fortinet.fortios.fortios_voip_profile – Configure VoIP profiles in Fortinet’s FortiOS and FortiGate.
Note
This plugin is part of the fortinet.fortios collection (version 2.1.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install fortinet.fortios
.
To use it in a playbook, specify: fortinet.fortios.fortios_voip_profile
.
New in version 2.10: of fortinet.fortios
Synopsis
This module is able to configure a FortiGate or FortiOS (FOS) device by allowing the user to set and modify voip feature and profile category. Examples include all parameters and values need to be adjusted to datasources before usage. Tested with FOS v6.0.0
Requirements
The below requirements are needed on the host that executes this module.
ansible>=2.9.0
Parameters
Parameter |
Comments |
---|---|
Token-based authentication. Generated from GUI of Fortigate. |
|
Enable/Disable logging for task. Choices:
|
|
Member attribute path to operate on. Delimited by a slash character if there are more than one attribute. Parameter marked with member_path is legitimate for doing member operation. |
|
Add or delete a member under specified attribute path. When member_state is specified, the state option is ignored. Choices:
|
|
Indicates whether to create or remove the object. Choices:
|
|
Virtual domain, among those defined previously. A vdom is a virtual instance of the FortiGate that can be configured and used as a different unit. Default: “root” |
|
Configure VoIP profiles. |
|
Comment. |
|
Flow or proxy inspection feature set. Choices:
|
|
Profile name. |
|
SCCP. |
|
Enable/disable block multicast RTP connections. Choices:
|
|
Enable/disable log summary of SCCP calls. Choices:
|
|
Enable/disable logging of SCCP violations. Choices:
|
|
Maximum calls per minute per SCCP client (max 65535). |
|
Enable/disable SCCP. Choices:
|
|
Enable/disable verify SCCP header content. Choices:
|
|
SIP. |
|
ACK request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Enable/disable block ACK requests. Choices:
|
|
Enable/disable block BYE requests. Choices:
|
|
Enable/disable block CANCEL requests. Choices:
|
|
Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy. Choices:
|
|
Enable/disable block INFO requests. Choices:
|
|
Enable/disable block INVITE requests. Choices:
|
|
Enable/disable block requests with headers exceeding max-line-length. Choices:
|
|
Enable/disable block MESSAGE requests. Choices:
|
|
Enable/disable block NOTIFY requests. Choices:
|
|
Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either. Choices:
|
|
Enable/disable block prack requests. Choices:
|
|
Enable/disable block PUBLISH requests. Choices:
|
|
Enable/disable block REFER requests. Choices:
|
|
Enable/disable block REGISTER requests. Choices:
|
|
Enable/disable block SUBSCRIBE requests. Choices:
|
|
Block unrecognized SIP requests (enabled by default). Choices:
|
|
Enable/disable block UPDATE requests. Choices:
|
|
BYE request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Continue tracking calls with no RTP for this many minutes. |
|
CANCEL request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Fixup contact anyway even if contact”s IP:port doesn”t match session”s IP:port. Choices:
|
|
Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled. Choices:
|
|
Hosted NAT Traversal (HNT). Choices:
|
|
INFO request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
INVITE request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Enable/disable allow IPS on RTP. Choices:
|
|
Enable/disable logging of SIP call summary. Choices:
|
|
Enable/disable logging of SIP violations. Choices:
|
|
Action for malformed Allow header. Choices:
|
|
Action for malformed Call-ID header. Choices:
|
|
Action for malformed Contact header. Choices:
|
|
Action for malformed Content-Length header. Choices:
|
|
Action for malformed Content-Type header. Choices:
|
|
Action for malformed CSeq header. Choices:
|
|
Action for malformed Expires header. Choices:
|
|
Action for malformed From header. Choices:
|
|
Action for malformed Max-Forwards header. Choices:
|
|
Action for malformed SIP messages without Proxy-Require header. Choices:
|
|
Action for malformed SIP messages without Require header. Choices:
|
|
Action for malformed P-Asserted-Identity header. Choices:
|
|
Action for malformed RAck header. Choices:
|
|
Action for malformed Record-Route header. Choices:
|
|
Action for malformed Route header. Choices:
|
|
Action for malformed RSeq header. Choices:
|
|
Action for malformed SDP a line. Choices:
|
|
Action for malformed SDP b line. Choices:
|
|
Action for malformed SDP c line. Choices:
|
|
Action for malformed SDP i line. Choices:
|
|
Action for malformed SDP k line. Choices:
|
|
Action for malformed SDP m line. Choices:
|
|
Action for malformed SDP o line. Choices:
|
|
Action for malformed SDP r line. Choices:
|
|
Action for malformed SDP s line. Choices:
|
|
Action for malformed SDP t line. Choices:
|
|
Action for malformed SDP v line. Choices:
|
|
Action for malformed SDP z line. Choices:
|
|
Action for malformed To header. Choices:
|
|
Action for malformed VIA header. Choices:
|
|
Action for malformed request line. Choices:
|
|
Maximum SIP message body length (0 meaning no limit). |
|
Maximum number of concurrent calls/dialogs (per policy). |
|
Maximum number established but idle dialogs to retain (per policy). |
|
Maximum SIP header line length (78-4096). |
|
MESSAGE request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
RTP NAT port range. |
|
Enable/disable preservation of original IP in SDP i line. Choices:
|
|
Enable/disable no SDP fix-up. Choices:
|
|
NOTIFY request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Enable/disable open pinhole for non-REGISTER Contact port. Choices:
|
|
