Opening and closing SIP register, contact, via and recordroute pinholes

Leave a reply

Opening and closing SIP register, contact, via and recordroute pinholes

You can use the open-register-pinhole, open-contact-pinhole, open-via-port, and openrecord-route-pinhole VoIP profile CLI options to control whether the FortiGate opens various pinholes.

If open-register-pinhole is enabled (the default setting) the FortiGate opens pinholes for SIP Register request messages. You can disable open-register-pinhole so that the FortiGate does not open pinholes for SIP Register request messages.

If open-contact-pinhole is enabled (the default setting) the FortiGate opens pinholes for non-Register SIP request messages. You can disable open-contact-pinhole so that the FortiGate does not open pinholes for non-register requests. Non-register pinholes are usually opened for SIP INVITE requests.

If open-via-pinhole is disabled (the default setting) the FortiGate does not open pinholes for Via messages. You can enable open-via-pinhole so that the FortiGate opens pinholes for Via messages.

If open-record-route-pinhole is enabled (the default setting) the FortiGate opens pinholes for RecordRoute messages. You can disable open-record-route-pinhole so that the FortiGate does not open pinholes for Record-Route messages.

Usually you would want to open these pinholes. Keeping them closed may prevent SIP from functioning properly through the FortiGate. They can be disabled, however, for interconnect scenarios (where all SIP traffic is between proxies and traveling over a single session). In some cases these settings can also be disabled in access scenarios if it is known that all users will be registering regularly so that their contact information can be learned from the register request.

You might want to prevent pinholes from being opened to avoid creating a pinhole for every register or nonregister request. Each pinhole uses additional system memory, which can affect system performance if there are hundreds or thousands of users, and requires refreshing which can take a relatively long amount of time if there are thousands of active calls.

To configure a VoIP profile to prevent opening register and non-register pinholes:

config voip profile edit VoIP_Pro_1 config sip set open-register-pinhole disable set open-contact-pinhole disable

end

end

In some cases you may not want to open pinholes for the port numbers specified in SIP Contact headers. For example, in an interconnect scenario when a FortiGate is installed between two SIP servers and the only SIP traffic through the FortiGate is between these SIP servers pinholes may not need to be opened for the port numbers specified in the Contact header lines.

If you disable open-register-pinhole then pinholes are not opened for ports in Contact header lines in SIP Register messages. If you disable open-contact-pinhole then pinholes are not opened for ports in Contact header lines in all SIP messages except SIP Register messages.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate, FortiOS 6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.