fmgr_firewall_gtp – Configure GTP.¶

New in version 2.0.0.

Synopsis
Requirements
FortiManager Version Compatibility
Parameters
Notes
Examples
Return Values
Status
Authors

Synopsis ¶

This module is able to configure a FortiManager device.
Examples include all parameters and values need to be adjusted to data sources before usage.
Tested with FortiManager v6.x and v7.x.

Requirements ¶

The below requirements are needed on the host that executes this module.

ansible>=2.9.0

FortiManager Version Compatibility ¶

6.0.0

True

6.2.0 6.2.1 6.2.2 6.2.3 6.2.5 6.2.6 6.2.7 6.2.8 6.2.9 6.2.10 6.2.11

True True True True True True True True True True True

6.4.0 6.4.1 6.4.2 6.4.3 6.4.4 6.4.5 6.4.6 6.4.7 6.4.8 6.4.9 6.4.10 6.4.11 6.4.12

True True True True True True True True True True True True True

7.0.0 7.0.1 7.0.2 7.0.3 7.0.4 7.0.5 7.0.6 7.0.7 7.0.8

True True True True True True True True True

7.2.0 7.2.1 7.2.2 7.2.3

True True True True

7.4.0

True

Parameters ¶

access_token -The token to access FortiManager without using username and password. type: str required: false
bypass_validation - Only set to True when module schema diffs with FortiManager API structure, module continues to execute without validating parameters. type: bool required: false default: False
enable_log - Enable/Disable logging for task. type: bool required: false default: False
forticloud_access_token - Access token of forticloud managed API users, this option is available with FortiManager later than 6.4.0. type: str required: false
proposed_method - The overridden method for the underlying Json RPC request. type: str required: false choices: set, update, add
rc_succeeded - The rc codes list with which the conditions to succeed will be overriden. type: list required: false
rc_failed - The rc codes list with which the conditions to fail will be overriden. type: list required: false
state - The directive to create, update or delete an object type: str required: true choices: present, absent
workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode. type: str required: false choices: global, custom adom including root
workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock. type: integer required: false default: 300
adom - The parameter in requested url type: str required: true
firewall_gtp - Configure GTP. type: dict

addr-notify - overbilling notify address type: str more...

apn - Apn. type: array more...

action - Action. type: str choices: [allow, deny] more...

apnmember - APN member. type: str more...

id - ID. type: int more...

selection-mode - APN selection mode. type: array choices: [ms, net, vrf] more...

apn-filter - apn filter type: str choices: [disable, enable] more...

authorized-ggsns - Authorized GGSN group type: str more...

authorized-sgsns - Authorized SGSN group type: str more...

comment - Comment. type: str more...

context-id - Overbilling context. type: int more...

control-plane-message-rate-limit - control plane message rate limit type: int more...

default-apn-action - default apn action type: str choices: [allow, deny] more...

default-imsi-action - default imsi action type: str choices: [allow, deny] more...

default-ip-action - default action for encapsulated IP traffic type: str choices: [allow, deny] more...

default-noip-action - default action for encapsulated non-IP traffic type: str choices: [allow, deny] more...

default-policy-action - default advanced policy action type: str choices: [allow, deny] more...

denied-log - log denied type: str choices: [disable, enable] more...

echo-request-interval - echo request interval (in seconds) type: int more...

extension-log - log in extension format type: str choices: [disable, enable] more...

forwarded-log - log forwarded type: str choices: [disable, enable] more...

global-tunnel-limit - Global tunnel limit. type: str more...

gtp-in-gtp - gtp in gtp type: str choices: [allow, deny] more...

gtpu-denied-log - Enable/disable logging of denied GTP-U packets. type: str choices: [disable, enable] more...

gtpu-forwarded-log - Enable/disable logging of forwarded GTP-U packets. type: str choices: [disable, enable] more...

gtpu-log-freq - Logging of frequency of GTP-U packets. type: int more...

half-close-timeout - Half-close tunnel timeout (in seconds). type: int more...

half-open-timeout - Half-open tunnel timeout (in seconds). type: int more...

handover-group - Handover SGSN group type: str more...

ie-remove-policy - Ie-Remove-Policy. type: array more...

id - ID. type: int more...

remove-ies - GTP IEs to be removed. type: array choices: [apn-restriction, rat-type, rai, uli, imei] more...

sgsn-addr - SGSN address name. type: str more...

sgsn-addr6 - SGSN IPv6 address name. type: str more...

ie-remover - IE removal policy. type: str choices: [disable, enable] more...

ie-white-list-v0v1 - IE white list. type: str more...

ie-white-list-v2 - IE white list. type: str more...

