
|
|
tunnel limit |
|
tunnel limit Choices:
|
|
Established tunnel timeout (in seconds). |
|
action for unknown gtp version Choices:
|
|
user plane message rate limit |
|
Warning threshold for rate limiting (0 - 99 percent). |
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
Examples
- hosts: fortigates
collections:
- fortinet.fortios
connection: httpapi
vars:
vdom: "root"
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443
tasks:
- name: Configure GTP.
fortios_firewall_gtp:
vdom: "{{ vdom }}"
state: "present"
access_token: "<your_own_value>"
firewall_gtp:
addr_notify: "<your_own_value>"
apn:
-
action: "allow"
apnmember:
-
name: "default_name_7 (source gtp.apn.name gtp.apngrp.name)"
id: "8"
selection_mode: "ms"
apn_filter: "enable"
authorized_ggsns: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
authorized_ggsns6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
authorized_sgsns: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
authorized_sgsns6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
comment: "Comment."
context_id: "16"
control_plane_message_rate_limit: "17"
default_apn_action: "allow"
default_imsi_action: "allow"
default_ip_action: "allow"
default_noip_action: "allow"
default_policy_action: "allow"
denied_log: "enable"
echo_request_interval: "24"
extension_log: "enable"
forwarded_log: "enable"
global_tunnel_limit: "<your_own_value> (source gtp.tunnel-limit.name)"
gtp_in_gtp: "allow"
gtpu_denied_log: "enable"
gtpu_forwarded_log: "enable"
gtpu_log_freq: "31"
half_close_timeout: "32"
half_open_timeout: "33"
handover_group: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
handover_group6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ie_allow_list_v0v1: "<your_own_value> (source gtp.ie-allow-list.name)"
ie_allow_list_v2: "<your_own_value> (source gtp.ie-allow-list.name)"
ie_remove_policy:
-
id: "39"
remove_ies: "apn-restriction"
sgsn_addr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
sgsn_addr6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ie_remover: "enable"
ie_validation:
apn_restriction: "enable"
charging_gateway_addr: "enable"
charging_ID: "enable"
end_user_addr: "enable"
gsn_addr: "enable"
imei: "enable"
imsi: "enable"
mm_context: "enable"
ms_tzone: "enable"
ms_validated: "enable"
msisdn: "enable"
nsapi: "enable"
pdp_context: "enable"
qos_profile: "enable"
rai: "enable"
rat_type: "enable"
reordering_required: "enable"
selection_mode: "enable"
uli: "enable"
ie_white_list_v0v1: "<your_own_value> (source gtp.ie-white-list.name)"
ie_white_list_v2: "<your_own_value> (source gtp.ie-white-list.name)"
imsi:
-
action: "allow"
apnmember:
-
name: "default_name_69 (source gtp.apn.name gtp.apngrp.name)"
id: "70"
mcc_mnc: "<your_own_value>"
msisdn_prefix: "<your_own_value>"
selection_mode: "ms"
imsi_filter: "enable"
interface_notify: "<your_own_value> (source system.interface.name)"
invalid_reserved_field: "allow"
invalid_sgsns_to_log: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
invalid_sgsns6_to_log: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
ip_filter: "enable"
ip_policy:
-
action: "allow"
dstaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
dstaddr6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
id: "84"
srcaddr: "<your_own_value> (source firewall.address.name firewall.addrgrp.name)"
srcaddr6: "<your_own_value> (source firewall.address6.name firewall.addrgrp6.name)"
log_freq: "87"
log_gtpu_limit: "88"
log_imsi_prefix: "<your_own_value>"
log_msisdn_prefix: "<your_own_value>"
max_message_length: "91"
message_filter_v0v1: "<your_own_value> (source gtp.message-filter-v0v1.name)"
message_filter_v2: "<your_own_value> (source gtp.message-filter-v2.name)"
