fmgr_secprof_voip – VOIP security profiles in FMG
New in version 2.8.
Synopsis
- Manage VOIP security profiles in FortiManager via API
Parameters
Parameter | Choices/Defaults | Comments |
---|---|---|
adom - | Default: "root" | The ADOM the configuration should belong to. |
comment - | Comment. | |
mode - |
| Sets one of three modes for managing the object. Allows use of soft-adds instead of overwriting existing values |
name - | Profile name. | |
sccp - | EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS | |
sccp_block_mcast - |
| Enable/disable block multicast RTP connections. choice | disable | Disable status. choice | enable | Enable status. |
sccp_log_call_summary - |
| Enable/disable log summary of SCCP calls. choice | disable | Disable status. choice | enable | Enable status. |
sccp_log_violations - |
| Enable/disable logging of SCCP violations. choice | disable | Disable status. choice | enable | Enable status. |
sccp_max_calls - | Maximum calls per minute per SCCP client (max 65535). | |
sccp_status - |
| Enable/disable SCCP. choice | disable | Disable status. choice | enable | Enable status. |
sccp_verify_header - |
| Enable/disable verify SCCP header content. choice | disable | Disable status. choice | enable | Enable status. |
sip - | EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED! List of multiple child objects to be added. Expects a list of dictionaries. Dictionaries must use FortiManager API parameters, not the ansible ones listed below. If submitted, all other prefixed sub-parameters ARE IGNORED. This object is MUTUALLY EXCLUSIVE with its options. We expect that you know what you are doing with these list parameters, and are leveraging the JSON API Guide. WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE TASKS | |
sip_ack_rate - | ACK request rate limit (per second, per policy). | |
sip_block_ack - |
| Enable/disable block ACK requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_bye - |
| Enable/disable block BYE requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_cancel - |
| Enable/disable block CANCEL requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_geo_red_options - |
| Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_info - |
| Enable/disable block INFO requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_invite - |
| Enable/disable block INVITE requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_long_lines - |
| Enable/disable block requests with headers exceeding max-line-length. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_message - |
| Enable/disable block MESSAGE requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_notify - |
| Enable/disable block NOTIFY requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_options - |
| Enable/disable block OPTIONS requests and no OPTIONS as notifying message for redundancy either. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_prack - |
| Enable/disable block prack requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_publish - |
| Enable/disable block PUBLISH requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_refer - |
| Enable/disable block REFER requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_register - |
| Enable/disable block REGISTER requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_subscribe - |
| Enable/disable block SUBSCRIBE requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_block_unknown - |
| Block unrecognized SIP requests (enabled by default). choice | disable | Disable status. choice | enable | Enable status. |
sip_block_update - |
| Enable/disable block UPDATE requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_bye_rate - | BYE request rate limit (per second, per policy). | |
sip_call_keepalive - | Continue tracking calls with no RTP for this many minutes. | |
sip_cancel_rate - | CANCEL request rate limit (per second, per policy). | |
sip_contact_fixup - |
| Fixup contact anyway even if contact's IP|port doesn't match session's IP|port. choice | disable | Disable status. choice | enable | Enable status. |
sip_hnt_restrict_source_ip - |
| Enable/disable restrict RTP source IP to be the same as SIP source IP when HNT is enabled. choice | disable | Disable status. choice | enable | Enable status. |
sip_hosted_nat_traversal - |
| Hosted NAT Traversal (HNT). choice | disable | Disable status. choice | enable | Enable status. |
sip_info_rate - | INFO request rate limit (per second, per policy). | |
sip_invite_rate - | INVITE request rate limit (per second, per policy). | |
sip_ips_rtp - |
| Enable/disable allow IPS on RTP. choice | disable | Disable status. choice | enable | Enable status. |
sip_log_call_summary - |
| Enable/disable logging of SIP call summary. choice | disable | Disable status. choice | enable | Enable status. |
sip_log_violations - |
| Enable/disable logging of SIP violations. choice | disable | Disable status. choice | enable | Enable status. |
sip_malformed_header_allow - |
| Action for malformed Allow header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_call_id - |
| Action for malformed Call-ID header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_contact - |
| Action for malformed Contact header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_content_length - |
| Action for malformed Content-Length header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_content_type - |
| Action for malformed Content-Type header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_cseq - |
| Action for malformed CSeq header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_expires - |
| Action for malformed Expires header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_from - |
| Action for malformed From header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_max_forwards - |
| Action for malformed Max-Forwards header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_p_asserted_identity - |
| Action for malformed P-Asserted-Identity header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_rack - |
| Action for malformed RAck header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_record_route - |
| Action for malformed Record-Route header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_route - |
| Action for malformed Route header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_rseq - |
| Action for malformed RSeq header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_a - |
| Action for malformed SDP a line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_b - |
| Action for malformed SDP b line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_c - |
| Action for malformed SDP c line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_i - |
| Action for malformed SDP i line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_k - |
| Action for malformed SDP k line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_m - |