imsi - Imsi. type: array more...

action - Action. type: str choices: [allow, deny] more...

apnmember - APN member. type: str more...

id - ID. type: int more...

mcc-mnc - MCC MNC. type: str more...

msisdn-prefix - MSISDN prefix. type: str more...

selection-mode - APN selection mode. type: array choices: [ms, net, vrf] more...

imsi-filter - imsi filter type: str choices: [disable, enable] more...

interface-notify - overbilling interface type: str more...

invalid-reserved-field - Invalid reserved field in GTP header type: str choices: [allow, deny] more...

invalid-sgsns-to-log - Invalid SGSN group to be logged type: str more...

ip-filter - IP filter for encapsulted traffic type: str choices: [disable, enable] more...

ip-policy - Ip-Policy. type: array more...

action - Action. type: str choices: [allow, deny] more...

dstaddr - Destination address name. type: str more...

id - ID. type: int more...

srcaddr - Source address name. type: str more...

dstaddr6 - Destination IPv6 address name. type: str more...

srcaddr6 - Source IPv6 address name. type: str more...

log-freq - Logging of frequency of GTP-C packets. type: int more...

log-gtpu-limit - the user data log limit (0-512 bytes) type: int more...

log-imsi-prefix - IMSI prefix for selective logging. type: str more...

log-msisdn-prefix - the msisdn prefix for selective logging type: str more...

max-message-length - max message length type: int more...

message-filter-v0v1 - Message filter. type: str more...

message-filter-v2 - Message filter. type: str more...

min-message-length - min message length type: int more...

miss-must-ie - Missing mandatory information element type: str choices: [allow, deny] more...

monitor-mode - GTP monitor mode type: str choices: [disable, enable, vdom] more...

name - Profile name. type: str more...

noip-filter - non-IP filter for encapsulted traffic type: str choices: [disable, enable] more...

noip-policy - Noip-Policy. type: array more...

action - Action. type: str choices: [allow, deny] more...

end - End of protocol range (0 - 255). type: int more...

id - ID. type: int more...

start - Start of protocol range (0 - 255). type: int more...

type - Protocol field type. type: str choices: [etsi, ietf] more...

out-of-state-ie - Out of state information element. type: str choices: [allow, deny] more...

out-of-state-message - Out of state GTP message type: str choices: [allow, deny] more...

per-apn-shaper - Per-Apn-Shaper. type: array more...

apn - APN name. type: str more...

id - ID. type: int more...

rate-limit - Rate limit (packets/s) for create PDP context request. type: int more...

version - GTP version number: 0 or 1. type: int more...

policy - Policy. type: array more...

action - Action. type: str choices: [allow, deny] more...

apn-sel-mode - APN selection mode. type: array choices: [ms, net, vrf] more...

apnmember - APN member. type: str more...

id - ID. type: int more...

imei - IMEI(SV) pattern. type: str more...

imsi - IMSI prefix. type: str more...

max-apn-restriction - Maximum APN restriction value. type: str choices: [all, public-1, public-2, private-1, private-2] more...

messages - GTP messages. type: array choices: [create-req, create-res, update-req, update-res] more...

msisdn - MSISDN prefix. type: str more...

rai - RAI pattern. type: str more...

rat-type - RAT Type. type: array choices: [any, utran, geran, wlan, gan, hspa, eutran, virtual, nbiot] more...

uli - ULI pattern. type: str more...

imsi-prefix - IMSI prefix. type: str more...

msisdn-prefix - MSISDN prefix. type: str more...

apn - APN subfix. type: str more...

policy-filter - Advanced policy filter type: str choices: [disable, enable] more...

port-notify - overbilling notify port type: int more...

rate-limit-mode - GTP rate limit mode. type: str choices: [per-profile, per-stream, per-apn] more...

rate-limited-log - log rate limited type: str choices: [disable, enable] more...

rate-sampling-interval - rate sampling interval (1-3600 seconds) type: int more...

remove-if-echo-expires - remove if echo response expires type: str choices: [disable, enable] more...

remove-if-recovery-differ - remove upon different Recovery IE type: str choices: [disable, enable] more...

reserved-ie - reserved information element type: str choices: [allow, deny] more...

send-delete-when-timeout - send DELETE request to path endpoints when GTPv0/v1 tunnel timeout. type: str choices: [disable, enable] more...

send-delete-when-timeout-v2 - send DELETE request to path endpoints when GTPv2 tunnel timeout. type: str choices: [disable, enable] more...

spoof-src-addr - Spoofed source address for Mobile Station. type: str choices: [allow, deny] more...

state-invalid-log - log state invalid type: str choices: [disable, enable] more...

