fortinet.fortimanager.fmgr_firewall_gtp – Configure GTP.

Note

This plugin is part of the fortinet.fortimanager collection (version 2.1.4).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install fortinet.fortimanager.

To use it in a playbook, specify: fortinet.fortimanager.fmgr_firewall_gtp.

New in version 2.10 of fortinet.fortimanager

Synopsis

  • This module is able to configure a FortiManager device.

  • Examples include all parameters and values which need to be adjusted to data sources before usage.

Parameters

Parameter Choices/Defaults Comments
adom
string / required
the parameter (adom) in requested url
bypass_validation
boolean
    Choices:
  • no ←
  • yes
Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters.
enable_log
boolean
    Choices:
  • no ←
  • yes
Enable/Disable logging for task
firewall_gtp
dictionary
the top level parameters set
addr-notify
string
overbilling notify address
apn
list / elements=string
Apn.
action
string
    Choices:
  • allow
  • deny
Action.
apnmember
string
APN member.
id
integer
ID.
selection-mode
list / elements=string
    Choices:
  • ms
  • net
  • vrf
APN selection mode.
apn-filter
string
    Choices:
  • disable
  • enable
apn filter
authorized-ggsns
string
Authorized GGSN group
authorized-ggsns6
string
Authorized GGSN/PGW IPv6 group.
authorized-sgsns
string
Authorized SGSN group
authorized-sgsns6
string
Authorized SGSN/SGW IPv6 group.
comment
string
Comment.
context-id
integer
Overbilling context.
control-plane-message-rate-limit
integer
control plane message rate limit
default-apn-action
string
    Choices:
  • allow
  • deny
default apn action
default-imsi-action
string
    Choices:
  • allow
  • deny
default imsi action
default-ip-action
string
    Choices:
  • allow
  • deny
default action for encapsulated IP traffic
default-noip-action
string
    Choices:
  • allow
  • deny
default action for encapsulated non-IP traffic
default-policy-action
string
    Choices:
  • allow
  • deny
default advanced policy action
denied-log
string
    Choices:
  • disable
  • enable
log denied
echo-request-interval
integer
echo request interval (in seconds)
extension-log
string
    Choices:
  • disable
  • enable
log in extension format
forwarded-log
string
    Choices:
  • disable
  • enable
log forwarded
global-tunnel-limit
string
Global tunnel limit.
gtp-in-gtp
string
    Choices:
  • allow
  • deny
gtp in gtp
gtpu-denied-log
string
    Choices:
  • disable
  • enable
Enable/disable logging of denied GTP-U packets.
gtpu-forwarded-log
string
    Choices:
  • disable
  • enable
Enable/disable logging of forwarded GTP-U packets.
gtpu-log-freq
integer
Logging frequency of GTP-U packets.
half-close-timeout
integer
Half-close tunnel timeout (in seconds).
half-open-timeout
integer
Half-open tunnel timeout (in seconds).
handover-group
string
Handover SGSN group
handover-group6
string
Handover SGSN/SGW IPv6 group.
ie-allow-list-v0v1
string
IE allow list.
ie-allow-list-v2
string
IE allow list.
ie-remove-policy
list / elements=string
Ie-Remove-Policy.
id
integer
ID.
remove-ies
list / elements=string
    Choices:
  • apn-restriction
  • rat-type
  • rai
  • uli
  • imei
GTP IEs to be removed.
sgsn-addr
string
SGSN address name.
sgsn-addr6
string
SGSN IPv6 address name.
ie-remover
string
    Choices:
  • disable
  • enable
IE removal policy.
ie-validation
dictionary
no description
apn-restriction
string
    Choices:
  • disable
  • enable
Validate APN restriction.
charging-gateway-addr
string
    Choices:
  • disable
  • enable
Validate charging gateway address.
charging-ID
string
    Choices:
  • disable
  • enable
Validate charging ID.
end-user-addr
string
    Choices:
  • disable
  • enable
Validate end user address.
gsn-addr
string
    Choices:
  • disable
  • enable
Validate GSN address.
imei
string
    Choices:
  • disable
  • enable
Validate IMEI(SV).
imsi
string
    Choices:
  • disable
  • enable
Validate IMSI.
mm-context
string
    Choices:
  • disable
  • enable
Validate MM context.
ms-tzone
string
    Choices:
  • disable
  • enable
Validate MS time zone.
ms-validated
string
    Choices:
  • disable
  • enable
Validate MS validated.
msisdn
string
    Choices:
  • disable
  • enable
Validate MSISDN.
nsapi
string
    Choices:
  • disable
  • enable
Validate NSAPI.
pdp-context
string
    Choices:
  • disable
  • enable
Validate PDP context.
qos-profile
string
    Choices:
  • disable
  • enable
Validate Quality of Service(QoS) profile.
rai
string
    Choices:
  • disable
  • enable
Validate RAI.
rat-type
string
    Choices:
  • disable
  • enable
Validate RAT type.
reordering-required
string
    Choices:
  • disable
  • enable
Validate re-ordering required.
selection-mode
string
    Choices:
  • disable
  • enable
Validate selection mode.
uli
string
    Choices:
  • disable
  • enable
Validate user location information.
ie-white-list-v0v1
string
IE white list.
ie-white-list-v2
string
IE white list.
imsi
list / elements=string
Imsi.
action
string
    Choices:
  • allow
  • deny
Action.
apnmember
string
APN member.
id
integer
ID.
mcc-mnc
string
MCC MNC.
msisdn-prefix
string
MSISDN prefix.
selection-mode
list / elements=string
    Choices:
  • ms
  • net
  • vrf
APN selection mode.
imsi-filter
string
    Choices:
  • disable
  • enable
imsi filter
interface-notify
string
overbilling interface
invalid-reserved-field
string
    Choices:
  • allow
  • deny
Invalid reserved field in GTP header
invalid-sgsns-to-log
string
Invalid SGSN group to be logged
invalid-sgsns6-to-log
string
Invalid SGSN IPv6 group to be logged.
ip-filter
string
    Choices:
  • disable
  • enable
IP filter for encapsulated traffic
ip-policy
list / elements=string
Ip-Policy.
action
string
    Choices:
  • allow
  • deny
Action.
dstaddr
string
Destination address name.
dstaddr6
string
Destination IPv6 address name.
id
integer
ID.
srcaddr
string
Source address name.
srcaddr6
string
Source IPv6 address name.
log-freq
integer
Logging frequency of GTP-C packets.
log-gtpu-limit
integer
the user data log limit (0-512 bytes)
log-imsi-prefix
string
IMSI prefix for selective logging.
log-msisdn-prefix
string
the msisdn prefix for selective logging
max-message-length
integer
max message length
message-filter-v0v1
string
Message filter.
message-filter-v2
string
Message filter.
message-rate-limit
dictionary
no description
create-aa-pdp-request
integer
Rate limit for create AA PDP context request (packets per second).
create-aa-pdp-response
integer
Rate limit for create AA PDP context response (packets per second).
create-mbms-request
integer
Rate limit for create MBMS context request (packets per second).
create-mbms-response
integer
Rate limit for create MBMS context response (packets per second).
create-pdp-request
integer
Rate limit for create PDP context request (packets per second).
create-pdp-response
integer
Rate limit for create PDP context response (packets per second).
delete-aa-pdp-request
integer
Rate limit for delete AA PDP context request (packets per second).
delete-aa-pdp-response
integer
Rate limit for delete AA PDP context response (packets per second).
delete-mbms-request
integer
Rate limit for delete MBMS context request (packets per second).
delete-mbms-response
integer
Rate limit for delete MBMS context response (packets per second).
delete-pdp-request
integer
Rate limit for delete PDP context request (packets per second).
delete-pdp-response
integer
Rate limit for delete PDP context response (packets per second).
echo-reponse
integer
Rate limit for echo response (packets per second).
echo-request
integer
Rate limit for echo requests (packets per second).
error-indication
integer
Rate limit for error indication (packets per second).
failure-report-request
integer
Rate limit for failure report request (packets per second).
failure-report-response
integer
Rate limit for failure report response (packets per second).
fwd-reloc-complete-ack
integer
Rate limit for forward relocation complete acknowledge (packets per second).
fwd-relocation-complete
integer
Rate limit for forward relocation complete (packets per second).
fwd-relocation-request
integer
Rate limit for forward relocation request (packets per second).
fwd-relocation-response
integer
Rate limit for forward relocation response (packets per second).
fwd-srns-context
integer
Rate limit for forward SRNS context (packets per second).
fwd-srns-context-ack
integer
Rate limit for forward SRNS context acknowledge (packets per second).
g-pdu
integer
Rate limit for G-PDU (packets per second).
identification-request
integer
Rate limit for identification request (packets per second).
identification-response
integer
Rate limit for identification response (packets per second).
mbms-de-reg-request
integer
Rate limit for MBMS de-registration request (packets per second).
mbms-de-reg-response
integer
Rate limit for MBMS de-registration response (packets per second).
mbms-notify-rej-request
integer
Rate limit for MBMS notification reject request (packets per second).
mbms-notify-rej-response
integer
Rate limit for MBMS notification reject response (packets per second).
mbms-notify-request
integer
Rate limit for MBMS notification request (packets per second).
mbms-notify-response
integer
Rate limit for MBMS notification response (packets per second).
mbms-reg-request
integer
Rate limit for MBMS registration request (packets per second).
mbms-reg-response
integer
Rate limit for MBMS registration response (packets per second).
mbms-ses-start-request
integer
Rate limit for MBMS session start request (packets per second).
mbms-ses-start-response
integer
Rate limit for MBMS session start response (packets per second).
mbms-ses-stop-request
integer
Rate limit for MBMS session stop request (packets per second).
mbms-ses-stop-response
integer
Rate limit for MBMS session stop response (packets per second).
note-ms-request
integer
Rate limit for note MS GPRS present request (packets per second).
note-ms-response
integer
Rate limit for note MS GPRS present response (packets per second).
pdu-notify-rej-request
integer
Rate limit for PDU notify reject request (packets per second).
pdu-notify-rej-response
integer
Rate limit for PDU notify reject response (packets per second).
pdu-notify-request
integer
Rate limit for PDU notify request (packets per second).
pdu-notify-response
integer
Rate limit for PDU notify response (packets per second).
ran-info
integer
Rate limit for RAN information relay (packets per second).
relocation-cancel-request
integer
Rate limit for relocation cancel request (packets per second).
relocation-cancel-response
integer
Rate limit for relocation cancel response (packets per second).
send-route-request
integer
Rate limit for send routing information for GPRS request (packets per second).
send-route-response
integer
Rate limit for send routing information for GPRS response (packets per second).
sgsn-context-ack
integer
Rate limit for SGSN context acknowledgement (packets per second).
sgsn-context-request
integer
Rate limit for SGSN context request (packets per second).
sgsn-context-response
integer
Rate limit for SGSN context response (packets per second).
support-ext-hdr-notify
integer
Rate limit for support extension headers notification (packets per second).
update-mbms-request
integer
Rate limit for update MBMS context request (packets per second).
update-mbms-response
integer
Rate limit for update MBMS context response (packets per second).
update-pdp-request
integer
Rate limit for update PDP context request (packets per second).
update-pdp-response
integer
Rate limit for update PDP context response (packets per second).
version-not-support
integer
Rate limit for version not supported (packets per second).
message-rate-limit-v0
dictionary
no description
create-pdp-request
integer
Rate limit (packets/s) for create PDP context request.
delete-pdp-request
integer
Rate limit (packets/s) for delete PDP context request.
echo-request
integer
Rate limit (packets/s) for echo request.
message-rate-limit-v1
dictionary
no description
create-pdp-request
integer
Rate limit (packets/s) for create PDP context request.
delete-pdp-request
integer
Rate limit (packets/s) for delete PDP context request.
echo-request
integer
Rate limit (packets/s) for echo request.
message-rate-limit-v2
dictionary
no description
create-session-request
integer
Rate limit (packets/s) for create session request.
delete-session-request
integer
Rate limit (packets/s) for delete session request.
echo-request
integer
Rate limit (packets/s) for echo request.
min-message-length
integer
min message length
miss-must-ie
string
    Choices:
  • allow
  • deny
Missing mandatory information element
monitor-mode
string
    Choices:
  • disable
  • enable
  • vdom
GTP monitor mode
name
string
Profile name.
noip-filter
string
    Choices:
  • disable
  • enable
non-IP filter for encapsulated traffic
noip-policy
list / elements=string
Noip-Policy.
action
string
    Choices:
  • allow
  • deny
Action.
end
integer
End of protocol range (0 - 255).
id
integer
ID.
start
integer
Start of protocol range (0 - 255).
type
string
    Choices:
  • etsi
  • ietf
Protocol field type.
out-of-state-ie
string
    Choices:
  • allow
  • deny
Out of state information element.
out-of-state-message
string
    Choices:
  • allow
  • deny
Out of state GTP message
per-apn-shaper
list / elements=string
Per-Apn-Shaper.
apn
string
APN name.
id
integer
ID.
rate-limit
integer
Rate limit (packets/s) for create PDP context request.
version
integer
GTP version number: 0 or 1.
policy
list / elements=string
Policy.
action
string
    Choices:
  • allow
  • deny
Action.
apn-sel-mode
list / elements=string
    Choices:
  • ms
  • net
  • vrf
APN selection mode.
apnmember
string
APN member.
id
integer
ID.
imei
string
IMEI(SV) pattern.
imsi
string
IMSI prefix.
imsi-prefix
string
IMSI prefix.
max-apn-restriction
string
    Choices:
  • all
  • public-1
  • public-2
  • private-1
  • private-2
Maximum APN restriction value.
messages
list / elements=string
    Choices:
  • create-req
  • create-res
  • update-req
  • update-res
GTP messages.
msisdn
string
MSISDN prefix.
msisdn-prefix
string
MSISDN prefix.
rai
string
RAI pattern.
rat-type
list / elements=string
    Choices:
  • any
  • utran
  • geran
  • wlan
  • gan
  • hspa
  • eutran
  • virtual
  • nbiot
RAT Type.
uli
string
ULI pattern.
policy-filter
string
    Choices:
  • disable
  • enable
Advanced policy filter
policy-v2
list / elements=string
Policy-V2.
action
string
    Choices:
  • deny
  • allow
Action.
apn-sel-mode
list / elements=string
    Choices:
  • ms
  • net
  • vrf
APN selection mode.
apnmember
string
APN member.
id
integer
ID.
imsi-prefix
string
IMSI prefix.
max-apn-restriction
string
    Choices:
  • all
  • public-1
  • public-2
  • private-1
  • private-2
Maximum APN restriction value.
mei
string
MEI pattern.
messages
list / elements=string
    Choices:
  • create-ses-req
  • create-ses-res
  • modify-bearer-req
  • modify-bearer-res
GTP messages.
msisdn-prefix
string
MSISDN prefix.
rat-type
list / elements=string
    Choices:
  • any
  • utran
  • geran
  • wlan
  • gan
  • hspa
  • eutran
  • virtual
  • nbiot
  • ltem
  • nr
RAT Type.
uli
string
GTPv2 ULI patterns (in order of CGI SAI RAI TAI ECGI LAI).
port-notify
integer
overbilling notify port
rate-limit-mode
string
    Choices:
  • per-profile
  • per-stream
  • per-apn
GTP rate limit mode.
rate-limited-log
string
    Choices:
  • disable
  • enable
log rate limited
rate-sampling-interval
integer
rate sampling interval (1-3600 seconds)
remove-if-echo-expires
string
    Choices:
  • disable
  • enable
remove if echo response expires
remove-if-recovery-differ
string
    Choices:
  • disable
  • enable
remove upon different Recovery IE
reserved-ie
string
    Choices:
  • allow
  • deny
reserved information element
send-delete-when-timeout
string
    Choices:
  • disable
  • enable
Send a DELETE request to path endpoints when a GTPv0/v1 tunnel times out.
send-delete-when-timeout-v2
string
    Choices:
  • disable
  • enable
Send a DELETE request to path endpoints when a GTPv2 tunnel times out.
spoof-src-addr
string
    Choices:
  • allow
  • deny
Spoofed source address for Mobile Station.
state-invalid-log
string
    Choices:
  • disable
  • enable
log state invalid
sub-second-interval
string
    Choices:
  • 0.1
  • 0.25
  • 0.5
Sub-second interval (0.1, 0.25, or 0.5 sec, default = 0.5).
sub-second-sampling
string
    Choices:
  • disable
  • enable
Enable/disable sub-second sampling.
traffic-count-log
string
    Choices:
  • disable
  • enable
log tunnel traffic counter
tunnel-limit
integer
tunnel limit
tunnel-limit-log
string
    Choices:
  • disable
  • enable
tunnel limit
tunnel-timeout
integer
Established tunnel timeout (in seconds).
unknown-version-action
string
    Choices:
  • allow
  • deny
action for unknown gtp version
user-plane-message-rate-limit
integer
user plane message rate limit
warning-threshold
integer
Warning threshold for rate limiting (0 - 99 percent).
proposed_method
string
    Choices:
  • update
  • set
  • add
The overridden method for the underlying JSON RPC request
rc_failed
list / elements=string
The list of rc codes that overrides the conditions under which the task fails
rc_succeeded
list / elements=string
The list of rc codes that overrides the conditions under which the task succeeds
state
string / required
    Choices:
  • present
  • absent
the directive to create, update or delete an object
workspace_locking_adom
string
the adom to lock for FortiManager running in workspace mode, the value can be global and others including root
workspace_locking_timeout
integer
Default:
300
The maximum time in seconds to wait for another user to release the workspace lock

Notes

  • This FortiManager module supports running in workspace locking mode; the top-level parameters workspace_locking_adom and workspace_locking_timeout control it.

  • To create or update an object, use the state present directive.

  • To delete an object, use the state absent directive.

  • Normally, a module run fails when a non-zero rc is returned. You can override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.

Examples

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    # False skips TLS certificate verification of the FortiManager API endpoint;
    # set it to True wherever FortiManager presents a certificate the control node trusts.
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
   - name: retrieve all the GTPs
     fmgr_fact:
       facts:
           selector: 'firewall_gtp'
           params:
               adom: 'FortiCarrier' # This is a FOC-only object; it needs a FortiCarrier adom
               gtp: ''
- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     # Same caveat as above: False disables certificate verification.
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure GTP.
     fmgr_firewall_gtp:
        bypass_validation: False
        adom: FortiCarrier # This is a FOC-only object; it needs a FortiCarrier adom
        state: present
        firewall_gtp:
           monitor-mode: disable #<value in [disable, enable, vdom]>
           name: 'ansible-test'
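
A fuller profile that uses the allow/deny, logging, IE-validation and rate-limit parameters from the table above together with the workspace-locking parameters from the Notes, given here as an added example that is not part of the collection's documentation. The profile name, lock timeout and packets-per-second values are constructed, certificate validation assumes FortiManager presents a certificate the control node trusts, and the APN, IMSI and IP filter lists are left out.

```yaml
- name: Configure a GTP profile that drops malformed traffic and logs what it drops
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: True   # assumption: trusted certificate on FortiManager
    ansible_httpapi_port: 443
  tasks:
    - name: Create or update the profile
      fmgr_firewall_gtp:
        adom: FortiCarrier
        state: present
        # Only meaningful when FortiManager runs in workspace mode;
        # drop both lines otherwise.
        workspace_locking_adom: FortiCarrier
        workspace_locking_timeout: 120        # constructed value, seconds
        firewall_gtp:
          name: 'gtp-hardened-example'        # hypothetical profile name
          comment: 'constructed example values'
          monitor-mode: disable
          # Protocol anomaly handling: refuse rather than forward
          gtp-in-gtp: deny
          unknown-version-action: deny
          invalid-reserved-field: deny
          reserved-ie: deny
          miss-must-ie: deny
          out-of-state-message: deny
          out-of-state-ie: deny
          spoof-src-addr: deny
          # Keep a record of everything the profile rejects or throttles
          denied-log: enable
          state-invalid-log: enable
          rate-limited-log: enable
          tunnel-limit-log: enable
          # Information element validation
          ie-validation:
            imsi: enable
            msisdn: enable
            apn-restriction: enable
            rat-type: enable
            end-user-addr: enable
          # Control-plane rate limits in packets per second (constructed values)
          warning-threshold: 80
          message-rate-limit:
            create-pdp-request: 200
            update-pdp-request: 200
            delete-pdp-request: 200
            echo-request: 20
      register: gtp_result

    - name: Show what the module returned
      debug:
        var: gtp_result
```

Size the rate limits from observed signalling volume before pushing the profile to production devices; limits set too low will throttle legitimate session setup.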

Return Values

Common return values are documented here; the following fields are unique to this module:

request_url (string; returned: always)
    The full url requested
    Sample: /sys/login/user

response_code (integer; returned: always)
    The status of api request

response_message (string; returned: always)
    The descriptive message of the api response
    Sample: OK.


Authors

  • Link Zheng (@chillancezen)

  • Jie Xue (@JieX19)

  • Frank Shen (@fshen01)

  • Hongbin Lu (@fgtdev-hblu)