message_rate_limit:
create_aa_pdp_request: "95"
create_aa_pdp_response: "96"
create_mbms_request: "97"
create_mbms_response: "98"
create_pdp_request: "99"
create_pdp_response: "100"
delete_aa_pdp_request: "101"
delete_aa_pdp_response: "102"
delete_mbms_request: "103"
delete_mbms_response: "104"
delete_pdp_request: "105"
delete_pdp_response: "106"
echo_reponse: "107"
echo_request: "108"
error_indication: "109"
failure_report_request: "110"
failure_report_response: "111"
fwd_reloc_complete_ack: "112"
fwd_relocation_complete: "113"
fwd_relocation_request: "114"
fwd_relocation_response: "115"
fwd_srns_context: "116"
fwd_srns_context_ack: "117"
g_pdu: "118"
identification_request: "119"
identification_response: "120"
mbms_de_reg_request: "121"
mbms_de_reg_response: "122"
mbms_notify_rej_request: "123"
mbms_notify_rej_response: "124"
mbms_notify_request: "125"
mbms_notify_response: "126"
mbms_reg_request: "127"
mbms_reg_response: "128"
mbms_ses_start_request: "129"
mbms_ses_start_response: "130"
mbms_ses_stop_request: "131"
mbms_ses_stop_response: "132"
note_ms_request: "133"
note_ms_response: "134"
pdu_notify_rej_request: "135"
pdu_notify_rej_response: "136"
pdu_notify_request: "137"
pdu_notify_response: "138"
ran_info: "139"
relocation_cancel_request: "140"
relocation_cancel_response: "141"
send_route_request: "142"
send_route_response: "143"
sgsn_context_ack: "144"
sgsn_context_request: "145"
sgsn_context_response: "146"
support_ext_hdr_notify: "147"
update_mbms_request: "148"
update_mbms_response: "149"
update_pdp_request: "150"
update_pdp_response: "151"
version_not_support: "152"
message_rate_limit_v0:
create_pdp_request: "154"
delete_pdp_request: "155"
echo_request: "156"
message_rate_limit_v1:
create_pdp_request: "158"
delete_pdp_request: "159"
echo_request: "160"
message_rate_limit_v2:
create_session_request: "162"
delete_session_request: "163"
echo_request: "164"
min_message_length: "165"
miss_must_ie: "allow"
monitor_mode: "enable"
name: "default_name_168"
noip_filter: "enable"
noip_policy:
-
action: "allow"
end: "172"
id: "173"
start: "174"
type: "etsi"
out_of_state_ie: "allow"
out_of_state_message: "allow"
per_apn_shaper:
-
apn: "<your_own_value> (source gtp.apn.name)"
id: "180"
rate_limit: "181"
version: "182"
policy:
-
action: "allow"
apn_sel_mode: "ms"
apnmember:
-
name: "default_name_187 (source gtp.apn.name gtp.apngrp.name)"
id: "188"
imei: "<your_own_value>"
imsi: "<your_own_value>"
imsi_prefix: "<your_own_value>"
max_apn_restriction: "all"
messages: "create-req"
msisdn: "<your_own_value>"
msisdn_prefix: "<your_own_value>"
rai: "<your_own_value>"
rat_type: "any"
uli: "<your_own_value>"
policy_filter: "enable"
policy_v2:
-
action: "allow"
apn_sel_mode: "ms"
apnmember:
-
name: "default_name_204 (source gtp.apn.name gtp.apngrp.name)"
id: "205"
imsi_prefix: "<your_own_value>"
max_apn_restriction: "all"
mei: "<your_own_value>"
messages: "create-ses-req"
msisdn_prefix: "<your_own_value>"
rat_type: "any"
uli: "<your_own_value>"
port_notify: "213"
rat_timeout_profile: "<your_own_value> (source gtp.rat-timeout-profile.name)"
rate_limit_mode: "per-profile"
rate_limited_log: "enable"
rate_sampling_interval: "217"
remove_if_echo_expires: "enable"
remove_if_recovery_differ: "enable"
reserved_ie: "allow"
send_delete_when_timeout: "enable"
send_delete_when_timeout_v2: "enable"
spoof_src_addr: "allow"
state_invalid_log: "enable"
sub_second_interval: "0.5"
sub_second_sampling: "enable"
traffic_count_log: "enable"
tunnel_limit: "228"
tunnel_limit_log: "enable"
tunnel_timeout: "230"
unknown_version_action: "allow"
user_plane_message_rate_limit: "232"
warning_threshold: "233"
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)