Fortinet black logo

Handbook

Opening and closing SIP register, contact, via and record-route pinholes

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:43157
Download PDF

Opening and closing SIP register, contact, via and record-route pinholes

You can use the open-register-pinhole, open-contact-pinhole, open-via-port, and open-record-route-pinhole VoIP profile CLI options to control whether the FortiGate opens various pinholes.

If open‑register‑pinhole is enabled (the default setting) the FortiGate opens pinholes for SIP Register request messages. You can disable open-register-pinhole so that the FortiGate does not open pinholes for SIP Register request messages.

If open-contact-pinhole is enabled (the default setting) the FortiGate opens pinholes for non-Register SIP request messages. You can disable open-contact-pinhole so that the FortiGate does not open pinholes for non-register requests. Non-register pinholes are usually opened for SIP INVITE requests.

If open-via-pinhole is disabled (the default setting) the FortiGate does not open pinholes for Via messages. You can enable open-via-pinhole so that the FortiGate opens pinholes for Via messages.

If open-record-route-pinhole is enabled (the default setting) the FortiGate opens pinholes for Record-Route messages. You can disable open-record-route-pinhole so that the FortiGate does not open pinholes for Record-Route messages.

Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request.

You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or non-register request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users, and requires refreshing which can take a relatively long amount of time if there are thousands of active calls.

To configure a VoIP profile to prevent opening register and non-register pinholes:

config voip profile

edit VoIP_Pro_1

config sip

set open-register-pinhole disable

set open-contact-pinhole disable

end

end

In some cases you may not want to open pinholes for the port numbers specified in SIP Contact headers. For example, in an interconnect scenario when a FortiGate is installed between two SIP servers and the only SIP traffic through the FortiGate is between these SIP servers pinholes may not need to be opened for the port numbers specified in the Contact header lines.

If you disable open-register-pinhole then pinholes are not opened for ports in Contact header lines in SIP Register messages. If you disable open-contact-pinhole then pinholes are not opened for ports in Contact header lines in all SIP messages except SIP Register messages.

Opening and closing SIP register, contact, via and record-route pinholes

You can use the open-register-pinhole, open-contact-pinhole, open-via-port, and open-record-route-pinhole VoIP profile CLI options to control whether the FortiGate opens various pinholes.

If open‑register‑pinhole is enabled (the default setting) the FortiGate opens pinholes for SIP Register request messages. You can disable open-register-pinhole so that the FortiGate does not open pinholes for SIP Register request messages.

If open-contact-pinhole is enabled (the default setting) the FortiGate opens pinholes for non-Register SIP request messages. You can disable open-contact-pinhole so that the FortiGate does not open pinholes for non-register requests. Non-register pinholes are usually opened for SIP INVITE requests.

If open-via-pinhole is disabled (the default setting) the FortiGate does not open pinholes for Via messages. You can enable open-via-pinhole so that the FortiGate opens pinholes for Via messages.

If open-record-route-pinhole is enabled (the default setting) the FortiGate opens pinholes for Record-Route messages. You can disable open-record-route-pinhole so that the FortiGate does not open pinholes for Record-Route messages.

Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request.

You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or non-register request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users, and requires refreshing which can take a relatively long amount of time if there are thousands of active calls.

To configure a VoIP profile to prevent opening register and non-register pinholes:

config voip profile

edit VoIP_Pro_1

config sip

set open-register-pinhole disable

set open-contact-pinhole disable

end

end

In some cases you may not want to open pinholes for the port numbers specified in SIP Contact headers. For example, in an interconnect scenario when a FortiGate is installed between two SIP servers and the only SIP traffic through the FortiGate is between these SIP servers pinholes may not need to be opened for the port numbers specified in the Contact header lines.

If you disable open-register-pinhole then pinholes are not opened for ports in Contact header lines in SIP Register messages. If you disable open-contact-pinhole then pinholes are not opened for ports in Contact header lines in all SIP messages except SIP Register messages.