| Action for malformed SDP m line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_o - |
| Action for malformed SDP o line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_r - |
| Action for malformed SDP r line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_s - |
| Action for malformed SDP s line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_t - |
| Action for malformed SDP t line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_v - |
| Action for malformed SDP v line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_sdp_z - |
| Action for malformed SDP z line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_to - |
| Action for malformed To header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_header_via - |
| Action for malformed VIA header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_malformed_request_line - |
| Action for malformed request line. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_max_body_length - | Maximum SIP message body length (0 meaning no limit). | |
sip_max_dialogs - | Maximum number of concurrent calls/dialogs (per policy). | |
sip_max_idle_dialogs - | Maximum number established but idle dialogs to retain (per policy). | |
sip_max_line_length - | Maximum SIP header line length (78-4096). | |
sip_message_rate - | MESSAGE request rate limit (per second, per policy). | |
sip_nat_trace - |
| Enable/disable preservation of original IP in SDP i line. choice | disable | Disable status. choice | enable | Enable status. |
sip_no_sdp_fixup - |
| Enable/disable no SDP fix-up. choice | disable | Disable status. choice | enable | Enable status. |
sip_notify_rate - | NOTIFY request rate limit (per second, per policy). | |
sip_open_contact_pinhole - |
| Enable/disable open pinhole for non-REGISTER Contact port. choice | disable | Disable status. choice | enable | Enable status. |
sip_open_record_route_pinhole - |
| Enable/disable open pinhole for Record-Route port. choice | disable | Disable status. choice | enable | Enable status. |
sip_open_register_pinhole - |
| Enable/disable open pinhole for REGISTER Contact port. choice | disable | Disable status. choice | enable | Enable status. |
sip_open_via_pinhole - |
| Enable/disable open pinhole for Via port. choice | disable | Disable status. choice | enable | Enable status. |
sip_options_rate - | OPTIONS request rate limit (per second, per policy). | |
sip_prack_rate - | PRACK request rate limit (per second, per policy). | |
sip_preserve_override - |
| Override i line to preserve original IPS (default| append). choice | disable | Disable status. choice | enable | Enable status. |
sip_provisional_invite_expiry_time - | Expiry time for provisional INVITE (10 - 3600 sec). | |
sip_publish_rate - | PUBLISH request rate limit (per second, per policy). | |
sip_refer_rate - | REFER request rate limit (per second, per policy). | |
sip_register_contact_trace - |
| Enable/disable trace original IP/port within the contact header of REGISTER requests. choice | disable | Disable status. choice | enable | Enable status. |
sip_register_rate - | REGISTER request rate limit (per second, per policy). | |
sip_rfc2543_branch - |
| Enable/disable support via branch compliant with RFC 2543. choice | disable | Disable status. choice | enable | Enable status. |
sip_rtp - |
| Enable/disable create pinholes for RTP traffic to traverse firewall. choice | disable | Disable status. choice | enable | Enable status. |
sip_ssl_algorithm - |
| Relative strength of encryption algorithms accepted in negotiation. choice | high | High encryption. Allow only AES and ChaCha. choice | medium | Medium encryption. Allow AES, ChaCha, 3DES, and RC4. choice | low | Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES. |
sip_ssl_auth_client - | Require a client certificate and authenticate it with the peer/peergrp. | |
sip_ssl_auth_server - | Authenticate the server's certificate with the peer/peergrp. | |
sip_ssl_client_certificate - | Name of Certificate to offer to server if requested. | |
sip_ssl_client_renegotiation - |
| Allow/block client renegotiation by server. choice | allow | Allow a SSL client to renegotiate. choice | deny | Abort any SSL connection that attempts to renegotiate. choice | secure | Reject any SSL connection that does not offer a RFC 5746 Secure Renegotiation Indication. |
sip_ssl_max_version - |
| Highest SSL/TLS version to negotiate. choice | ssl-3.0 | SSL 3.0. choice | tls-1.0 | TLS 1.0. choice | tls-1.1 | TLS 1.1. choice | tls-1.2 | TLS 1.2. |
sip_ssl_min_version - |
| Lowest SSL/TLS version to negotiate. choice | ssl-3.0 | SSL 3.0. choice | tls-1.0 | TLS 1.0. choice | tls-1.1 | TLS 1.1. choice | tls-1.2 | TLS 1.2. |
sip_ssl_mode - |
| SSL/TLS mode for encryption & decryption of traffic. choice | off | No SSL. choice | full | Client to FortiGate and FortiGate to Server SSL. |
sip_ssl_pfs - |
| SSL Perfect Forward Secrecy. choice | require | PFS mandatory. choice | deny | PFS rejected. choice | allow | PFS allowed. |
sip_ssl_send_empty_frags - |
| Send empty fragments to avoid attack on CBC IV (SSL 3.0 & TLS 1.0 only). choice | disable | Do not send empty fragments. choice | enable | Send empty fragments. |
sip_ssl_server_certificate - | Name of Certificate return to the client in every SSL connection. | |
sip_status - |
| Enable/disable SIP. choice | disable | Disable status. choice | enable | Enable status. |
sip_strict_register - |
| Enable/disable only allow the registrar to connect. choice | disable | Disable status. choice | enable | Enable status. |
sip_subscribe_rate - | SUBSCRIBE request rate limit (per second, per policy). | |
sip_unknown_header - |
| Action for unknown SIP header. choice | pass | Bypass malformed messages. choice | discard | Discard malformed messages. choice | respond | Respond with error code. |
sip_update_rate - | UPDATE request rate limit (per second, per policy). |
Notes
Note
- Full Documentation at https://ftnt-ansible-docs.readthedocs.io/en/latest/.
Examples
- name: DELETE Profile fmgr_secprof_voip: name: "Ansible_VOIP_Profile" mode: "delete" - name: Create FMGR_VOIP_PROFILE fmgr_secprof_voip: mode: "set" adom: "root" name: "Ansible_VOIP_Profile" comment: "Created by Ansible" sccp: {block-mcast: "enable", log-call-summary: "enable", log-violations: "enable", status: "enable"}
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
api_result string | always | full API response, includes status code and message |
Status
- This module is not guaranteed to have a backwards compatible interface. [preview]
- This module is maintained by the Ansible Community. [community]
Authors
- Luke Weighall (@lweighall)
- Andrew Welsh (@Ghilli3)
- Jim Huber (@p4r4n0y1ng)
Hint
If you notice any issues in this documentation, you can edit this document to improve it.
© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.9/modules/fmgr_secprof_voip_module.html