fortinet.fortimanager.fmgr_firewall_gtp module – Configure GTP.

Note

This module is part of the fortinet.fortimanager collection (version 2.8.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_firewall_gtp.

New in fortinet.fortimanager 2.0.0

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values, which must be adjusted to your data sources before use.

Parameters

Parameter

Comments

access_token

string

The token to access FortiManager without using username and password.

adom

string / required

The parameter (adom) in requested url.

bypass_validation

boolean

Only set to true when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.

Choices:

  • false ← (default)

  • true

enable_log

boolean

Enable/Disable logging for task.

Choices:

  • false ← (default)

  • true

firewall_gtp

dictionary

The top level parameters set.

addr_notify

string

Overbilling notify address

apn

list / elements=dictionary

Apn.

action

string

Action.

Choices:

  • "allow"

  • "deny"

apnmember

any

(list or str) APN member.

id

integer

ID.

selection_mode

list / elements=string

APN selection mode.

Choices:

  • "ms"

  • "net"

  • "vrf"

apn_filter

string

Apn filter

Choices:

  • "disable"

  • "enable"

authorized_ggsns

string

Authorized GGSN group

authorized_ggsns6

string

Authorized GGSN/PGW IPv6 group.

authorized_sgsns

string

Authorized SGSN group

authorized_sgsns6

string

Authorized SGSN/SGW IPv6 group.

comment

string

Comment.

context_id

integer

Overbilling context.

control_plane_message_rate_limit

integer

Control plane message rate limit

default_apn_action

string

Default apn action

Choices:

  • "allow"

  • "deny"

default_imsi_action

string

Default imsi action

Choices:

  • "allow"

  • "deny"

default_ip_action

string

Default action for encapsulated IP traffic

Choices:

  • "allow"

  • "deny"

default_noip_action

string

Default action for encapsulated non-IP traffic

Choices:

  • "allow"

  • "deny"

default_policy_action

string

Default advanced policy action

Choices:

  • "allow"

  • "deny"

denied_log

string

Log denied

Choices:

  • "disable"

  • "enable"

echo_request_interval

integer

Echo request interval

extension_log

string

Log in extension format

Choices:

  • "disable"

  • "enable"

forwarded_log

string

Log forwarded

Choices:

  • "disable"

  • "enable"

global_tunnel_limit

string

Global tunnel limit.

gtp_in_gtp

string

Gtp in gtp

Choices:

  • "allow"

  • "deny"

gtpu_denied_log

string

Enable/disable logging of denied GTP-U packets.

Choices:

  • "disable"

  • "enable"

gtpu_forwarded_log

string

Enable/disable logging of forwarded GTP-U packets.

Choices:

  • "disable"

  • "enable"

gtpu_log_freq

integer

Logging frequency of GTP-U packets.

gtpv0

string

GTPv0 traffic.

Choices:

  • "allow"

  • "deny"

half_close_timeout

integer

Half-close tunnel timeout

half_open_timeout

integer

Half-open tunnel timeout

handover_group

string

Handover SGSN group

handover_group6

string

Handover SGSN/SGW IPv6 group.

ie_allow_list_v0v1

string

IE allow list.

ie_allow_list_v2

string

IE allow list.

ie_remove_policy

list / elements=dictionary

Ie remove policy.

id

integer

ID.

remove_ies

list / elements=string

GTP IEs to be removed.

Choices:

  • "apn-restriction"

  • "rat-type"

  • "rai"

  • "uli"

  • "imei"

sgsn_addr

string

SGSN address name.

sgsn_addr6

string

SGSN IPv6 address name.

ie_remover

string

IE removal policy.

Choices:

  • "disable"

  • "enable"

ie_validation

dictionary

Ie validation.

apn_restriction

string

Validate APN restriction.

Choices:

  • "disable"

  • "enable"

charging_gateway_addr

string

Validate charging gateway address.

Choices:

  • "disable"

  • "enable"

charging_ID

string

Validate charging ID.

Choices:

  • "disable"

  • "enable"

end_user_addr

string

Validate end user address.

Choices:

  • "disable"

  • "enable"

gsn_addr

string

Validate GSN address.

Choices:

  • "disable"

  • "enable"

imei

string

Validate IMEI

Choices:

  • "disable"

  • "enable"

imsi

string

Validate IMSI.

Choices:

  • "disable"

  • "enable"

mm_context

string

Validate MM context.

Choices:

  • "disable"

  • "enable"

ms_tzone

string

Validate MS time zone.

Choices:

  • "disable"

  • "enable"

ms_validated

string

Validate MS validated.

Choices:

  • "disable"

  • "enable"

msisdn

string

Validate MSISDN.

Choices:

  • "disable"

  • "enable"

nsapi

string

Validate NSAPI.

Choices:

  • "disable"

  • "enable"

pdp_context

string

Validate PDP context.

Choices:

  • "disable"

  • "enable"

qos_profile

string

Validate Quality of Service

Choices:

  • "disable"

  • "enable"

rai

string

Validate RAI.

Choices:

  • "disable"

  • "enable"

rat_type

string

Validate RAT type.

Choices:

  • "disable"

  • "enable"

reordering_required

string

Validate re-ordering required.

Choices:

  • "disable"

  • "enable"

selection_mode

string

Validate selection mode.

Choices:

  • "disable"

  • "enable"

uli

string

Validate user location information.

Choices:

  • "disable"

  • "enable"

ie_white_list_v0v1

string

IE white list.

ie_white_list_v2

string

IE white list.

imsi

list / elements=dictionary

Imsi.

action

string

Action.

Choices:

  • "allow"

  • "deny"

apnmember

any

(list or str) APN member.

id

integer

ID.

mcc_mnc

string

MCC MNC.

msisdn_prefix

string

MSISDN prefix.

selection_mode

list / elements=string

APN selection mode.

Choices:

  • "ms"

  • "net"

  • "vrf"

imsi_filter

string

Imsi filter

Choices:

  • "disable"

  • "enable"

interface_notify

string

Overbilling interface

invalid_reserved_field

string

Invalid reserved field in GTP header

Choices:

  • "allow"

  • "deny"

invalid_sgsns6_to_log

string

Invalid SGSN IPv6 group to be logged.

invalid_sgsns_to_log

string

Invalid SGSN group to be logged

ip_filter

string

IP filter for encapsulated traffic

Choices:

  • "disable"

  • "enable"

ip_policy

list / elements=dictionary

Ip policy.

action

string

Action.

Choices:

  • "allow"

  • "deny"

dstaddr

string

Destination address name.

dstaddr6

string

Destination IPv6 address name.

id

integer

ID.

srcaddr

string

Source address name.

srcaddr6

string

Source IPv6 address name.

log_freq

integer

Logging frequency of GTP-C packets.

log_gtpu_limit

integer

The user data log limit

log_imsi_prefix

string

IMSI prefix for selective logging.

log_msisdn_prefix

string

The msisdn prefix for selective logging

max_message_length

integer

Max message length

message_filter

dictionary

Message filter.

create_aa_pdp

string

Create AA PDP.

Choices:

  • "allow"

  • "deny"

create_mbms

string

Create MBMS.

Choices:

  • "allow"

  • "deny"

create_pdp

string

Create PDP.

Choices:

  • "allow"

  • "deny"

data_record

string

Data record.

Choices:

  • "allow"

  • "deny"

delete_aa_pdp

string

Delete AA PDP.

Choices:

  • "allow"

  • "deny"

delete_mbms

string

Delete MBMS.

Choices:

  • "allow"

  • "deny"

delete_pdp

string

Delete PDP.

Choices:

  • "allow"

  • "deny"

echo

string

Echo.

Choices:

  • "allow"

  • "deny"

error_indication

string

Error indication.

Choices:

  • "allow"

  • "deny"

failure_report

string

Failure report.

Choices:

  • "allow"

  • "deny"

fwd_relocation

string

Forward relocation.

Choices:

  • "allow"

  • "deny"

fwd_srns_context

string

Forward SRNS context.

Choices:

  • "allow"

  • "deny"

gtp_pdu

string

GTP PDU.

Choices:

  • "allow"

  • "deny"

identification

string

Identification.

Choices:

  • "allow"

  • "deny"

mbms_notification

string

MBMS notification.

Choices:

  • "allow"

  • "deny"

node_alive

string

Node alive.

Choices:

  • "allow"

  • "deny"

note_ms_present

string

Note MS present.

Choices:

  • "allow"

  • "deny"

pdu_notification

string

PDU notification.

Choices:

  • "allow"

  • "deny"

ran_info

string

Ran info.

Choices:

  • "allow"

  • "deny"

redirection

string

Redirection.

Choices:

  • "allow"

  • "deny"

relocation_cancel

string

Relocation cancel.

Choices:

  • "allow"

  • "deny"

send_route

string

Send route.

Choices:

  • "allow"

  • "deny"

sgsn_context

string

SGSN context.

Choices:

  • "allow"

  • "deny"

support_extension

string

Support extension.

Choices:

  • "allow"

  • "deny"

unknown_message_action

string

Unknown message action.

Choices:

  • "allow"

  • "deny"

update_mbms

string

Update MBMS.

Choices:

  • "allow"

  • "deny"

update_pdp

string

Update PDP.

Choices:

  • "allow"

  • "deny"

version_not_support

string

Version not supported.

Choices:

  • "allow"

  • "deny"

message_filter_v0v1

string

Message filter.

message_filter_v2

string

Message filter.

message_rate_limit

dictionary

Message rate limit.

create_aa_pdp_request

integer

Rate limit for create AA PDP context request

create_aa_pdp_response

integer

Rate limit for create AA PDP context response

create_mbms_request

integer

Rate limit for create MBMS context request

create_mbms_response

integer

Rate limit for create MBMS context response

create_pdp_request

integer

Rate limit for create PDP context request

create_pdp_response

integer

Rate limit for create PDP context response

delete_aa_pdp_request

integer

Rate limit for delete AA PDP context request

delete_aa_pdp_response

integer

Rate limit for delete AA PDP context response

delete_mbms_request

integer

Rate limit for delete MBMS context request

delete_mbms_response

integer

Rate limit for delete MBMS context response

delete_pdp_request

integer

Rate limit for delete PDP context request

delete_pdp_response

integer

Rate limit for delete PDP context response

echo_reponse

integer

Rate limit for echo response

echo_request

integer

Rate limit for echo requests

echo_response

integer

Rate limit for echo response

error_indication

integer

Rate limit for error indication

failure_report_request

integer

Rate limit for failure report request

failure_report_response

integer

Rate limit for failure report response

fwd_reloc_complete_ack

integer

Rate limit for forward relocation complete acknowledge

fwd_relocation_complete

integer

Rate limit for forward relocation complete

fwd_relocation_request

integer

Rate limit for forward relocation request

fwd_relocation_response

integer

Rate limit for forward relocation response

fwd_srns_context

integer

Rate limit for forward SRNS context

fwd_srns_context_ack

integer

Rate limit for forward SRNS context acknowledge

g_pdu

integer

Rate limit for G-PDU

identification_request

integer

Rate limit for identification request

identification_response

integer

Rate limit for identification response

mbms_de_reg_request

integer

Rate limit for MBMS de-registration request

mbms_de_reg_response

integer

Rate limit for MBMS de-registration response

mbms_notify_rej_request

integer

Rate limit for MBMS notification reject request

mbms_notify_rej_response

integer

Rate limit for MBMS notification reject response

mbms_notify_request

integer

Rate limit for MBMS notification request

mbms_notify_response

integer

Rate limit for MBMS notification response

mbms_reg_request

integer

Rate limit for MBMS registration request

mbms_reg_response

integer

Rate limit for MBMS registration response

mbms_ses_start_request

integer

Rate limit for MBMS session start request

mbms_ses_start_response

integer

Rate limit for MBMS session start response

mbms_ses_stop_request

integer

Rate limit for MBMS session stop request

mbms_ses_stop_response

integer

Rate limit for MBMS session stop response

note_ms_request

integer

Rate limit for note MS GPRS present request

note_ms_response

integer

Rate limit for note MS GPRS present response

pdu_notify_rej_request

integer

Rate limit for PDU notify reject request

pdu_notify_rej_response

integer

Rate limit for PDU notify reject response

pdu_notify_request

integer

Rate limit for PDU notify request

pdu_notify_response

integer

Rate limit for PDU notify response

ran_info

integer

Rate limit for RAN information relay

relocation_cancel_request

integer

Rate limit for relocation cancel request

relocation_cancel_response

integer

Rate limit for relocation cancel response

send_route_request

integer

Rate limit for send routing information for GPRS request

send_route_response

integer

Rate limit for send routing information for GPRS response

sgsn_context_ack

integer

Rate limit for SGSN context acknowledgement

sgsn_context_request

integer

Rate limit for SGSN context request

sgsn_context_response

integer

Rate limit for SGSN context response

support_ext_hdr_notify

integer

Rate limit for support extension headers notification

update_mbms_request

integer

Rate limit for update MBMS context request

update_mbms_response

integer

Rate limit for update MBMS context response

update_pdp_request

integer

Rate limit for update PDP context request

update_pdp_response

integer

Rate limit for update PDP context response

version_not_support

integer

Rate limit for version not supported

message_rate_limit_v0

dictionary

Message rate limit v0.

create_pdp_request

integer

Rate limit

delete_pdp_request

integer

Rate limit

echo_request

integer

Rate limit

message_rate_limit_v1

dictionary

Message rate limit v1.

create_pdp_request

integer

Rate limit

delete_pdp_request

integer

Rate limit

echo_request

integer

Rate limit

message_rate_limit_v2

dictionary

Message rate limit v2.

create_session_request

integer

Rate limit

delete_session_request

integer

Rate limit

echo_request

integer

Rate limit

min_message_length

integer

Min message length

miss_must_ie

string

Missing mandatory information element

Choices:

  • "allow"

  • "deny"

monitor_mode

string

GTP monitor mode

Choices:

  • "disable"

  • "enable"

  • "vdom"

name

string / required

Profile name.

noip_filter

string

Non-IP filter for encapsulated traffic

Choices:

  • "disable"

  • "enable"

noip_policy

list / elements=dictionary

Noip policy.

action

string

Action.

Choices:

  • "allow"

  • "deny"

end

integer

End of protocol range

id

integer

ID.

start

integer

Start of protocol range

type

string

Protocol field type.

Choices:

  • "etsi"

  • "ietf"

out_of_state_ie

string

Out of state information element.

Choices:

  • "allow"

  • "deny"

out_of_state_message

string

Out of state GTP message

Choices:

  • "allow"

  • "deny"

per_apn_shaper

list / elements=dictionary

Per apn shaper.

apn

string

APN name.

id

integer

ID.

rate_limit

integer

Rate limit

version

integer

GTP version number

policy

list / elements=dictionary

Policy.

action

string

Action.

Choices:

  • "allow"

  • "deny"

apn

string

APN suffix.

apn_sel_mode

list / elements=string

APN selection mode.

Choices:

  • "ms"

  • "net"

  • "vrf"

apnmember

any

(list or str) APN member.

id

integer

ID.

imei

string

IMEI

imsi

string

IMSI prefix.

imsi_prefix

string

IMSI prefix.

max_apn_restriction

string

Maximum APN restriction value.

Choices:

  • "all"

  • "public-1"

  • "public-2"

  • "private-1"

  • "private-2"

messages

list / elements=string

GTP messages.

Choices:

  • "create-req"

  • "create-res"

  • "update-req"

  • "update-res"

msisdn

string

MSISDN prefix.

msisdn_prefix

string

MSISDN prefix.

rai

string

RAI pattern.

rat_type

list / elements=string

RAT Type.

Choices:

  • "any"

  • "utran"

  • "geran"

  • "wlan"

  • "gan"

  • "hspa"

  • "eutran"

  • "virtual"

  • "nbiot"

uli

string

ULI pattern.

policy_filter

string

Advanced policy filter

Choices:

  • "disable"

  • "enable"

policy_v2

list / elements=dictionary

Policy v2.

action

string

Action.

Choices:

  • "deny"

  • "allow"

apn_sel_mode

list / elements=string

APN selection mode.

Choices:

  • "ms"

  • "net"

  • "vrf"

apnmember

any

(list or str) APN member.

id

integer

ID.

imsi_prefix

string

IMSI prefix.

max_apn_restriction

string

Maximum APN restriction value.

Choices:

  • "all"

  • "public-1"

  • "public-2"

  • "private-1"

  • "private-2"

mei

string

MEI pattern.

messages

list / elements=string

GTP messages.

Choices:

  • "create-ses-req"

  • "create-ses-res"

  • "modify-bearer-req"

  • "modify-bearer-res"

msisdn_prefix

string

MSISDN prefix.

rat_type

list / elements=string

RAT Type.

Choices:

  • "any"

  • "utran"

  • "geran"

  • "wlan"

  • "gan"

  • "hspa"

  • "eutran"

  • "virtual"

  • "nbiot"

  • "ltem"

  • "nr"

uli

any

(list) GTPv2 ULI patterns

port_notify

integer

Overbilling notify port

rat_timeout_profile

string

RAT timeout profile.

rate_limit_mode

string

GTP rate limit mode.

Choices:

  • "per-profile"

  • "per-stream"

  • "per-apn"

rate_limited_log

string

Log rate limited

Choices:

  • "disable"

  • "enable"

rate_sampling_interval

integer

Rate sampling interval

remove_if_echo_expires

string

Remove if echo response expires

Choices:

  • "disable"

  • "enable"

remove_if_recovery_differ

string

Remove upon different Recovery IE

Choices:

  • "disable"

  • "enable"

reserved_ie

string

Reserved information element

Choices:

  • "allow"

  • "deny"

send_delete_when_timeout

string

Send DELETE request to path endpoints when GTPv0/v1 tunnel timeout.

Choices:

  • "disable"

  • "enable"

send_delete_when_timeout_v2

string

Send DELETE request to path endpoints when GTPv2 tunnel timeout.

Choices:

  • "disable"

  • "enable"

spoof_src_addr

string

Spoofed source address for Mobile Station.

Choices:

  • "allow"

  • "deny"

state_invalid_log

string

Log state invalid

Choices:

  • "disable"

  • "enable"

sub_second_interval

string

Sub-second interval

Choices:

  • "0.1"

  • "0.25"

  • "0.5"

sub_second_sampling

string

Enable/disable sub-second sampling.

Choices:

  • "disable"

  • "enable"

traffic_count_log

string

Log tunnel traffic counter

Choices:

  • "disable"

  • "enable"

tunnel_limit

integer

Tunnel limit

tunnel_limit_log

string

Tunnel limit

Choices:

  • "disable"

  • "enable"

tunnel_timeout

integer

Established tunnel timeout

unknown_version_action

string

Action for unknown gtp version

Choices:

  • "allow"

  • "deny"

user_plane_message_rate_limit

integer

User plane message rate limit

warning_threshold

integer

Warning threshold for rate limiting

forticloud_access_token

string

Authenticate Ansible client with forticloud API access token.

proposed_method

string

The overridden method for the underlying JSON RPC request.

Choices:

  • "update"

  • "set"

  • "add"

rc_failed

list / elements=integer

The list of rc codes that override the conditions for the module to fail.

rc_succeeded

list / elements=integer

The list of rc codes that override the conditions for the module to succeed.

state

string / required

The directive to create, update or delete an object.

Choices:

  • "present"

  • "absent"

workspace_locking_adom

string

The ADOM to lock when FortiManager is running in workspace mode; the value can be global or another ADOM, including root.

workspace_locking_timeout

integer

The maximum time in seconds to wait for another user to release the workspace lock.

Default: 300

Notes


  • Starting in version 2.4.0, all input arguments are named using the underscore naming convention (snake_case). Please change the arguments such as “var-name” to “var_name”. Old argument names are still available yet you will receive deprecation warnings. You can ignore this warning by setting deprecation_warnings=False in ansible.cfg.

  • Workspace locking mode is supported by this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- name: Example playbook
  hosts: fortimanagers
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false # Disables TLS certificate verification; set to true once the FortiManager certificate is trusted
    ansible_httpapi_port: 443
  tasks:
    - name: Configure GTP.
      fortinet.fortimanager.fmgr_firewall_gtp:
        bypass_validation: false
        adom: FortiCarrier # This is a FOC-only object; it needs a FortiCarrier ADOM
        state: present
        firewall_gtp:
          monitor_mode: disable # <value in [disable, enable, vdom]>
          name: "ansible-test"

- name: Gathering fortimanager facts
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false # Disables TLS certificate verification; set to true once the FortiManager certificate is trusted
    ansible_httpapi_port: 443
  tasks:
    - name: Retrieve all the GTPs
      fortinet.fortimanager.fmgr_fact:
        facts:
          selector: "firewall_gtp"
          params:
            adom: "FortiCarrier" # This is a FOC-only object; it needs a FortiCarrier ADOM
            gtp: "your_value"
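
An added example, not part of the collection's own documentation: a playbook that combines the parameters listed above into a default-deny GTP profile with peer restriction, APN filtering, rate limiting and logging. The profile name, address group names, APN object name and numeric limits are constructed placeholders and must be replaced with objects and values from your own ADOM.

```yaml
- name: Apply a restrictive GTP profile (added example)
  hosts: fortimanagers
  gather_facts: false
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: true
    # Verify the FortiManager certificate; the control node must trust its CA.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
  tasks:
    - name: Configure a default-deny GTP profile
      fortinet.fortimanager.fmgr_firewall_gtp:
        adom: FortiCarrier # FOC-only object; needs a FortiCarrier ADOM
        state: present
        bypass_validation: false # keep schema validation of the parameters on
        # Only relevant when FortiManager runs in workspace mode; omit otherwise.
        workspace_locking_adom: FortiCarrier
        workspace_locking_timeout: 120
        firewall_gtp:
          name: "gtp-hardened-example" # constructed profile name
          comment: "Default-deny GTP profile managed by Ansible"
          monitor_mode: disable
          # Reject legacy, nested, malformed and out-of-state traffic.
          gtpv0: deny
          gtp_in_gtp: deny
          unknown_version_action: deny
          invalid_reserved_field: deny
          reserved_ie: deny
          miss_must_ie: deny
          out_of_state_message: deny
          out_of_state_ie: deny
          spoof_src_addr: deny
          # Restrict signalling peers (hypothetical address group names).
          authorized_sgsns: "example-sgsn-group"
          authorized_ggsns: "example-ggsn-group"
          # Allow only listed APNs; everything else falls to the default action.
          apn_filter: enable
          default_apn_action: deny
          apn:
            - id: 1
              action: allow
              apnmember: "example-apn" # hypothetical APN object
              selection_mode:
                - ms
                - net
          # Rate limits: constructed values, tune against a measured baseline.
          rate_limit_mode: per-profile
          message_rate_limit:
            create_pdp_request: 200
            delete_pdp_request: 200
            echo_request: 20
          # Log what the profile blocks or throttles.
          denied_log: enable
          gtpu_denied_log: enable
          rate_limited_log: enable
          state_invalid_log: enable
          tunnel_limit_log: enable
```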

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

meta

dictionary

The result of the request.

Returned: always

request_url

string

The full url requested.

Returned: always

Sample: "/sys/login/user"

response_code

integer

The status of the API request.

Returned: always

Sample: 0

response_data

list / elements=string

The API response.

Returned: always

response_message

string

The descriptive message of the API response.

Returned: always

Sample: "OK."

system_information

dictionary

The information of the target system.

Returned: always

rc

integer

The status of the request.

Returned: always

Sample: 0

version_check_warning

list / elements=string

Warning if the parameters used in the playbook are not supported by the current FortiManager version.

Returned: complex

Authors

  • Xinwei Du (@dux-fortinet)

  • Xing Li (@lix-fortinet)

  • Jie Xue (@JieX19)

  • Link Zheng (@chillancezen)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)