fmgr_secprof_voip – VOIP security profiles in FMG

New in version 2.8.

Synopsis

  • Manage VOIP security profiles in FortiManager via API

Parameters

Parameter Choices/Defaults Comments
adom
-
Default:
"root"
The ADOM the configuration should belong to.
comment
-
Comment.
mode
-
    Choices:
  • add
  • set
  • delete
  • update
Sets one of three modes for managing the object.
Allows use of soft-adds instead of overwriting existing values
name
-
Profile name.
sccp
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
sccp_block_mcast
-
    Choices:
  • disable
  • enable
Enable/disable block multicast RTP connections.
choice | disable | Disable status.
choice | enable | Enable status.
sccp_log_call_summary
-
    Choices:
  • disable
  • enable
Enable/disable log summary of SCCP calls.
choice | disable | Disable status.
choice | enable | Enable status.
sccp_log_violations
-
    Choices:
  • disable
  • enable
Enable/disable logging of SCCP violations.
choice | disable | Disable status.
choice | enable | Enable status.
sccp_max_calls
-
Maximum calls per minute per SCCP client (max 65535).
sccp_status
-
    Choices:
  • disable
  • enable
Enable/disable SCCP.
choice | disable | Disable status.
choice | enable | Enable status.
sccp_verify_header
-
    Choices:
  • disable
  • enable
Enable/disable verify SCCP header content.
choice | disable | Disable status.
choice | enable | Enable status.
sip
-
EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
List of multiple child objects to be added. Expects a list of dictionaries.
Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
If submitted, all other prefixed sub-parameters ARE IGNORED.
This object is MUTUALLY EXCLUSIVE with its options.
We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide.
WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS
sip_ack_rate
-
ACK request rate limit (per second, per policy).
sip_block_ack
-
    Choices:
  • disable
  • enable
Enable/disable block ACK requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_bye
-
    Choices:
  • disable
  • enable
Enable/disable block BYE requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_cancel
-
    Choices:
  • disable
  • enable
Enable/disable block CANCEL requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_geo_red_options
-
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_info
-
    Choices:
  • disable
  • enable
Enable/disable block INFO requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_invite
-
    Choices:
  • disable
  • enable
Enable/disable block INVITE requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_long_lines
-
    Choices:
  • disable
  • enable
Enable/disable block requests with headers exceeding max-line-length.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_message
-
    Choices:
  • disable
  • enable
Enable/disable block MESSAGE requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_notify
-
    Choices:
  • disable
  • enable
Enable/disable block NOTIFY requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_options
-
    Choices:
  • disable
  • enable
Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_prack
-
    Choices:
  • disable
  • enable
Enable/disable block prack requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_publish
-
    Choices:
  • disable
  • enable
Enable/disable block PUBLISH requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_refer
-
    Choices:
  • disable
  • enable
Enable/disable block REFER requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_register
-
    Choices:
  • disable
  • enable
Enable/disable block REGISTER requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_subscribe
-
    Choices:
  • disable
  • enable
Enable/disable block SUBSCRIBE requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_unknown
-
    Choices:
  • disable
  • enable
Block unrecognized SIP requests (enabled by default).
choice | disable | Disable status.
choice | enable | Enable status.
sip_block_update
-
    Choices:
  • disable
  • enable
Enable/disable block UPDATE requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_bye_rate
-
BYE request rate limit (per second, per policy).
sip_call_keepalive
-
Continue tracking calls with no RTP for this many minutes.
sip_cancel_rate
-
CANCEL request rate limit (per second, per policy).
sip_contact_fixup
-
    Choices:
  • disable
  • enable
Fixup contact anyway even if contact's IP|port doesn't match session's IP|port.
choice | disable | Disable status.
choice | enable | Enable status.
sip_hnt_restrict_source_ip
-
    Choices:
  • disable
  • enable
Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled.
choice | disable | Disable status.
choice | enable | Enable status.
sip_hosted_nat_traversal
-
    Choices:
  • disable
  • enable
Hosted NAT Traversal (HNT).
choice | disable | Disable status.
choice | enable | Enable status.
sip_info_rate
-
INFO request rate limit (per second, per policy).
sip_invite_rate
-
INVITE request rate limit (per second, per policy).
sip_ips_rtp
-
    Choices:
  • disable
  • enable
Enable/disable allow IPS on RTP.