Enable/disable open pinhole for Record-Route port. Choices:
|
|
Enable/disable open pinhole for REGISTER Contact port. Choices:
|
|
Enable/disable open pinhole for Via port. Choices:
|
|
OPTIONS request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
PRACK request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Override i line to preserve original IPS . Choices:
|
|
Expiry time for provisional INVITE (10 - 3600 sec). |
|
PUBLISH request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
REFER request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Enable/disable trace original IP/port within the contact header of REGISTER requests. Choices:
|
|
REGISTER request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Enable/disable support via branch compliant with RFC 2543. Choices:
|
|
Enable/disable create pinholes for RTP traffic to traverse firewall. Choices:
|
|
Relative strength of encryption algorithms accepted in negotiation. Choices:
|
|
Require a client certificate and authenticate it with the peer/peergrp. Source user.peer.name user.peergrp.name. |
|
Authenticate the server”s certificate with the peer/peergrp. Source user.peer.name user.peergrp.name. |
|
Name of Certificate to offer to server if requested. Source vpn.certificate.local.name. |
|
Allow/block client renegotiation by server. Choices:
|
|
Highest SSL/TLS version to negotiate. Choices:
|
|
Lowest SSL/TLS version to negotiate. Choices:
|
|
SSL/TLS mode for encryption & decryption of traffic. Choices:
|
|
SSL Perfect Forward Secrecy. Choices:
|
|
Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). Choices:
|
|
Name of Certificate return to the client in every SSL connection. Source vpn.certificate.local.name. |
|
Enable/disable SIP. Choices:
|
|
Enable/disable only allow the registrar to connect. Choices:
|
|
SUBSCRIBE request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
|
Action for unknown SIP header. Choices:
|
|
UPDATE request rate limit (per second, per policy). |
|
Track the packet protocol field. Choices:
|
Examples
- collections:
- fortinet.fortios
connection: httpapi
hosts: fortigate01
vars:
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: false
vdom: root
tasks:
- name: fortios_voip_profile
fortios_voip_profile:
vdom: root
state: present
voip_profile:
comment: test
name: '1'
sccp:
- block_mcast: disable
log_call_summary: disable
log_violations: disable
max_calls: 0
status: enable
verify_header: disable
sip:
- ack_rate: 0
block_ack: disable
block_bye: disable
block_cancel: disable
block_geo_red_options: disable
block_info: disable
block_invite: disable
block_long_lines: enable
block_message: disable
block_notify: disable
block_options: disable
block_prack: disable
block_publish: disable
block_refer: disable
block_register: disable
block_subscribe: disable
block_unknown: enable
block_update: disable
bye_rate: 0
call_keepalive: 0
cancel_rate: 0
contact_fixup: enable
hnt_restrict_source_ip: disable
hosted_nat_traversal: disable
info_rate: 0
invite_rate: 0
ips_rtp: enable
log_call_summary: enable
log_violations: disable
malformed_header_allow: pass
malformed_header_call_id: pass
malformed_header_contact: pass
malformed_header_content_length: pass
malformed_header_content_type: pass
malformed_header_cseq: pass
malformed_header_expires: pass
malformed_header_from: pass
malformed_header_max_forwards: pass
malformed_header_p_asserted_identity: pass
malformed_header_rack: pass
malformed_header_record_route: pass
malformed_header_route: pass
malformed_header_rseq: pass
malformed_header_sdp_a: pass
malformed_header_sdp_b: pass
malformed_header_sdp_c: pass
malformed_header_sdp_i: pass
malformed_header_sdp_k: pass
malformed_header_sdp_m: pass
malformed_header_sdp_o: pass
malformed_header_sdp_r: pass
malformed_header_sdp_s: pass
malformed_header_sdp_t: pass
malformed_header_sdp_v: pass
malformed_header_sdp_z: pass
malformed_header_to: pass
malformed_header_via: pass
malformed_request_line: pass
max_body_length: 0
max_dialogs: 0
max_idle_dialogs: 0
max_line_length: 998
message_rate: 0
nat_port_range: 5117-65533
nat_trace: enable
no_sdp_fixup: disable
notify_rate: 0
open_contact_pinhole: enable
open_record_route_pinhole: enable
open_register_pinhole: enable
open_via_pinhole: disable
options_rate: 0
prack_rate: 0
preserve_override: disable
provisional_invite_expiry_time: 210
publish_rate: 0
refer_rate: 0
register_contact_trace: disable
register_rate: 0
rfc2543_branch: disable
rtp: enable
ssl_algorithm: high
ssl_client_renegotiation: allow
ssl_max_version: tls-1.3
ssl_min_version: tls-1.1
ssl_mode: 'off'
ssl_pfs: allow
ssl_send_empty_frags: enable
status: enable
strict_register: enable
subscribe_rate: 0
unknown_header: pass
update_rate: 0
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
Build number of the fortigate image Returned: always Sample: “1547” |
|
Last method used to provision the content into FortiGate Returned: always Sample: “PUT” |
|
Last result given by FortiGate on last operation applied Returned: always Sample: “200” |
|
Master key (id) used in the last call to FortiGate Returned: success Sample: “id” |
|
Name of the table used to fulfill the request Returned: always Sample: “urlfilter” |
|
Path of the table used to fulfill the request Returned: always Sample: “webfilter” |
|
Internal revision number Returned: always Sample: “17.0.2.10658” |
|
Serial number of the unit Returned: always Sample: “FGVMEVYYQT3AB5352” |
|
Indication of the operation’s result Returned: always Sample: “success” |
|
Virtual domain used Returned: always Sample: “root” |
|
Version of the FortiGate Returned: always Sample: “v5.6.3” |
Authors
Link Zheng (@chillancezen)
Jie Xue (@JieX19)
Hongbin Lu (@fgtdev-hblu)
Frank Shen (@frankshen01)
Miguel Angel Munoz (@mamunozgonzalez)
Nicolas Thomas (@thomnico)