community.general.fmgr_secprof_voip (0.1.1) — module

VOIP security profiles in FMG

Authors: Luke Weighall (@lweighall), Andrew Welsh (@Ghilli3), Jim Huber (@p4r4n0y1ng)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Manage VOIP security profiles in FortiManager via API

Usage examples

  - name: DELETE Profile
    fmgr_secprof_voip:
      name: "Ansible_VOIP_Profile"
      mode: "delete"
  - name: Create FMGR_VOIP_PROFILE
    fmgr_secprof_voip:
      mode: "set"
      adom: "root"
      name: "Ansible_VOIP_Profile"
      comment: "Created by Ansible"
      sccp: {block-mcast: "enable", log-call-summary: "enable", log-violations: "enable", status: "enable"}

Inputs

    
sip:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other sip_-prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

adom:
    default: root
    description:
    - The ADOM the configuration should belong to.
    required: false

mode:
    choices:
    - add
    - set
    - delete
    - update
    default: add
    description:
    - Sets the mode used to manage the object.
    - Allows use of soft-adds instead of overwriting existing values.
    required: false

name:
    description:
    - Profile name.
    required: false

sccp:
    description:
    - EXPERTS ONLY! KNOWLEDGE OF FMGR JSON API IS REQUIRED!
    - List of multiple child objects to be added. Expects a list of dictionaries.
    - Dictionaries must use FortiManager API parameters, not the ansible ones listed below.
    - If submitted, all other sccp_-prefixed sub-parameters ARE IGNORED.
    - This object is MUTUALLY EXCLUSIVE with its options.
    - We expect that you know what you are doing with these list parameters, and are leveraging
      the JSON API Guide.
    - WHEN IN DOUBT, USE THE SUB OPTIONS BELOW INSTEAD TO CREATE OBJECTS WITH MULTIPLE
      TASKS
    required: false

comment:
    description:
    - Comment.
    required: false

sip_rtp:
    choices:
    - disable
    - enable
    description:
    - Enable/disable creating pinholes for RTP traffic to traverse the firewall.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_status:
    choices:
    - disable
    - enable
    description:
    - Enable/disable SIP.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sccp_status:
    choices:
    - disable
    - enable
    description:
    - Enable/disable SCCP.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_ips_rtp:
    choices:
    - disable
    - enable
    description:
    - Enable/disable allowing IPS on RTP.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_ssl_pfs:
    choices:
    - require
    - deny
    - allow
    description:
    - SSL Perfect Forward Secrecy.
    - choice | require | PFS mandatory.
    - choice | deny | PFS rejected.
    - choice | allow | PFS allowed.
    required: false

sip_ack_rate:
    description:
    - ACK request rate limit (per second, per policy).
    required: false

sip_bye_rate:
    description:
    - BYE request rate limit (per second, per policy).
    required: false

sip_ssl_mode:
    choices:
    - 'off'
    - full
    description:
    - SSL/TLS mode for encryption & decryption of traffic.
    - choice | off | No SSL.
    - choice | full | Client to FortiGate and FortiGate to Server SSL.
    required: false

sip_block_ack:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block ACK requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_bye:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block BYE requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_info_rate:
    description:
    - INFO request rate limit (per second, per policy).
    required: false

sip_nat_trace:
    choices:
    - disable
    - enable
    description:
    - Enable/disable preservation of original IP in SDP i line.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sccp_max_calls:
    description:
    - Maximum calls per minute per SCCP client (max 65535).
    required: false

sip_block_info:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block INFO requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_prack_rate:
    description:
    - PRACK request rate limit (per second, per policy).
    required: false

sip_refer_rate:
    description:
    - REFER request rate limit (per second, per policy).
    required: false

sip_block_prack:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block PRACK requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_refer:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block REFER requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_cancel_rate:
    description:
    - CANCEL request rate limit (per second, per policy).
    required: false

sip_invite_rate:
    description:
    - INVITE request rate limit (per second, per policy).
    required: false

sip_max_dialogs:
    description:
    - Maximum number of concurrent calls/dialogs (per policy).
    required: false