traffic-count-log - log tunnel traffic counter type: str choices: [disable, enable] more...

tunnel-limit - tunnel limit type: int more...

tunnel-limit-log - tunnel limit type: str choices: [disable, enable] more...

tunnel-timeout - Established tunnel timeout (in seconds). type: int more...

unknown-version-action - action for unknown gtp version type: str choices: [allow, deny] more...

user-plane-message-rate-limit - user plane message rate limit type: int more...

warning-threshold - Warning threshold for rate limiting (0 - 99 percent). type: int more...

policy-v2 - Policy-V2. type: array more...

action - Action. type: str choices: [deny, allow] more...

apn-sel-mode - APN selection mode. type: array choices: [ms, net, vrf] more...

apnmember - APN member. type: str more...

id - ID. type: int more...

imsi-prefix - IMSI prefix. type: str more...

max-apn-restriction - Maximum APN restriction value. type: str choices: [all, public-1, public-2, private-1, private-2] more...

mei - MEI pattern. type: str more...

messages - GTP messages. type: array choices: [create-ses-req, create-ses-res, modify-bearer-req, modify-bearer-res] more...

msisdn-prefix - MSISDN prefix. type: str more...

rat-type - RAT Type. type: array choices: [any, utran, geran, wlan, gan, hspa, eutran, virtual, nbiot, ltem, nr] more...

uli - GTPv2 ULI patterns (in order of CGI SAI RAI TAI ECGI LAI). type: str more...

sub-second-interval - Sub-second interval (0. type: str choices: [0.1, 0.25, 0.5] more...

sub-second-sampling - Enable/disable sub-second sampling. type: str choices: [disable, enable] more...

authorized-ggsns6 - Authorized GGSN/PGW IPv6 group. type: str more...

authorized-sgsns6 - Authorized SGSN/SGW IPv6 group. type: str more...

handover-group6 - Handover SGSN/SGW IPv6 group. type: str more...

invalid-sgsns6-to-log - Invalid SGSN IPv6 group to be logged. type: str more...

ie-validation type: dict

apn-restriction - Validate APN restriction. type: str choices: [disable, enable] more...

charging-ID - Validate charging ID. type: str choices: [disable, enable] more...

charging-gateway-addr - Validate charging gateway address. type: str choices: [disable, enable] more...

end-user-addr - Validate end user address. type: str choices: [disable, enable] more...

gsn-addr - Validate GSN address. type: str choices: [disable, enable] more...

imei - Validate IMEI(SV). type: str choices: [disable, enable] more...

imsi - Validate IMSI. type: str choices: [disable, enable] more...

mm-context - Validate MM context. type: str choices: [disable, enable] more...

ms-tzone - Validate MS time zone. type: str choices: [disable, enable] more...

ms-validated - Validate MS validated. type: str choices: [disable, enable] more...

msisdn - Validate MSISDN. type: str choices: [disable, enable] more...

nsapi - Validate NSAPI. type: str choices: [disable, enable] more...

pdp-context - Validate PDP context. type: str choices: [disable, enable] more...

qos-profile - Validate Quality of Service(QoS) profile. type: str choices: [disable, enable] more...

rai - Validate RAI. type: str choices: [disable, enable] more...

rat-type - Validate RAT type. type: str choices: [disable, enable] more...

reordering-required - Validate re-ordering required. type: str choices: [disable, enable] more...

selection-mode - Validate selection mode. type: str choices: [disable, enable] more...

uli - Validate user location information. type: str choices: [disable, enable] more...

message-rate-limit type: dict

create-aa-pdp-request - Rate limit for create AA PDP context request (packets per second). type: int more...

create-aa-pdp-response - Rate limit for create AA PDP context response (packets per second). type: int more...

create-mbms-request - Rate limit for create MBMS context request (packets per second). type: int more...

create-mbms-response - Rate limit for create MBMS context response (packets per second). type: int more...

create-pdp-request - Rate limit for create PDP context request (packets per second). type: int more...

create-pdp-response - Rate limit for create PDP context response (packets per second). type: int more...

delete-aa-pdp-request - Rate limit for delete AA PDP context request (packets per second). type: int more...

delete-aa-pdp-response - Rate limit for delete AA PDP context response (packets per second). type: int more...

delete-mbms-request - Rate limit for delete MBMS context request (packets per second). type: int more...

delete-mbms-response - Rate limit for delete MBMS context response (packets per second). type: int more...

delete-pdp-request - Rate limit for delete PDP context request (packets per second). type: int more...

delete-pdp-response - Rate limit for delete PDP context response (packets per second). type: int more...

