Skip to main content
deadwavevaef
deadwavevaef
Visitor III
May 4, 2026
Question

Inquiry Regarding the "h323-direct-model" Setting on FortiGate

  • May 4, 2026
  • 1 reply
  • 38 views

We are planning to replace our current FortiGate device, and we have found that the following configuration is enabled on the existing unit:

config system settings
      set h323-direct-model enable
end

We understand that this option is related to VoIP functionality. However, we would like to know how FortiGate's behavior changes when this setting is enabled.

Could you please advise on how we can verify or confirm the behavioral differences caused by enabling this configuration?

1 reply

sjoshi
Staff
sjoshi
Staff
May 5, 2026

Add option to configure H323/RAS direct model traffic.

config system settings
    set h323-direct-model {enable | disable}
end
The setting is disabled by default (the wide open pinhole will be closed); however when upgrading from an older version, the setting will be enabled to preserve the previous behavior.

Refer:
https://docs.fortinet.com/document/fortigate/7.0.4/fortios-release-notes/517622/changes-in-cli#:~:text=Add%20setting%20for%20IPv4%20reachable,when%20NAT46/NAT64%20is%20enabled:

A “wide open pinhole” refers to a dynamically created session on the FortiGate that allows a broader range of ports and traffic for H.323 communication after call setup. When h323-direct-model is enabled, these expectation sessions are less restrictive, which improves compatibility with VoIP environments, especially where NAT or complex signaling is involved.

Default behavior is disabled

Thanks, Salon
    Terms & ConditionsAccessibility statement