choice | disable | Disable status.
choice | enable | Enable status.
sip_log_call_summary
-
    Choices:
  • disable
  • enable
Enable/disable logging of SIP call summary.
choice | disable | Disable status.
choice | enable | Enable status.
sip_log_violations
-
    Choices:
  • disable
  • enable
Enable/disable logging of SIP violations.
choice | disable | Disable status.
choice | enable | Enable status.
sip_malformed_header_allow
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Allow header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_call_id
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Call-ID header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_contact
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Contact header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_content_length
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Content-Length header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_content_type
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Content-Type header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_cseq
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed CSeq header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_expires
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Expires header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_from
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed From header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_max_forwards
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Max-Forwards header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_p_asserted_identity
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed P-Asserted-Identity header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_rack
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed RAck header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_record_route
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Record-Route header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_route
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed Route header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_rseq
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed RSeq header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_a
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP a line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_b
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP b line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_c
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP c line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_i
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP i line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_k
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP k line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_m
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP m line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_o
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP o line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_r
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP r line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_s
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP s line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_t
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP t line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_v
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP v line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_sdp_z
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed SDP z line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_to
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed To header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_header_via
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed VIA header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_malformed_request_line
-
    Choices:
  • pass
  • discard
  • respond
Action for malformed request line.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_max_body_length
-
Maximum SIP message body length (0 meaning no limit).
sip_max_dialogs
-
Maximum number of concurrent calls/dialogs (per policy).
sip_max_idle_dialogs
-
Maximum number established but idle dialogs to retain (per policy).
sip_max_line_length
-
Maximum SIP header line length (78-4096).
sip_message_rate
-
MESSAGE request rate limit (per second, per policy).
sip_nat_trace
-
    Choices:
  • disable
  • enable
Enable/disable preservation of original IP in SDP i line.
choice | disable | Disable status.
choice | enable | Enable status.
sip_no_sdp_fixup
-
    Choices:
  • disable
  • enable
Enable/disable no SDP fix-up.
choice | disable | Disable status.
choice | enable | Enable status.
sip_notify_rate
-
NOTIFY request rate limit (per second, per policy).
sip_open_contact_pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for non-REGISTER Contact port.
choice | disable | Disable status.
choice | enable | Enable status.
sip_open_record_route_pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Record-Route port.