echo-reponse - Rate limit for echo response (packets per second). type: int more...

echo-request - Rate limit for echo requests (packets per second). type: int more...

error-indication - Rate limit for error indication (packets per second). type: int more...

failure-report-request - Rate limit for failure report request (packets per second). type: int more...

failure-report-response - Rate limit for failure report response (packets per second). type: int more...

fwd-reloc-complete-ack - Rate limit for forward relocation complete acknowledge (packets per second). type: int more...

fwd-relocation-complete - Rate limit for forward relocation complete (packets per second). type: int more...

fwd-relocation-request - Rate limit for forward relocation request (packets per second). type: int more...

fwd-relocation-response - Rate limit for forward relocation response (packets per second). type: int more...

fwd-srns-context - Rate limit for forward SRNS context (packets per second). type: int more...

fwd-srns-context-ack - Rate limit for forward SRNS context acknowledge (packets per second). type: int more...

g-pdu - Rate limit for G-PDU (packets per second). type: int more...

identification-request - Rate limit for identification request (packets per second). type: int more...

identification-response - Rate limit for identification response (packets per second). type: int more...

mbms-de-reg-request - Rate limit for MBMS de-registration request (packets per second). type: int more...

mbms-de-reg-response - Rate limit for MBMS de-registration response (packets per second). type: int more...

mbms-notify-rej-request - Rate limit for MBMS notification reject request (packets per second). type: int more...

mbms-notify-rej-response - Rate limit for MBMS notification reject response (packets per second). type: int more...

mbms-notify-request - Rate limit for MBMS notification request (packets per second). type: int more...

mbms-notify-response - Rate limit for MBMS notification response (packets per second). type: int more...

mbms-reg-request - Rate limit for MBMS registration request (packets per second). type: int more...

mbms-reg-response - Rate limit for MBMS registration response (packets per second). type: int more...

mbms-ses-start-request - Rate limit for MBMS session start request (packets per second). type: int more...

mbms-ses-start-response - Rate limit for MBMS session start response (packets per second). type: int more...

mbms-ses-stop-request - Rate limit for MBMS session stop request (packets per second). type: int more...

mbms-ses-stop-response - Rate limit for MBMS session stop response (packets per second). type: int more...

note-ms-request - Rate limit for note MS GPRS present request (packets per second). type: int more...

note-ms-response - Rate limit for note MS GPRS present response (packets per second). type: int more...

pdu-notify-rej-request - Rate limit for PDU notify reject request (packets per second). type: int more...

pdu-notify-rej-response - Rate limit for PDU notify reject response (packets per second). type: int more...

pdu-notify-request - Rate limit for PDU notify request (packets per second). type: int more...

pdu-notify-response - Rate limit for PDU notify response (packets per second). type: int more...

ran-info - Rate limit for RAN information relay (packets per second). type: int more...

relocation-cancel-request - Rate limit for relocation cancel request (packets per second). type: int more...

relocation-cancel-response - Rate limit for relocation cancel response (packets per second). type: int more...

send-route-request - Rate limit for send routing information for GPRS request (packets per second). type: int more...

send-route-response - Rate limit for send routing information for GPRS response (packets per second). type: int more...

sgsn-context-ack - Rate limit for SGSN context acknowledgement (packets per second). type: int more...

sgsn-context-request - Rate limit for SGSN context request (packets per second). type: int more...

sgsn-context-response - Rate limit for SGSN context response (packets per second). type: int more...

support-ext-hdr-notify - Rate limit for support extension headers notification (packets per second). type: int more...

update-mbms-request - Rate limit for update MBMS context request (packets per second). type: int more...

update-mbms-response - Rate limit for update MBMS context response (packets per second). type: int more...

update-pdp-request - Rate limit for update PDP context request (packets per second). type: int more...

update-pdp-response - Rate limit for update PDP context response (packets per second). type: int more...

version-not-support - Rate limit for version not supported (packets per second). type: int more...

message-rate-limit-v0 type: dict

create-pdp-request - Rate limit (packets/s) for create PDP context request. type: int more...

delete-pdp-request - Rate limit (packets/s) for delete PDP context request. type: int more...

echo-request - Rate limit (packets/s) for echo request. type: int more...

message-rate-limit-v1 type: dict

create-pdp-request - Rate limit (packets/s) for create PDP context request. type: int more...

delete-pdp-request - Rate limit (packets/s) for delete PDP context request. type: int more...

echo-request - Rate limit (packets/s) for echo request. type: int more...

message-rate-limit-v2 type: dict

create-session-request - Rate limit (packets/s) for create session request. type: int more...

delete-session-request - Rate limit (packets/s) for delete session request. type: int more...

