Fortinet white logo
Fortinet white logo

Cookbook

Multicast processing and basic Multicast policy

Multicast processing and basic Multicast policy

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.

If multicast-forward is disabled, then FortiGate unit drops packets that have multicast source or destination addresses.

In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only available in NAT mode.

config system settings
    set multicast-forward <disable|enable(default)>
end

You can also use the multicast-ttl-notchange option so that FortiGate doesn't increase the TTL value for forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

Multicast processing in transparent mode

When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.

In transparent mode, there is a per-VDOM configuration to skip policy check and forward all multicast traffic. This command is only available in transparent mode, and is disabled by default.

config system settings
    set multicast-skip-policy {disable | enable}
end

Sample configuration

To allow RIP2 packets from port1 to port2 using the GUI:
  1. Go to Policy & Object > Multicast Policy.
  2. Click Create New.
  3. For Incoming Interface, select port1.
  4. For Outgoing Interface, select port2.
  5. For Source Address, select 10.10.0.10/32.
  6. For Destination Address, select RIPv2.
  7. Click OK.
To allow RIP2 packets from port1 to port2 using the CLI:
config firewall address
    edit "10.10.0.10/32"            
        set subnet 10.10.0.10 255.255.255.255
    next
end
config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end
config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end

Multicast processing and basic Multicast policy

Multicast processing and basic Multicast policy

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.

If multicast-forward is disabled, then FortiGate unit drops packets that have multicast source or destination addresses.

In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only available in NAT mode.

config system settings
    set multicast-forward <disable|enable(default)>
end

You can also use the multicast-ttl-notchange option so that FortiGate doesn't increase the TTL value for forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

Multicast processing in transparent mode

When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.

In transparent mode, there is a per-VDOM configuration to skip policy check and forward all multicast traffic. This command is only available in transparent mode, and is disabled by default.

config system settings
    set multicast-skip-policy {disable | enable}
end

Sample configuration

To allow RIP2 packets from port1 to port2 using the GUI:
  1. Go to Policy & Object > Multicast Policy.
  2. Click Create New.
  3. For Incoming Interface, select port1.
  4. For Outgoing Interface, select port2.
  5. For Source Address, select 10.10.0.10/32.
  6. For Destination Address, select RIPv2.
  7. Click OK.
To allow RIP2 packets from port1 to port2 using the CLI:
config firewall address
    edit "10.10.0.10/32"            
        set subnet 10.10.0.10 255.255.255.255
    next
end
config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end
config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end