Administration Guide

Enhanced multicast session key for virtual wire pair New

FortiOS now adds ingress interface and VLAN ID as additional session keys for multicast traffic in virtual wire pair (VWP) configurations with wildcard-vlan enabled. This enhancement enables the FortiGate to create distinct multicast sessions for traffic returning through the same VWP on different VLANs, improving accuracy and ensuring optimal session handling.

Example

In this example, a VWP with wildcard-vlan enabled is created, along with a firewall policy and a multicast policy. Multicast traffic passes through the FortiGate multiple times in different directions, and distinct multicast sessions are created for traffic returning through the same VWP on different VLANs.

To configure:
  1. Configure a virtual wire pair:

    The VWP contains members a and b, and wildcard-vlan is enabled.

    config system virtual-wire-pair
        edit "vwp"
            set member "a" "b"
            set wildcard-vlan enable
        next
    end
  2. Configure a firewall policy:

    The firewall policy specifies VWP members a and b as source and destination interfaces.

    config firewall policy
        edit 1
            set uuid dfb4861a-f6ff-51f0-888b-682470ce488d
            set srcintf "a" "b"
            set dstintf "b" "a"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set schedule "always"
            set service "ALL"
        next
    end
  3. Configure a multicast policy:

    config firewall multicast-policy
        edit 1
            set uuid 9d6c29a4-f720-51f0-f60b-07a30ec0aaac
            set srcintf "any"
            set dstintf "any"
            set srcaddr "all"
            set dstaddr "all"
            set logtraffic all
        next
    end
  4. After multicast traffic flows, view the different multicast sessions in traffic logs:

    1: date=2026-01-21 time=15:38:42 eventtime=1769038717948452847 tz="-0800" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="root" srcip=10.1.1.1 identifier=13 srcintf="b" srcintfrole="undefined" dstip=225.1.1.1 dstintf="a" dstintfrole="undefined" vlan=60 srccountry="Reserved" dstcountry="Reserved" sessionid=4089 proto=1 action="accept" policyid=1 policytype="multicast-policy" poluuid="9d6c29a4-f720-51f0-f60b-07a30ec0aaac" service="PING" trandisp="noop" appcat="unscanned" duration=181 sentbyte=168 rcvdbyte=0 sentpkt=2 rcvdpkt=0
    
    2: date=2026-01-21 time=15:38:42 eventtime=1769038717948449960 tz="-0800" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="root" srcip=10.1.1.1 identifier=13 srcintf="a" srcintfrole="undefined" dstip=225.1.1.1 dstintf="b" dstintfrole="undefined" vlan=50 srccountry="Reserved" dstcountry="Reserved" sessionid=4088 proto=1 action="accept" policyid=1 policytype="multicast-policy" poluuid="9d6c29a4-f720-51f0-f60b-07a30ec0aaac" service="PING" trandisp="noop" appcat="unscanned" duration=181 sentbyte=168 rcvdbyte=0 sentpkt=2 rcvdpkt=0
    
    3: date=2026-01-21 time=15:38:42 eventtime=1769038717940450742 tz="-0800" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="root" srcip=10.1.1.1 identifier=13 srcintf="a" srcintfrole="undefined" dstip=225.1.1.1 dstintf="b" dstintfrole="undefined" vlan=70 srccountry="Reserved" dstcountry="Reserved" sessionid=4090 proto=1 action="accept" policyid=1 policytype="multicast-policy" poluuid="9d6c29a4-f720-51f0-f60b-07a30ec0aaac" service="PING" trandisp="noop" appcat="unscanned" duration=181 sentbyte=168 rcvdbyte=0 sentpkt=2 rcvdpkt=0
  5. View the different multicast sessions using the diagnose sys mcast-session list command:

    # diagnose sys mcast-session list
    
    session info: id=4264 vf=0 vrf=0 proto=1 10.1.1.1.16->225.1.1.1.8
    used=2 path=1 duration=167 expire=13 indev=11 vlanid=50 pkts=2 bytes=168
    state=0000001a: tp npu-cap offloaded
    session-npu-info: ipid/vlifid=9/9 vlanid/vtag_in=50/50 in_npuid=1 tae_index=0 qid=1 fwd_map=0x00000000
    path: log offloaded policy=1, outdev=12, tos=0xff
    act-npu-info:  ipid/vlifid=9/9 vlanid/vtag_in=50/50 in_npu_id=1, out_npuid=1 epid=10 fwd=0
    
    session info: id=4265 vf=0 vrf=0 proto=1 10.1.1.1.16->225.1.1.1.8
    used=2 path=1 duration=167 expire=13 indev=12 vlanid=60 pkts=2 bytes=168
    state=0000001a: tp npu-cap offloaded
    session-npu-info: ipid/vlifid=10/10 vlanid/vtag_in=60/60 in_npuid=1 tae_index=0 qid=2 fwd_map=0x00000000
    path: log offloaded policy=1, outdev=11, tos=0xff
    act-npu-info:  ipid/vlifid=10/10 vlanid/vtag_in=60/60 in_npu_id=1, out_npuid=1 epid=9 fwd=0
    
    session info: id=4266 vf=0 vrf=0 proto=1 10.1.1.1.16->225.1.1.1.8
    used=2 path=1 duration=167 expire=13 indev=11 vlanid=70 pkts=2 bytes=168
    state=0000001a: tp npu-cap offloaded
    session-npu-info: ipid/vlifid=9/9 vlanid/vtag_in=70/70 in_npuid=1 tae_index=0 qid=7 fwd_map=0x00000000
    path: log offloaded policy=1, outdev=12, tos=0xff
    act-npu-info:  ipid/vlifid=9/9 vlanid/vtag_in=70/70 in_npu_id=1, out_npuid=1 epid=10 fwd=0
    Total 3 sessions
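To illustrate why the three log records above become three sessions rather than one, here is an added Python example (not FortiOS code and not part of the original page) that parses the step 4 log records and groups them first by a simplified pre-enhancement key and then by the key with ingress interface and VLAN ID added. The simplified base key (VDOM, protocol, source, group) is an assumption for illustration; the real FortiOS session key carries more fields, but only the fields that differ between these records matter here.

```python
import re
from collections import defaultdict

# Field parser for FortiGate key=value log lines (values may be double-quoted).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the three multicast traffic log records from step 4 above,
# trimmed to the fields this example needs (values copied from the page).
LOG_LINES = [
    'vd="root" srcip=10.1.1.1 srcintf="b" dstip=225.1.1.1 dstintf="a" vlan=60 sessionid=4089 proto=1',
    'vd="root" srcip=10.1.1.1 srcintf="a" dstip=225.1.1.1 dstintf="b" vlan=50 sessionid=4088 proto=1',
    'vd="root" srcip=10.1.1.1 srcintf="a" dstip=225.1.1.1 dstintf="b" vlan=70 sessionid=4090 proto=1',
]

def parse_log(line):
    """Return the log record as a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def base_key(rec):
    """Simplified pre-enhancement key (assumption): VDOM, protocol, source, group."""
    return (rec["vd"], rec["proto"], rec["srcip"], rec["dstip"])

def enhanced_key(rec):
    """Key with the additions this page describes: ingress interface and VLAN ID."""
    return base_key(rec) + (rec["srcintf"], int(rec["vlan"]))

def group_by_key(lines, keyfunc):
    """Map each session key to the set of sessionids that share it."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_log(line)
        groups[keyfunc(rec)].add(int(rec["sessionid"]))
    return dict(groups)

def find_collisions(lines):
    """Flows that share a base key but arrive on different (ingress, VLAN) pairs.
    A non-empty result is exactly the situation the enhanced key separates."""
    by_base = defaultdict(list)
    for line in lines:
        rec = parse_log(line)
        by_base[base_key(rec)].append((rec["srcintf"], int(rec["vlan"])))
    return {k: sorted(set(v)) for k, v in by_base.items() if len(set(v)) > 1}

if __name__ == "__main__":
    print("base key groups:    ", len(group_by_key(LOG_LINES, base_key)))      # 1
    print("enhanced key groups:", len(group_by_key(LOG_LINES, enhanced_key)))  # 3
    for key, variants in find_collisions(LOG_LINES).items():
        print("same flow", key, "seen on (ingress, vlan):", variants)
```

The same grouping can be applied to the indev and vlanid fields of the diagnose sys mcast-session list output in step 5, which report the ingress interface index and VLAN that form the added key.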