choice | disable | Disable status.
choice | enable | Enable status.
sip_open_register_pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for REGISTER Contact port.
choice | disable | Disable status.
choice | enable | Enable status.
sip_open_via_pinhole
-
    Choices:
  • disable
  • enable
Enable/disable open pinhole for Via port.
choice | disable | Disable status.
choice | enable | Enable status.
sip_options_rate
-
OPTIONS request rate limit (per second, per policy).
sip_prack_rate
-
PRACK request rate limit (per second, per policy).
sip_preserve_override
-
    Choices:
  • disable
  • enable
Override i line to preserve original IPS (default| append).
choice | disable | Disable status.
choice | enable | Enable status.
sip_provisional_invite_expiry_time
-
Expiry time for provisional INVITE (10 - 3600 sec).
sip_publish_rate
-
PUBLISH request rate limit (per second, per policy).
sip_refer_rate
-
REFER request rate limit (per second, per policy).
sip_register_contact_trace
-
    Choices:
  • disable
  • enable
Enable/disable trace original IP/port within the contact header of REGISTER requests.
choice | disable | Disable status.
choice | enable | Enable status.
sip_register_rate
-
REGISTER request rate limit (per second, per policy).
sip_rfc2543_branch
-
    Choices:
  • disable
  • enable
Enable/disable support via branch compliant with RFC 2543.
choice | disable | Disable status.
choice | enable | Enable status.
sip_rtp
-
    Choices:
  • disable
  • enable
Enable/disable create pinholes for RTP traffic to traverse firewall.
choice | disable | Disable status.
choice | enable | Enable status.
sip_ssl_algorithm
-
    Choices:
  • high
  • medium
  • low
Relative strength of encryption algorithms accepted in negotiation.
choice | high | High encryption. Allow only AES and ChaCha.
choice | medium | Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
choice | low | Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
sip_ssl_auth_client
-
Require a client certificate and authenticate it with the peer/peergrp.
sip_ssl_auth_server
-
Authenticate the server's certificate with the peer/peergrp.
sip_ssl_client_certificate
-
Name of Certificate to offer to server if requested.
sip_ssl_client_renegotiation
-
    Choices:
  • allow
  • deny
  • secure
Allow/block client renegotiation by server.
choice | allow | Allow a SSL client to renegotiate.
choice | deny | Abort any SSL connection that attempts to renegotiate.
choice | secure | Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication.
sip_ssl_max_version
-
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Highest SSL/TLS version to negotiate.
choice | ssl-3.0 | SSL 3.0.
choice | tls-1.0 | TLS 1.0.
choice | tls-1.1 | TLS 1.1.
choice | tls-1.2 | TLS 1.2.
sip_ssl_min_version
-
    Choices:
  • ssl-3.0
  • tls-1.0
  • tls-1.1
  • tls-1.2
Lowest SSL/TLS version to negotiate.
choice | ssl-3.0 | SSL 3.0.
choice | tls-1.0 | TLS 1.0.
choice | tls-1.1 | TLS 1.1.
choice | tls-1.2 | TLS 1.2.
sip_ssl_mode
-
    Choices:
  • off
  • full
SSL/TLS mode for encryption & decryption of traffic.
choice | off | No SSL.
choice | full | Client to FortiGate and FortiGate to Server SSL.
sip_ssl_pfs
-
    Choices:
  • require
  • deny
  • allow
SSL Perfect Forward Secrecy.
choice | require | PFS mandatory.
choice | deny | PFS rejected.
choice | allow | PFS allowed.
sip_ssl_send_empty_frags
-
    Choices:
  • disable
  • enable
Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only).
choice | disable | Do not send empty fragments.
choice | enable | Send empty fragments.
sip_ssl_server_certificate
-
Name of Certificate return to the client in every SSL connection.
sip_status
-
    Choices:
  • disable
  • enable
Enable/disable SIP.
choice | disable | Disable status.
choice | enable | Enable status.
sip_strict_register
-
    Choices:
  • disable
  • enable
Enable/disable only allow the registrar to connect.
choice | disable | Disable status.
choice | enable | Enable status.
sip_subscribe_rate
-
SUBSCRIBE request rate limit (per second, per policy).
sip_unknown_header
-
    Choices:
  • pass
  • discard
  • respond
Action for unknown SIP header.
choice | pass | Bypass malformed messages.
choice | discard | Discard malformed messages.
choice | respond | Respond with error code.
sip_update_rate
-
UPDATE request rate limit (per second, per policy).

Notes

Examples

- name: DELETE Profile
  fmgr_secprof_voip:
    name: "Ansible_VOIP_Profile"
    mode: "delete"

- name: Create FMGR_VOIP_PROFILE
  fmgr_secprof_voip:
    mode: "set"
    adom: "root"
    name: "Ansible_VOIP_Profile"
    comment: "Created by Ansible"
    sccp: {block-mcast: "enable", log-call-summary: "enable", log-violations: "enable", status: "enable"}

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
api_result
string
always
full API response, includes status code and message



Status

Authors

  • Luke Weighall (@lweighall)
  • Andrew Welsh (@Ghilli3)
  • Jim Huber (@p4r4n0y1ng)

Hint

If you notice any issues in this documentation you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/fmgr_secprof_voip_module.html