Opening and closing SIP register, contact, via and record-route pinholes
You can use the open-register-pinhole, open-contact-pinhole, open-via-pinhole, and open-record-route-pinhole VoIP profile CLI options to control whether the FortiGate opens various pinholes.
If open-register-pinhole is enabled (the default setting), the FortiGate opens pinholes for SIP Register request messages. You can disable open-register-pinhole so that the FortiGate does not open pinholes for SIP Register request messages.
If open-contact-pinhole is enabled (the default setting), the FortiGate opens pinholes for non-Register SIP request messages. You can disable open-contact-pinhole so that the FortiGate does not open pinholes for non-Register requests. Non-Register pinholes are usually opened for SIP INVITE requests.
If open-via-pinhole is disabled (the default setting), the FortiGate does not open pinholes for Via messages. You can enable open-via-pinhole so that the FortiGate opens pinholes for Via messages.
If open-record-route-pinhole is enabled (the default setting), the FortiGate opens pinholes for Record-Route messages. You can disable open-record-route-pinhole so that the FortiGate does not open pinholes for Record-Route messages.
Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request.
You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or non-register request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users. Each pinhole also requires refreshing, which can take a relatively long amount of time if there are thousands of active calls.
To configure a VoIP profile to prevent opening register and non-register pinholes:
config voip profile
    edit <profile_name>
        config sip
            set open-register-pinhole disable
            set open-contact-pinhole disable
        end
end
In some cases you may not want to open pinholes for the port numbers specified in SIP Contact headers. For example, in an interconnect scenario where a FortiGate is installed between two SIP servers and the only SIP traffic through the FortiGate is between these SIP servers, pinholes may not need to be opened for the port numbers specified in the Contact header lines.
If you disable open-register-pinhole then pinholes are not opened for ports in Contact header lines in SIP Register messages. If you disable open-contact-pinhole then pinholes are not opened for ports in Contact header lines in all SIP messages except SIP Register messages.
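The following audit script is an added example, not Fortinet code: it reads a saved FortiGate configuration and reports each VoIP profile's effective pinhole settings, filling in the defaults described above when an option is not set. The sample configuration and the profile names are constructed, and the nesting of these options under config sip inside each profile is an assumption about the layout of the saved file.

```python
import re

# Defaults as stated on this page.
DEFAULTS = {
    "open-register-pinhole": "enable", "open-contact-pinhole": "enable",
    "open-via-pinhole": "disable", "open-record-route-pinhole": "enable",
}

# Constructed sample excerpt of a saved configuration; profile names are hypothetical.
SAMPLE_CONFIG = '''
config voip profile
    edit "interconnect"
        config sip
            set open-register-pinhole disable
            set open-contact-pinhole disable
        end
    next
    edit "access"
        config sip
            set open-via-pinhole enable
        end
    next
end
'''

def effective_pinholes(config_text):
    """Return {profile: {option: value}} with the page's defaults filled in."""
    profiles, stack, current = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])      # enter a config section
        elif line == "end" and stack:
            stack.pop()                              # leave the current section
        elif line.startswith("edit ") and stack == ["voip profile"]:
            current = line[5:].strip('"')
            profiles[current] = dict(DEFAULTS)       # unset options keep defaults
        elif stack == ["voip profile", "sip"] and current:
            m = re.fullmatch(r"set (\S+) (enable|disable)", line)
            if m and m.group(1) in DEFAULTS:
                profiles[current][m.group(1)] = m.group(2)
    return profiles

def non_default(profiles):
    """List (profile, option, value) where a profile deviates from the defaults."""
    return [(p, o, v) for p, opts in profiles.items()
            for o, v in opts.items() if v != DEFAULTS[o]]

if __name__ == "__main__":
    print(non_default(effective_pinholes(SAMPLE_CONFIG)))
```

Profiles reported with open-via-pinhole enabled open more pinholes than the default, and profiles with register or contact pinholes disabled should correspond to the interconnect or regular-registration scenarios described above.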