Multicast processing and basic Multicast policy
Firewall policies control which packets may pass from one interface to another, but they do not cover multicast traffic: multicast packets require multicast policies. As in a firewall policy, the administrator specifies the source interface, the destination interface, the allowed source address range and the destination multicast addresses of the traffic. Multicast policies can also apply source NAT and destination NAT to multicast packets.
Multicast forwarding in NAT mode
When multicast-forward is enabled, the FortiGate forwards any multicast IP packet whose TTL is 2 or higher out of every interface and VLAN interface except the one it arrived on, decrementing the TTL in the IP header by 1. Even though candidate packets are flooded to all interfaces, you must still add multicast policies to allow them through the FortiGate.
If multicast-forward is disabled, the FortiGate drops any packet with a multicast source or destination address.
In NAT mode, multicast forwarding is controlled by a per-VDOM setting that is enabled by default. The command is only available in NAT mode.
    config system settings
        set multicast-forward {disable | enable}
    end
You can also enable multicast-ttl-notchange so that the FortiGate does not decrement the TTL of forwarded multicast packets. Use this option only if packets are expiring before they reach the multicast router, because the TTL is what eventually stops a multicast packet that is being forwarded in a loop.
    config system settings
        set multicast-ttl-notchange enable
    end
Multicast processing in transparent mode
When multicast-skip-policy is enabled, no multicast policy check is performed: a multicast packet received on an interface is flooded unconditionally to every other interface in the same forwarding domain. Packets are forwarded even when no multicast policy exists or the matching multicast policy is set to deny. To forward multicast traffic according to multicast policy, multicast-skip-policy must be disabled.
In transparent mode, there is a per-VDOM setting to skip the policy check and forward all multicast traffic. The command is only available in transparent mode and is disabled by default.
    config system settings
        set multicast-skip-policy {disable | enable}
    end
Sample configuration
To allow RIPv2 packets from port1 to port2 using the GUI:
- Go to Policy & Objects > Multicast Policy.
- Click Create New.
- For Incoming Interface, select port1.
- For Outgoing Interface, select port2.
- For Source Address, select 10.10.0.10/32.
- For Destination Address, select RIPv2.
- Click OK.
To allow RIPv2 packets from port1 to port2 using the CLI:
    config firewall address
        edit "10.10.0.10/32"
            set subnet 10.10.0.10 255.255.255.255
        next
    end
    config firewall multicast-address
        edit "RIPv2"
            set start-ip 224.0.0.9
            set end-ip 224.0.0.9
        next
    end
    config firewall multicast-policy
        edit 2
            set srcintf "port1"
            set dstintf "port2"
            set srcaddr "10.10.0.10/32"
            set dstaddr "RIPv2"
        next
    end
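As an added example (not Fortinet code and not part of the original page): a small Python model that parses the sample CLI configuration above, with a "config system settings" block added, and applies the NAT-mode rules described earlier in this page to a single packet: multicast-forward on or off, the TTL-of-2-or-higher check and the decrement by 1, multicast-ttl-notchange, and a first-match lookup over the multicast policies. Assumptions that the page does not state and that are labelled in the code: the policy "action" defaults to accept, a packet that matches no policy is dropped, the built-in address name "all" matches any address, and the parser handles only the flat config/edit/set/next/end grammar shown in the sample.

```python
import ipaddress
import shlex

# Constructed from the page's sample CLI, plus a "config system settings"
# block so the forwarding switches can be modelled next to the policy.
SAMPLE_CONFIG = """\
config system settings
    set multicast-forward enable
end
config firewall address
    edit "10.10.0.10/32"
        set subnet 10.10.0.10 255.255.255.255
    next
end
config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end
config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end into {table: {entry: {key: [values]}}}.
    Settings in a table with no 'edit' (e.g. system settings) use entry None."""
    tables = {}
    stack = []  # one [table, current_entry] pair per open 'config' block
    for raw in text.splitlines():
        tok = shlex.split(raw)  # honours the double quotes FortiOS emits
        if not tok:
            continue
        if tok[0] == "config":
            table = " ".join(tok[1:])
            tables.setdefault(table, {})
            stack.append([table, None])
        elif tok[0] == "edit":
            stack[-1][1] = tok[1]
            tables[stack[-1][0]].setdefault(tok[1], {})
        elif tok[0] == "set":
            table, entry = stack[-1]
            tables[table].setdefault(entry, {})[tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack[-1][1] = None
        elif tok[0] == "end":
            stack.pop()
    return tables

def _src_matches(cfg, name, ip):
    if name == "all":  # assumption: built-in object, never present in the config text
        return True
    net, mask = cfg["firewall address"][name]["subnet"]
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)

def _dst_matches(cfg, name, ip):
    if name == "all":
        return True
    entry = cfg["firewall multicast-address"][name]
    lo, hi = ipaddress.ip_address(entry["start-ip"][0]), ipaddress.ip_address(entry["end-ip"][0])
    return lo <= ipaddress.ip_address(ip) <= hi

def forward_decision(cfg, srcintf, dstintf, src_ip, dst_ip, ttl):
    """NAT-mode decision for one multicast packet: (forwarded, outgoing_ttl, reason)."""
    settings = cfg.get("system settings", {}).get(None, {})
    if settings.get("multicast-forward", ["enable"])[0] == "disable":
        return False, None, "multicast-forward is disabled: packet dropped"
    if not ipaddress.ip_address(dst_ip).is_multicast:
        return False, None, "destination is not a multicast group"
    if ttl < 2:
        return False, None, "TTL below 2: packet not forwarded"
    keep_ttl = settings.get("multicast-ttl-notchange", ["disable"])[0] == "enable"
    out_ttl = ttl if keep_ttl else ttl - 1
    # First matching policy wins. Assumptions: 'action' defaults to accept,
    # and a packet that matches no policy is dropped.
    for pid, pol in cfg.get("firewall multicast-policy", {}).items():
        if pid is None or (pol.get("srcintf", [None])[0], pol.get("dstintf", [None])[0]) != (srcintf, dstintf):
            continue
        if not any(_src_matches(cfg, n, src_ip) for n in pol.get("srcaddr", ["all"])):
            continue
        if not any(_dst_matches(cfg, n, dst_ip) for n in pol.get("dstaddr", ["all"])):
            continue
        if pol.get("action", ["accept"])[0] == "deny":
            return False, None, f"denied by multicast-policy {pid}"
        return True, out_ttl, f"accepted by multicast-policy {pid}"
    return False, None, "no matching multicast-policy: packet dropped"

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    for ttl in (2, 1):
        print(ttl, forward_decision(cfg, "port1", "port2", "10.10.0.10", "224.0.0.9", ttl))
```

Running the model against the sample shows the two checks that usually surprise people: a RIPv2 packet from 10.10.0.10 arriving on port1 with TTL 2 leaves port2 with TTL 1, while the same packet with TTL 1 never reaches the policy check at all, and any source outside 10.10.0.10/32 or any group other than 224.0.0.9 is dropped for lack of a matching policy.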