echo-request - Rate limit (packets/s) for echo request. type: int more...

ie-allow-list-v0v1 - IE allow list. type: str more...

ie-allow-list-v2 - IE allow list. type: str more...

rat-timeout-profile - RAT timeout profile. type: str more...

message-filter type: dict

create-aa-pdp - Create AA PDP. type: str choices: [allow, deny] more...

create-mbms - Create MBMS. type: str choices: [allow, deny] more...

create-pdp - Create PDP. type: str choices: [allow, deny] more...

data-record - Data record. type: str choices: [allow, deny] more...

delete-aa-pdp - Delete AA PDP. type: str choices: [allow, deny] more...

delete-mbms - Delete MBMS. type: str choices: [allow, deny] more...

delete-pdp - Delete PDP. type: str choices: [allow, deny] more...

echo - Echo. type: str choices: [allow, deny] more...

error-indication - Error indication. type: str choices: [allow, deny] more...

failure-report - Failure report. type: str choices: [allow, deny] more...

fwd-relocation - Forward relocation. type: str choices: [allow, deny] more...

fwd-srns-context - Forward SRNS context. type: str choices: [allow, deny] more...

gtp-pdu - GTP PDU. type: str choices: [allow, deny] more...

identification - Identification. type: str choices: [allow, deny] more...

mbms-notification - MBMS notification. type: str choices: [allow, deny] more...

node-alive - Node alive. type: str choices: [allow, deny] more...

note-ms-present - Note MS present. type: str choices: [allow, deny] more...

pdu-notification - PDU notification. type: str choices: [allow, deny] more...

ran-info - Ran info. type: str choices: [allow, deny] more...

redirection - Redirection. type: str choices: [allow, deny] more...

relocation-cancel - Relocation cancel. type: str choices: [allow, deny] more...

send-route - Send route. type: str choices: [allow, deny] more...

sgsn-context - SGSN context. type: str choices: [allow, deny] more...

support-extension - Support extension. type: str choices: [allow, deny] more...

unknown-message-action - Unknown message action. type: str choices: [allow, deny] more...

update-mbms - Update MBMS. type: str choices: [allow, deny] more...

update-pdp - Update PDP. type: str choices: [allow, deny] more...

version-not-support - Version not supported. type: str choices: [allow, deny] more...

Notes ¶

Note

Running in workspace locking mode is supported in this FortiManager module, the top level parameters workspace_locking_adom and workspace_locking_timeout help do the work.
To create or update an object, use state: present directive.
To delete an object, use state: absent directive
Normally, running one module can fail when a non-zero rc is returned. you can also override the conditions to fail or succeed with parameters rc_failed and rc_succeeded

Examples ¶

- hosts: fortimanager00
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
     ansible_httpapi_use_ssl: True
     ansible_httpapi_validate_certs: False
     ansible_httpapi_port: 443
  tasks:
   - name: Configure GTP.
     fmgr_firewall_gtp:
        bypass_validation: False
        adom: FortiCarrier # This is FOC-only object, need a FortiCarrier adom
        state: present
        firewall_gtp:
           monitor-mode: disable #<value in [disable, enable, vdom]>
           name: 'ansible-test'

- name: gathering fortimanager facts
  hosts: fortimanager00
  gather_facts: no
  connection: httpapi
  collections:
    - fortinet.fortimanager
  vars:
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
   - name: retrieve all the GTPs
     fmgr_fact:
       facts:
           selector: 'firewall_gtp'
           params:
               adom: 'FortiCarrier' # This is FOC-only object, need a FortiCarrier adom
               gtp: 'your_value'

Return Values ¶

Common return values are documented: https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values, the following are the fields unique to this module:

meta - The result of the request.returned: always type: dict

request_url - The full url requested. returned: always type: str sample: /sys/login/user
response_code - The status of api request. returned: always type: int sample: 0
response_data - The data body of the api response. returned: optional type: list or dict
response_message - The descriptive message of the api response. returned: always type: str sample: OK
system_information - The information of the target system. returned: always type: dict

rc - The status the request. returned: always type: int 0
version_check_warning - Warning if the parameters used in the playbook are not supported by the current FortiManager version. returned: if at least on parameter mpt supported by the current FortiManager version type: list 0

Status ¶

This module is not guaranteed to have a backwards compatible interface.

Authors ¶

Xinwei Du (@dux-fortinet)
Xing Li (@lix-fortinet)
Jie Xue (@JieX19)
Link Zheng (@chillancezen)
Frank Shen (@fshen01)
Hongbin Lu (@fgtdev-hblu)

Hint

If you notice any issues in this documentation, you can create a pull request to improve it.