fmgr_firewall_gtp – Configure GTP.
New in version 2.10.
Synopsis
- This module is able to configure a FortiManager device.
- Examples include all parameters, and values need to be adjusted to data sources before usage.
- Tested with FortiManager v6.0.0.
Requirements
The below requirements are needed on the host that executes this module.
- ansible>=2.9.0
Parameters
- bypass_validation - Only set to True when the module schema differs from the FortiManager API structure; the module then continues to execute without validating parameters. type: bool required: false default: False
- workspace_locking_adom - Acquire the workspace lock if FortiManager is running in workspace mode type: str required: false choices: global, custom adom including root
- workspace_locking_timeout - The maximum time in seconds to wait for other users to release workspace lock type: integer required: false default: 300
- rc_succeeded - The list of rc codes that overrides the conditions to succeed type: list required: false
- rc_failed - The list of rc codes that overrides the conditions to fail type: list required: false
- state - The directive to create, update or delete an object type: str required: true choices: present, absent
- adom - The parameter in requested url type: str required: true
- firewall_gtp - Configure GTP. type: dict
  - addr-notify - overbilling notify address type: str
  - apn - No description for the parameter type: array
    - action - Action. type: str choices: [allow, deny]
    - apnmember - APN member. type: str
    - id - ID. type: int
    - selection-mode - No description for the parameter type: array choices: [ms, net, vrf]
  - apn-filter - apn filter type: str choices: [disable, enable]
  - authorized-ggsns - Authorized GGSN group type: str
  - authorized-sgsns - Authorized SGSN group type: str
  - comment - Comment. type: str
  - context-id - Overbilling context. type: int
  - control-plane-message-rate-limit - control plane message rate limit type: int
  - default-apn-action - default apn action type: str choices: [allow, deny]
  - default-imsi-action - default imsi action type: str choices: [allow, deny]
  - default-ip-action - default action for encapsulated IP traffic type: str choices: [allow, deny]
  - default-noip-action - default action for encapsulated non-IP traffic type: str choices: [allow, deny]
  - default-policy-action - default advanced policy action type: str choices: [allow, deny]
  - denied-log - log denied type: str choices: [disable, enable]
  - echo-request-interval - echo request interval (in seconds) type: int
  - extension-log - log in extension format type: str choices: [disable, enable]
  - forwarded-log - log forwarded type: str choices: [disable, enable]
  - global-tunnel-limit - Global tunnel limit. type: str
  - gtp-in-gtp - gtp in gtp type: str choices: [allow, deny]
  - gtpu-denied-log - Enable/disable logging of denied GTP-U packets. type: str choices: [disable, enable]
  - gtpu-forwarded-log - Enable/disable logging of forwarded GTP-U packets. type: str choices: [disable, enable]
  - gtpu-log-freq - Logging of frequency of GTP-U packets. type: int
  - half-close-timeout - Half-close tunnel timeout (in seconds). type: int
  - half-open-timeout - Half-open tunnel timeout (in seconds). type: int
  - handover-group - Handover SGSN group type: str
  - ie-remove-policy - No description for the parameter type: array
    - id - ID. type: int
    - remove-ies - No description for the parameter type: array choices: [apn-restriction, rat-type, rai, uli, imei]
    - sgsn-addr - SGSN address name. type: str
  - ie-remover - IE removal policy. type: str choices: [disable, enable]
  - ie-white-list-v0v1 - IE white list. type: str
  - ie-white-list-v2 - IE white list. type: str
  - imsi - No description for the parameter type: array
    - action - Action. type: str choices: [allow, deny]
    - apnmember - APN member. type: str
    - id - ID. type: int
    - mcc-mnc - MCC MNC. type: str
    - msisdn-prefix - MSISDN prefix. type: str
    - selection-mode - No description for the parameter type: array choices: [ms, net, vrf]
  - imsi-filter - imsi filter type: str choices: [disable, enable]
  - interface-notify - overbilling interface type: str
  - invalid-reserved-field - Invalid reserved field in GTP header type: str choices: [allow, deny]
  - invalid-sgsns-to-log - Invalid SGSN group to be logged type: str
  - ip-filter - IP filter for encapsulated traffic type: str choices: [disable, enable]
  - ip-policy - No description for the parameter type: array
    - action - Action. type: str choices: [allow, deny]
    - dstaddr - Destination address name. type: str
    - id - ID. type: int
    - srcaddr - Source address name. type: str
  - log-freq - Logging of frequency of GTP-C packets. type: int
  - log-gtpu-limit - the user data log limit (0-512 bytes) type: int
  - log-imsi-prefix - IMSI prefix for selective logging. type: str
  - log-msisdn-prefix - the msisdn prefix for selective logging type: str
  - max-message-length - max message length type: int
  - message-filter-v0v1 - Message filter. type: str
  - message-filter-v2 - Message filter. type: str
  - min-message-length - min message length type: int
  - miss-must-ie - Missing mandatory information element type: str choices: [allow, deny]
  - monitor-mode - GTP monitor mode type: str choices: [disable, enable, vdom]
  - name - Profile name. type: str
  - noip-filter - non-IP filter for encapsulated traffic type: str choices: [disable, enable]
  - noip-policy - No description for the parameter type: array
    - action - Action. type: str choices: [allow, deny]
    - end - End of protocol range (0 - 255). type: int
    - id - ID. type: int
    - start - Start of protocol range (0 - 255). type: int
    - type - Protocol field type. type: str choices: [etsi, ietf]
  - out-of-state-ie - Out of state information element. type: str choices: [allow, deny]
  - out-of-state-message - Out of state GTP message type: str choices: [allow, deny]
  - per-apn-shaper - No description for the parameter type: array
    - apn - APN name. type: str
    - id - ID. type: int
    - rate-limit - Rate limit (packets/s) for create PDP context request. type: int
    - version - GTP version number: 0 or 1. type: int
  - policy - No description for the parameter type: array
    - action - Action. type: str choices: [allow, deny]
    - apn-sel-mode - No description for the parameter type: array choices: [ms, net, vrf]
    - apnmember - APN member. type: str
    - id - ID. type: int
    - imei - IMEI(SV) pattern. type: str
    - imsi - IMSI prefix. type: str
    - max-apn-restriction - Maximum APN restriction value. type: str choices: [all, public-1, public-2, private-1, private-2]
    - messages - No description for the parameter type: array choices: [create-req, create-res, update-req, update-res]
    - msisdn - MSISDN prefix. type: str
    - rai - RAI pattern. type: str
    - rat-type - No description for the parameter type: array choices: [any, utran, geran, wlan, gan, hspa, eutran, virtual, nbiot]
    - uli - ULI pattern. type: str
  - policy-filter - Advanced policy filter type: str choices: [disable, enable]
  - port-notify - overbilling notify port type: int
  - rate-limit-mode - GTP rate limit mode. type: str choices: [per-profile, per-stream, per-apn]
  - rate-limited-log - log rate limited type: str choices: [disable, enable]
  - rate-sampling-interval - rate sampling interval (1-3600 seconds) type: int
  - remove-if-echo-expires - remove if echo response expires type: str choices: [disable, enable]
  - remove-if-recovery-differ - remove upon different Recovery IE type: str choices: [disable, enable]
  - reserved-ie - reserved information element type: str choices: [allow, deny]
  - send-delete-when-timeout - send DELETE request to path endpoints when GTPv0/v1 tunnel timeout. type: str choices: [disable, enable]
  - send-delete-when-timeout-v2 - send DELETE request to path endpoints when GTPv2 tunnel timeout. type: str choices: [disable, enable]
  - spoof-src-addr - Spoofed source address for Mobile Station. type: str choices: [allow, deny]
  - state-invalid-log - log state invalid type: str choices: [disable, enable]
  - traffic-count-log - log tunnel traffic counter type: str choices: [disable, enable]
  - tunnel-limit - tunnel limit type: int
  - tunnel-limit-log - tunnel limit type: str choices: [disable, enable]
  - tunnel-timeout - Established tunnel timeout (in seconds). type: int
  - unknown-version-action - action for unknown gtp version type: str choices: [allow, deny]
  - user-plane-message-rate-limit - user plane message rate limit type: int
  - warning-threshold - Warning threshold for rate limiting (0 - 99 percent). type: int
Notes
Note
- Running in workspace locking mode is supported in this FortiManager module; the top-level parameters workspace_locking_adom and workspace_locking_timeout are used for this.
- To create or update an object, use the state: present directive.
- To delete an object, use the state: absent directive.
- Normally, running one module can fail when a non-zero rc is returned. You can also override the conditions to fail or succeed with the parameters rc_failed and rc_succeeded.
Examples
```yaml
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # False skips TLS certificate verification of the FortiManager host;
    # use True once the host presents a trusted certificate.
    ansible_httpapi_validate_certs: False
    ansible_httpapi_port: 443
  tasks:
    - name: Configure GTP.
      fmgr_firewall_gtp:
        bypass_validation: False
        workspace_locking_adom: <value in [global, custom adom including root]>
        workspace_locking_timeout: 300
        rc_succeeded: [0, -2, -3, ...]
        rc_failed: [-2, -3, ...]
        adom: <your own value>
        state: <value in [present, absent]>
        firewall_gtp:
          addr-notify: <value of string>
          apn:
            -
              action: <value in [allow, deny]>
              apnmember: <value of string>
              id: <value of integer>
              selection-mode:
                - ms
                - net
                - vrf
          apn-filter: <value in [disable, enable]>
          authorized-ggsns: <value of string>
          authorized-sgsns: <value of string>
          comment: <value of string>
          context-id: <value of integer>
          control-plane-message-rate-limit: <value of integer>
          default-apn-action: <value in [allow, deny]>
          default-imsi-action: <value in [allow, deny]>
          default-ip-action: <value in [allow, deny]>
          default-noip-action: <value in [allow, deny]>
          default-policy-action: <value in [allow, deny]>
          denied-log: <value in [disable, enable]>
          echo-request-interval: <value of integer>
          extension-log: <value in [disable, enable]>
          forwarded-log: <value in [disable, enable]>
          global-tunnel-limit: <value of string>
          gtp-in-gtp: <value in [allow, deny]>
          gtpu-denied-log: <value in [disable, enable]>
          gtpu-forwarded-log: <value in [disable, enable]>
          gtpu-log-freq: <value of integer>
          half-close-timeout: <value of integer>
          half-open-timeout: <value of integer>
          handover-group: <value of string>
          ie-remove-policy:
            -
              id: <value of integer>
              remove-ies:
                - apn-restriction
                - rat-type
                - rai
                - uli
                - imei
              sgsn-addr: <value of string>
          ie-remover: <value in [disable, enable]>
          ie-white-list-v0v1: <value of string>
          ie-white-list-v2: <value of string>
          imsi:
            -
              action: <value in [allow, deny]>
              apnmember: <value of string>
              id: <value of integer>
              mcc-mnc: <value of string>
              msisdn-prefix: <value of string>
              selection-mode:
                - ms
                - net
                - vrf
          imsi-filter: <value in [disable, enable]>
          interface-notify: <value of string>
          invalid-reserved-field: <value in [allow, deny]>
          invalid-sgsns-to-log: <value of string>
          ip-filter: <value in [disable, enable]>
          ip-policy:
            -
              action: <value in [allow, deny]>
              dstaddr: <value of string>
              id: <value of integer>
              srcaddr: <value of string>
          log-freq: <value of integer>
          log-gtpu-limit: <value of integer>
          log-imsi-prefix: <value of string>
          log-msisdn-prefix: <value of string>
          max-message-length: <value of integer>
          message-filter-v0v1: <value of string>
          message-filter-v2: <value of string>
          min-message-length: <value of integer>
          miss-must-ie: <value in [allow, deny]>
          monitor-mode: <value in [disable, enable, vdom]>
          name: <value of string>
          noip-filter: <value in [disable, enable]>
          noip-policy:
            -
              action: <value in [allow, deny]>
              end: <value of integer>
              id: <value of integer>
              start: <value of integer>
              type: <value in [etsi, ietf]>
          out-of-state-ie: <value in [allow, deny]>
          out-of-state-message: <value in [allow, deny]>
          per-apn-shaper:
            -
              apn: <value of string>
              id: <value of integer>
              rate-limit: <value of integer>
              version: <value of integer>
          policy:
            -
              action: <value in [allow, deny]>
              apn-sel-mode:
                - ms
                - net
                - vrf
              apnmember: <value of string>
              id: <value of integer>
              imei: <value of string>
              imsi: <value of string>
              max-apn-restriction: <value in [all, public-1, public-2, ...]>
              messages:
                - create-req
                - create-res
                - update-req
                - update-res
              msisdn: <value of string>
              rai: <value of string>
              rat-type:
                - any
                - utran
                - geran
                - wlan
                - gan
                - hspa
                - eutran
                - virtual
                - nbiot
              uli: <value of string>
          policy-filter: <value in [disable, enable]>
          port-notify: <value of integer>
          rate-limit-mode: <value in [per-profile, per-stream, per-apn]>
          rate-limited-log: <value in [disable, enable]>
          rate-sampling-interval: <value of integer>
          remove-if-echo-expires: <value in [disable, enable]>
          remove-if-recovery-differ: <value in [disable, enable]>
          reserved-ie: <value in [allow, deny]>
          send-delete-when-timeout: <value in [disable, enable]>
          send-delete-when-timeout-v2: <value in [disable, enable]>
          spoof-src-addr: <value in [allow, deny]>
          state-invalid-log: <value in [disable, enable]>
          traffic-count-log: <value in [disable, enable]>
          tunnel-limit: <value of integer>
          tunnel-limit-log: <value in [disable, enable]>
          tunnel-timeout: <value of integer>
          unknown-version-action: <value in [allow, deny]>
          user-plane-message-rate-limit: <value of integer>
          warning-threshold: <value of integer>
```
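A concrete profile that rejects GTP protocol anomalies and logs what it drops, using only parameters listed on this page. This is an added example, not part of the original module documentation. The inventory group, the ADOM `root` and the profile name `gtp-strict` are assumed values, and the choice of `deny`/`enable` is an illustrative baseline, not a vendor recommendation.

```yaml
# Added example (not from the module documentation).
# Assumed values: inventory group, ADOM "root", profile name "gtp-strict".
- hosts: fortimanager-inventory
  collections:
    - fortinet.fortimanager
  connection: httpapi
  vars:
    ansible_httpapi_use_ssl: True
    # Verify the FortiManager certificate instead of skipping validation.
    ansible_httpapi_validate_certs: True
    ansible_httpapi_port: 443
  tasks:
    - name: Create a GTP profile that denies protocol anomalies and logs them
      fmgr_firewall_gtp:
        bypass_validation: False
        # Only takes effect when FortiManager runs in workspace mode.
        workspace_locking_adom: root
        workspace_locking_timeout: 300
        adom: root
        state: present
        firewall_gtp:
          name: gtp-strict
          comment: Deny malformed or out-of-state GTP and log denials
          # Header and information-element anomalies: drop instead of forward.
          unknown-version-action: deny
          invalid-reserved-field: deny
          reserved-ie: deny
          miss-must-ie: deny
          # State tracking: drop messages and IEs that do not fit tunnel state.
          out-of-state-message: deny
          out-of-state-ie: deny
          # Encapsulation abuse: nested GTP and spoofed Mobile Station sources.
          gtp-in-gtp: deny
          spoof-src-addr: deny
          # Keep an audit trail for every class of dropped traffic.
          denied-log: enable
          gtpu-denied-log: enable
          state-invalid-log: enable
          rate-limited-log: enable
          tunnel-limit-log: enable
```

The `default-*-action` parameters and the `apn`, `imsi`, `ip-policy` and `policy` filter lists are left unset here because their values depend on the operator's own APN and subscriber data.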
Return Values
Common return values are documented at https://docs.ansible.com/ansible/latest/reference_appendices/common_return_values.html#common-return-values. The following fields are unique to this module:
- request_url - The full url requested returned: always type: str sample: /sys/login/user
- response_code - The status of api request returned: always type: int sample: 0
- response_message - The descriptive message of the api response returned: always type: str sample: OK
- response_data - The data body of the api response returned: optional type: list or dict