fortinet.fortimanager.fmgr_firewall_gtp module – Configure GTP.

Note

This module is part of the fortinet.fortimanager collection (version 2.1.5).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_firewall_gtp.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter

Comments

adom

string / required

the parameter (adom) in requested url

bypass_validation

boolean

Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • no ← (default)

  • yes

enable_log

boolean

Enable/Disable logging for task

Choices:

  • no ← (default)

  • yes

firewall_gtp

dictionary

the top level parameters set

addr-notify

string

overbilling notify address

apn

list / elements=string

Apn.

action

string

Action.

Choices:

  • allow

  • deny

apnmember

string

APN member.

id

integer

ID.

selection-mode

list / elements=string

APN selection mode.

Choices:

  • ms

  • net

  • vrf

apn-filter

string

apn filter

Choices:

  • disable

  • enable

authorized-ggsns

string

Authorized GGSN group

authorized-ggsns6

string

Authorized GGSN/PGW IPv6 group.

authorized-sgsns

string

Authorized SGSN group

authorized-sgsns6

string

Authorized SGSN/SGW IPv6 group.

comment

string

Comment.

context-id

integer

Overbilling context.

control-plane-message-rate-limit

integer

control plane message rate limit

default-apn-action

string

default apn action

Choices:

  • allow

  • deny

default-imsi-action

string

default imsi action

Choices:

  • allow

  • deny

default-ip-action

string

default action for encapsulated IP traffic

Choices:

  • allow

  • deny

default-noip-action

string

default action for encapsulated non-IP traffic

Choices:

  • allow

  • deny

default-policy-action

string

default advanced policy action

Choices:

  • allow

  • deny

denied-log

string

log denied

Choices:

  • disable

  • enable

echo-request-interval

integer

echo request interval (in seconds)

extension-log

string

log in extension format

Choices:

  • disable

  • enable

forwarded-log

string

log forwarded

Choices:

  • disable

  • enable

global-tunnel-limit

string

Global tunnel limit.

gtp-in-gtp

string

gtp in gtp

Choices:

  • allow

  • deny

gtpu-denied-log

string

Enable/disable logging of denied GTP-U packets.

Choices:

  • disable

  • enable

gtpu-forwarded-log

string

Enable/disable logging of forwarded GTP-U packets.

Choices:

  • disable

  • enable

gtpu-log-freq

integer

Logging of frequency of GTP-U packets.

half-close-timeout

integer

Half-close tunnel timeout (in seconds).

half-open-timeout

integer

Half-open tunnel timeout (in seconds).

handover-group

string

Handover SGSN group

handover-group6

string

Handover SGSN/SGW IPv6 group.

ie-allow-list-v0v1

string

IE allow list.

ie-allow-list-v2

string

IE allow list.

ie-remove-policy

list / elements=string

Ie-Remove-Policy.

id

integer

ID.

remove-ies

list / elements=string

GTP IEs to be removed.

Choices:

  • apn-restriction

  • rat-type

  • rai

  • uli

  • imei

sgsn-addr

string

SGSN address name.

sgsn-addr6

string

SGSN IPv6 address name.

ie-remover

string

IE removal policy.

Choices:

  • disable

  • enable

ie-validation

dictionary

no description

apn-restriction

string

Validate APN restriction.

Choices:

  • disable

  • enable

charging-gateway-addr

string

Validate charging gateway address.

Choices:

  • disable

  • enable

charging-ID

string

Validate charging ID.

Choices:

  • disable

  • enable

end-user-addr

string

Validate end user address.

Choices:

  • disable

  • enable

gsn-addr

string

Validate GSN address.

Choices:

  • disable

  • enable

imei

string

Validate IMEI(SV).

Choices:

  • disable

  • enable

imsi

string

Validate IMSI.

Choices:

  • disable

  • enable

mm-context

string

Validate MM context.

Choices:

  • disable

  • enable

ms-tzone

string

Validate MS time zone.

Choices:

  • disable

  • enable

ms-validated

string

Validate MS validated.

Choices:

  • disable

  • enable

msisdn

string

Validate MSISDN.

Choices:

  • disable

  • enable

nsapi

string

Validate NSAPI.

Choices:

  • disable

  • enable

pdp-context

string

Validate PDP context.

Choices:

  • disable

  • enable

qos-profile

string

Validate Quality of Service(QoS) profile.

Choices:

  • disable

  • enable

rai

string

Validate RAI.

Choices:

  • disable

  • enable

rat-type

string

Validate RAT type.

Choices:

  • disable

  • enable

reordering-required

string

Validate re-ordering required.

Choices:

  • disable

  • enable

selection-mode

string

Validate selection mode.

Choices:

  • disable

  • enable

uli

string

Validate user location information.

Choices:

  • disable

  • enable

ie-white-list-v0v1

string

IE white list.

ie-white-list-v2

string

IE white list.

imsi

list / elements=string

Imsi.

action

string

Action.

Choices:

  • allow

  • deny

apnmember

string

APN member.

id

integer

ID.

mcc-mnc

string

MCC MNC.

msisdn-prefix

string

MSISDN prefix.

selection-mode

list / elements=string

APN selection mode.

Choices:

  • ms

  • net

  • vrf

imsi-filter

string

imsi filter

Choices:

  • disable

  • enable

interface-notify

string

overbilling interface

invalid-reserved-field

string

Invalid reserved field in GTP header

Choices:

  • allow

  • deny

invalid-sgsns-to-log

string

Invalid SGSN group to be logged

invalid-sgsns6-to-log

string

Invalid SGSN IPv6 group to be logged.

ip-filter

string

IP filter for encapsulated traffic

Choices:

  • disable

  • enable

ip-policy

list / elements=string

Ip-Policy.

action

string

Action.

Choices:

  • allow

  • deny

dstaddr

string

Destination address name.

dstaddr6

string

Destination IPv6 address name.

id

integer

ID.

srcaddr

string

Source address name.

srcaddr6

string

Source IPv6 address name.

log-freq

integer

Logging of frequency of GTP-C packets.

log-gtpu-limit

integer

the user data log limit (0-512 bytes)

log-imsi-prefix

string

IMSI prefix for selective logging.

log-msisdn-prefix

string

the msisdn prefix for selective logging

max-message-length

integer

max message length

message-filter-v0v1

string

Message filter.

message-filter-v2

string

Message filter.

message-rate-limit

dictionary

no description

create-aa-pdp-request

integer

Rate limit for create AA PDP context request (packets per second).

create-aa-pdp-response

integer

Rate limit for create AA PDP context response (packets per second).

create-mbms-request

integer

Rate limit for create MBMS context request (packets per second).

create-mbms-response

integer

Rate limit for create MBMS context response (packets per second).

create-pdp-request

integer

Rate limit for create PDP context request (packets per second).

create-pdp-response

integer

Rate limit for create PDP context response (packets per second).

delete-aa-pdp-request

integer

Rate limit for delete AA PDP context request (packets per second).

delete-aa-pdp-response

integer

Rate limit for delete AA PDP context response (packets per second).

delete-mbms-request

integer

Rate limit for delete MBMS context request (packets per second).

delete-mbms-response

integer

Rate limit for delete MBMS context response (packets per second).

delete-pdp-request

integer

Rate limit for delete PDP context request (packets per second).

delete-pdp-response

integer

Rate limit for delete PDP context response (packets per second).

echo-reponse

integer

Rate limit for echo response (packets per second).

echo-request

integer

Rate limit for echo requests (packets per second).

error-indication

integer

Rate limit for error indication (packets per second).

failure-report-request

integer

Rate limit for failure report request (packets per second).

failure-report-response

integer

Rate limit for failure report response (packets per second).

fwd-reloc-complete-ack

integer

Rate limit for forward relocation complete acknowledge (packets per second).

fwd-relocation-complete

integer

Rate limit for forward relocation complete (packets per second).

fwd-relocation-request

integer

Rate limit for forward relocation request (packets per second).

fwd-relocation-response

integer

Rate limit for forward relocation response (packets per second).

fwd-srns-context

integer

Rate limit for forward SRNS context (packets per second).

fwd-srns-context-ack

integer

Rate limit for forward SRNS context acknowledge (packets per second).

g-pdu

integer

Rate limit for G-PDU (packets per second).

identification-request

integer

Rate limit for identification request (packets per second).

identification-response

integer

Rate limit for identification response (packets per second).

mbms-de-reg-request

integer

Rate limit for MBMS de-registration request (packets per second).

mbms-de-reg-response

integer

Rate limit for MBMS de-registration response (packets per second).

mbms-notify-rej-request

integer

Rate limit for MBMS notification reject request (packets per second).

mbms-notify-rej-response

integer

Rate limit for MBMS notification reject response (packets per second).

mbms-notify-request

integer

Rate limit for MBMS notification request (packets per second).

mbms-notify-response

integer

Rate limit for MBMS notification response (packets per second).

mbms-reg-request

integer

Rate limit for MBMS registration request (packets per second).

mbms-reg-response

integer

Rate limit for MBMS registration response (packets per second).

mbms-ses-start-request

integer

Rate limit for MBMS session start request (packets per second).

mbms-ses-start-response

integer

Rate limit for MBMS session start response (packets per second).

mbms-ses-stop-request

integer

Rate limit for MBMS session stop request (packets per second).

mbms-ses-stop-response

integer

Rate limit for MBMS session stop response (packets per second).

note-ms-request

integer

Rate limit for note MS GPRS present request (packets per second).

note-ms-response

integer

Rate limit for note MS GPRS present response (packets per second).

pdu-notify-rej-request

integer

Rate limit for PDU notify reject request (packets per second).

pdu-notify-rej-response

integer

Rate limit for PDU notify reject response (packets per second).

pdu-notify-request

integer

Rate limit for PDU notify request (packets per second).

pdu-notify-response

integer

Rate limit for PDU notify response (packets per second).

ran-info

integer

Rate limit for RAN information relay (packets per second).

relocation-cancel-request

integer

Rate limit for relocation cancel request (packets per second).

relocation-cancel-response

integer

Rate limit for relocation cancel response (packets per second).

send-route-request

integer

Rate limit for send routing information for GPRS request (packets per second).

send-route-response

integer

Rate limit for send routing information for GPRS response (packets per second).

sgsn-context-ack

integer

Rate limit for SGSN context acknowledgement (packets per second).

sgsn-context-request

integer

Rate limit for SGSN context request (packets per second).

sgsn-context-response

integer

Rate limit for SGSN context response (packets per second).

support-ext-hdr-notify

integer

Rate limit for support extension headers notification (packets per second).

update-mbms-request

integer

Rate limit for update MBMS context request (packets per second).

update-mbms-response

integer

Rate limit for update MBMS context response (packets per second).

update-pdp-request

integer

Rate limit for update PDP context request (packets per second).

update-pdp-response

integer

Rate limit for update PDP context response (packets per second).

version-not-support

integer

Rate limit for version not supported (packets per second).

message-rate-limit-v0

dictionary

no description

create-pdp-request

integer

Rate limit (packets/s) for create PDP context request.

delete-pdp-request

integer

Rate limit (packets/s) for delete PDP context request.

echo-request

integer

Rate limit (packets/s) for echo request.

message-rate-limit-v1

dictionary

no description

create-pdp-request

integer

Rate limit (packets/s) for create PDP context request.

delete-pdp-request

integer

Rate limit (packets/s) for delete PDP context request.

echo-request

integer

Rate limit (packets/s) for echo request.

message-rate-limit-v2

dictionary

no description

create-session-request

integer

Rate limit (packets/s) for create session request.

delete-session-request

integer

Rate limit (packets/s) for delete session request.

echo-request

integer

Rate limit (packets/s) for echo request.

min-message-length

integer

min message length

miss-must-ie

string

Missing mandatory information element

Choices:

  • allow

  • deny

monitor-mode

string

GTP monitor mode

Choices:

  • disable

  • enable

  • vdom

name

string

Profile name.

noip-filter

string

non-IP filter for encapsulated traffic

Choices:

  • disable

  • enable

noip-policy

list / elements=string

Noip-Policy.

action

string

Action.

Choices:

  • allow

  • deny

end

integer

End of protocol range (0 - 255).

id

integer

ID.

start

integer

Start of protocol range (0 - 255).

type

string

Protocol field type.

Choices:

  • etsi

  • ietf

out-of-state-ie

string

Out of state information element.

Choices:

  • allow

  • deny

out-of-state-message

string

Out of state GTP message

Choices:

  • allow

  • deny

per-apn-shaper

list / elements=string

Per-Apn-Shaper.

apn

string

APN name.

id

integer

ID.

rate-limit

integer

Rate limit (packets/s) for create PDP context request.

version

integer

GTP version number: 0 or 1.

policy

list / elements=string

Policy.

action

string

Action.

Choices:

  • allow

  • deny

apn-sel-mode

list / elements=string

APN selection mode.

Choices:

  • ms

  • net

  • vrf

apnmember

string

APN member.

id

integer

ID.

imei

string

IMEI(SV) pattern.

imsi

string

IMSI prefix.

imsi-prefix

string

IMSI prefix.

max-apn-restriction

string

Maximum APN restriction value.

Choices:

  • all

  • public-1

  • public-2

  • private-1

  • private-2

messages

list / elements=string

GTP messages.

Choices:

  • create-req

  • create-res

  • update-req

  • update-res

msisdn

string

MSISDN prefix.

msisdn-prefix

string

MSISDN prefix.

rai

string

RAI pattern.

rat-type

list / elements=string

RAT Type.

Choices:

  • any

  • utran

  • geran

  • wlan

  • gan

  • hspa

  • eutran

  • virtual

  • nbiot

uli

string

ULI pattern.

policy-filter

string

Advanced policy filter

Choices:

  • disable

  • enable

policy-v2

list / elements=string

Policy-V2.

action

string

Action.

Choices:

  • deny

  • allow

apn-sel-mode

list / elements=string

APN selection mode.

Choices:

  • ms

  • net

  • vrf

apnmember

string

APN member.

id

integer

ID.

imsi-prefix

string

IMSI prefix.

max-apn-restriction

string

Maximum APN restriction value.

Choices:

  • all

  • public-1

  • public-2

  • private-1

  • private-2

mei

string

MEI pattern.

messages

list / elements=string

GTP messages.

Choices:

  • create-ses-req

  • create-ses-res

  • modify-bearer-req

  • modify-bearer-res

msisdn-prefix

string

MSISDN prefix.

rat-type

list / elements=string

RAT Type.

Choices:

  • any

  • utran

  • geran

  • wlan

  • gan

  • hspa

  • eutran

  • virtual

  • nbiot

  • ltem

  • nr

uli

string

GTPv2 ULI patterns (in order of CGI SAI RAI TAI ECGI LAI).

port-notify

integer

overbilling notify port

rate-limit-mode

string

GTP rate limit mode.

Choices:

  • per-profile

  • per-stream

  • per-apn

rate-limited-log

string

log rate limited

Choices:

  • disable

  • enable

rate-sampling-interval

integer

rate sampling interval (1-3600 seconds)

remove-if-echo-expires

string

remove if echo response expires

Choices:

  • disable

  • enable

remove-if-recovery-differ

string

remove upon different Recovery IE

Choices:

  • disable

  • enable

reserved-ie

string

reserved information element

Choices:

  • allow

  • deny

send-delete-when-timeout

string

send DELETE request to path endpoints when GTPv0/v1 tunnel timeout.

Choices:

  • disable

  • enable

send-delete-when-timeout-v2

string

send DELETE request to path endpoints when GTPv2 tunnel timeout.

Choices:

  • disable

  • enable

spoof-src-addr

string

Spoofed source address for Mobile Station.

Choices:

  • allow

  • deny

state-invalid-log

string

log state invalid

Choices:

  • disable

  • enable

sub-second-interval

string

Sub-second interval (0.1, 0.25, or 0.5 sec, default = 0.5).

Choices:

  • 0.1

  • 0.25

  • 0.5

sub-second-sampling

string

Enable/disable sub-second sampling.

Choices:

  • disable

  • enable

traffic-count-log

string

log tunnel traffic counter

Choices:

  • disable

  • enable

tunnel-limit

integer

tunnel limit

tunnel-limit-log

string

tunnel limit

Choices:

  • disable

  • enable

tunnel-timeout

integer

Established tunnel timeout (in seconds).

unknown-version-action

string

action for unknown gtp version

Choices:

  • allow

  • deny

user-plane-message-rate-limit

integer

user plane message rate limit

warning-threshold

integer

Warning threshold for rate limiting (0 - 99 percent).

proposed_method

string

The overridden method for the underlying JSON-RPC request

Choices:

  • update

  • set

  • add

rc_failed

list / elements=string

the list of rc codes that overrides the conditions under which the module fails

rc_succeeded

list / elements=string

the list of rc codes that overrides the conditions under which the module succeeds

state

string / required

the directive to create, update or delete an object

Choices:

  • present

  • absent

workspace_locking_adom

string

the adom to lock for FortiManager running in workspace mode, the value can be global and others including root

workspace_locking_timeout

integer

the maximum time in seconds to wait for another user to release the workspace lock

Default: 300

Notes

Note

  • This FortiManager module supports running in workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False # TLS certificate verification is off; set to True when the FortiManager certificate is trusted
     ansible_httpapi_port: 443
  tasks:
   - name: Configure GTP.
     fmgr_firewall_gtp:
        bypass_validation: False
        adom: FortiCarrier # FOC-only object; requires a FortiCarrier ADOM
        state: present
        firewall_gtp:
           monitor-mode: disable #<value in [disable, enable, vdom]>
           name: 'ansible-test'

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False # TLS certificate verification is off; set to True when the FortiManager certificate is trusted
    ansible_httpapi_port: 443
  tasks:
   - name: retrieve all the GTPs
     fmgr_fact:
       facts:
           selector: 'firewall_gtp'
           params:
               adom: 'FortiCarrier' # FOC-only object; requires a FortiCarrier ADOM
               gtp: ''
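
An added example, not part of the module's own documentation: a deny-by-default GTP profile built only from parameters listed on this page. The profile name, the APN object name and every numeric limit are placeholders, and the apn entry is written as a dictionary of the sub-options listed under apn, which is an assumption about the list's element format.

```yaml
- name: Apply a restrictive GTP profile (added example)
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: True  # verify the FortiManager certificate
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the profile
      fmgr_firewall_gtp:
        adom: FortiCarrier                # FOC-only object; requires a FortiCarrier ADOM
        state: present
        firewall_gtp:
          name: 'gtp-restrictive-example' # placeholder profile name
          comment: 'Deny-by-default GTP profile'
          # Protocol anomalies: every allow/deny choice set to deny
          unknown-version-action: deny
          invalid-reserved-field: deny
          reserved-ie: deny
          miss-must-ie: deny
          out-of-state-message: deny
          out-of-state-ie: deny
          spoof-src-addr: deny
          gtp-in-gtp: deny
          # APN allow list: anything not matched by an entry is denied
          apn-filter: enable
          default-apn-action: deny
          apn:
            - id: 1
              action: allow
              apnmember: 'example-apn'    # placeholder APN object name
              selection-mode:
                - ms
                - net
                - vrf
          # Information element validation
          ie-validation:
            imsi: enable
            msisdn: enable
            apn-restriction: enable
            rat-type: enable
          # GTPv2 control-plane rate limits (packets/s, placeholder values)
          message-rate-limit-v2:
            create-session-request: 1000
            delete-session-request: 1000
            echo-request: 100
          warning-threshold: 80           # percent, valid range 0 - 99
          # Log what the profile blocks or throttles
          denied-log: enable
          state-invalid-log: enable
          rate-limited-log: enable
          tunnel-limit-log: enable
      register: gtp_result

    - name: Show the module result
      debug:
        var: gtp_result
```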

Return Values

Common return values are documented here; the following fields are unique to this module:

Key

Description

request_url

string

The full URL requested

Returned: always

Sample: “/sys/login/user”

response_code

integer

The status of the API request

Returned: always

Sample: 0

response_message

string

The descriptive message of the API response

Returned: always

Sample: “OK.”

Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)