sip_notify_rate:
    description:
    - NOTIFY request rate limit (per second, per policy).
    required: false

sip_update_rate:
    description:
    - UPDATE request rate limit (per second, per policy).
    required: false

sccp_block_mcast:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block multicast RTP connections.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_cancel:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block CANCEL requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_invite:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block INVITE requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_notify:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block NOTIFY requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_update:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block UPDATE requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_message_rate:
    description:
    - MESSAGE request rate limit (per second, per policy).
    required: false

sip_no_sdp_fixup:
    choices:
    - disable
    - enable
    description:
    - Enable/disable the no-SDP-fix-up option (when enabled, SDP is not fixed up).
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_options_rate:
    description:
    - OPTIONS request rate limit (per second, per policy).
    required: false

sip_publish_rate:
    description:
    - PUBLISH request rate limit (per second, per policy).
    required: false

sip_block_message:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block MESSAGE requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_options:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block OPTIONS requests, including OPTIONS requests used as notifying
      messages for redundancy.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_publish:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block PUBLISH requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_unknown:
    choices:
    - disable
    - enable
    description:
    - Block unrecognized SIP requests (enabled by default).
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_contact_fixup:
    choices:
    - disable
    - enable
    description:
    - Fixup contact anyway even if contact's IP/port doesn't match session's IP/port.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_register_rate:
    description:
    - REGISTER request rate limit (per second, per policy).
    required: false

sip_ssl_algorithm:
    choices:
    - high
    - medium
    - low
    description:
    - Relative strength of encryption algorithms accepted in negotiation.
    - choice | high | High encryption. Allow only AES and ChaCha.
    - choice | medium | Medium encryption. Allow AES, ChaCha, 3DES, and RC4.
    - choice | low | Low encryption. Allow AES, ChaCha, 3DES, RC4, and DES.
    required: false

sccp_verify_header:
    choices:
    - disable
    - enable
    description:
    - Enable/disable verifying SCCP header content.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_register:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block REGISTER requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_call_keepalive:
    description:
    - Continue tracking calls with no RTP for this many minutes.
    required: false

sip_log_violations:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging of SIP violations.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_rfc2543_branch:
    choices:
    - disable
    - enable
    description:
    - Enable/disable support for a Via branch compliant with RFC 2543.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_subscribe_rate:
    description:
    - SUBSCRIBE request rate limit (per second, per policy).
    required: false

sip_unknown_header:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for unknown SIP header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sccp_log_violations:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging of SCCP violations.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_subscribe:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block SUBSCRIBE requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_max_body_length:
    description:
    - Maximum SIP message body length (0 meaning no limit).
    required: false

sip_max_line_length:
    description:
    - Maximum SIP header line length (78-4096).
    required: false

sip_ssl_auth_client:
    description:
    - Require a client certificate and authenticate it with the peer/peergrp.
    required: false

sip_ssl_auth_server:
    description:
    - Authenticate the server's certificate with the peer/peergrp.
    required: false

sip_ssl_max_version:
    choices:
    - ssl-3.0
    - tls-1.0
    - tls-1.1
    - tls-1.2
    description:
    - Highest SSL/TLS version to negotiate.
    - choice | ssl-3.0 | SSL 3.0.
    - choice | tls-1.0 | TLS 1.0.
    - choice | tls-1.1 | TLS 1.1.
    - choice | tls-1.2 | TLS 1.2.
    required: false

sip_ssl_min_version:
    choices:
    - ssl-3.0
    - tls-1.0
    - tls-1.1
    - tls-1.2
    description:
    - Lowest SSL/TLS version to negotiate.
    - choice | ssl-3.0 | SSL 3.0.
    - choice | tls-1.0 | TLS 1.0.
    - choice | tls-1.1 | TLS 1.1.
    - choice | tls-1.2 | TLS 1.2.
    required: false

sip_strict_register:
    choices:
    - disable
    - enable
    description:
    - Enable/disable allowing only the registrar to connect.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_block_long_lines:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block requests with headers exceeding max-line-length.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_log_call_summary:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging of SIP call summary.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_max_idle_dialogs:
    description:
    - Maximum number of established but idle dialogs to retain (per policy).
    required: false

sip_open_via_pinhole:
    choices:
    - disable
    - enable
    description:
    - Enable/disable open pinhole for Via port.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sccp_log_call_summary:
    choices:
    - disable
    - enable
    description:
    - Enable/disable logging a summary of SCCP calls.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_preserve_override:
    choices:
    - disable
    - enable
    description:
    - Override i line to preserve original IPs (default: append).
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_malformed_header_to:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed To header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_hosted_nat_traversal:
    choices:
    - disable
    - enable
    description:
    - Hosted NAT Traversal (HNT).
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_malformed_header_via:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed VIA header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_open_contact_pinhole:
    choices:
    - disable
    - enable
    description:
    - Enable/disable open pinhole for non-REGISTER Contact port.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_ssl_send_empty_frags:
    choices:
    - disable
    - enable
    description:
    - Send empty fragments to mitigate attacks on the CBC IV (SSL 3.0 & TLS 1.0 only).
    - choice | disable | Do not send empty fragments.
    - choice | enable | Send empty fragments.
    required: false

sip_block_geo_red_options:
    choices:
    - disable
    - enable
    description:
    - Enable/disable block OPTIONS requests, but OPTIONS requests still notify for redundancy.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_malformed_header_cseq:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed CSeq header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_from:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed From header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_rack:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed RAck header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_rseq:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed RSeq header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_open_register_pinhole:
    choices:
    - disable
    - enable
    description:
    - Enable/disable open pinhole for REGISTER Contact port.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_hnt_restrict_source_ip:
    choices:
    - disable
    - enable
    description:
    - Enable/disable restricting the RTP source IP to be the same as the SIP source IP when
      HNT is enabled.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_malformed_header_allow:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Allow header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_route:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Route header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_a:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP a line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_b:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP b line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_c:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP c line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_i:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP i line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_k:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP k line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_m:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP m line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_o:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP o line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_r:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP r line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_s:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP s line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_t:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP t line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_v:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP v line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_sdp_z:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed SDP z line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_request_line:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed request line.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_register_contact_trace:
    choices:
    - disable
    - enable
    description:
    - Enable/disable tracing the original IP/port within the Contact header of REGISTER requests.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_ssl_client_certificate:
    description:
    - Name of the certificate to offer to the server if requested.
    required: false

sip_ssl_server_certificate:
    description:
    - Name of the certificate returned to the client in every SSL connection.
    required: false

sip_malformed_header_call_id:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Call-ID header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_contact:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Contact header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_expires:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Expires header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_ssl_client_renegotiation:
    choices:
    - allow
    - deny
    - secure
    description:
    - Allow/block client renegotiation by server.
    - choice | allow | Allow an SSL client to renegotiate.
    - choice | deny | Abort any SSL connection that attempts to renegotiate.
    - choice | secure | Reject any SSL connection that does not offer a RFC 5746 Secure
      Renegotiation Indication.
    required: false

sip_open_record_route_pinhole:
    choices:
    - disable
    - enable
    description:
    - Enable/disable open pinhole for Record-Route port.
    - choice | disable | Disable status.
    - choice | enable | Enable status.
    required: false

sip_malformed_header_content_type:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Content-Type header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_max_forwards:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Max-Forwards header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_record_route:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Record-Route header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_provisional_invite_expiry_time:
    description:
    - Expiry time for provisional INVITE (10 - 3600 sec).
    required: false

sip_malformed_header_content_length:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed Content-Length header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

sip_malformed_header_p_asserted_identity:
    choices:
    - pass
    - discard
    - respond
    description:
    - Action for malformed P-Asserted-Identity header.
    - choice | pass | Bypass malformed messages.
    - choice | discard | Discard malformed messages.
    - choice | respond | Respond with error code.
    required: false

Outputs

api_result:
  description: Full API response, including the status code and message.
  returned: always
  type: str