Handbook

Enabling multicast forwarding

6.0.0
Multicast forwarding is enabled by default. In NAT mode you use the multicast-forward keyword of the system settings CLI command to enable or disable it. When multicast-forward is enabled, a FortiGate forwards any multicast IP packet whose TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface, and decrements the TTL in the IP header by 1. Even though multicast packets are forwarded to all interfaces, you must still add security policies to actually allow them through the FortiGate. In the NAT-mode example on this page, the security policy allows multicast packets received on the internal interface to exit through the external interface.

Enabling multicast forwarding is only required if a FortiGate is operating in NAT mode. If a FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.

To enable multicast forwarding - CLI:

config system settings
    set multicast-forward enable
end

If multicast forwarding is disabled, the FortiGate drops packets that have multicast source or destination addresses.

You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate leaves the TTL value of forwarded multicast packets unchanged instead of decrementing it. Use this option only if packets are expiring before they reach the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

In transparent mode, a FortiGate doesn't forward frames with multicast destination addresses unless a multicast policy allows them. Multicast traffic, such as that used by routing protocols or streaming media, may need to traverse the FortiGate without the FortiGate interfering with the communication. To avoid problems during transmission, you can set up multicast security policies. These security policies can only be configured from the CLI.

When you use multicast security policies, you must disable the multicast-skip-policy CLI parameter. To disable it, enter the following commands:

config system settings
    set multicast-skip-policy disable
end

In this simple example, no check is performed on the source or destination interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces in the forwarding domain, except the incoming interface.

To enable the multicast policy - CLI:

config firewall multicast-policy
    edit 1
        set action accept
end

In this example, the multicast policy only applies to multicast packets that arrive on the WAN1 interface and leave through the Internal interface.

To enable the restrictive multicast policy - CLI:

config firewall multicast-policy
    edit 1
        set srcintf wan1
        set dstintf internal
        set action accept
end

In this example, packets are allowed to flow from WAN1 to Internal only when they are sourced from the address 172.20.120.129, which is represented by the address object "example_addr-1".

To enable the restrictive multicast policy - CLI:

config firewall multicast-policy
    edit 1
        set srcintf wan1
        set srcaddr example_addr-1
        set dstintf internal
        set action accept
end

This example shows how to configure the multicast security policy required for the configuration shown. This policy accepts multicast packets sent from a PC with IP address 192.168.5.18 to the destination address range 239.168.4.0/24. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.

config firewall multicast-policy
    edit 5
        set srcaddr 192.168.5.18 255.255.255.255
        set srcintf internal
        set dstaddr 239.168.4.0 255.255.255.0
        set dstintf external
        set nat 192.168.18.10
end

This example shows how to configure a multicast security policy so that the FortiGate forwards multicast packets from a multicast server with IP address 10.10.10.10 that is sending to the multicast group 225.1.1.1. The server is on the network connected to the FortiGate DMZ interface. The second entry has no interface or address restrictions, so it matches all remaining multicast traffic and denies it.

config firewall multicast-policy
    edit 1
        set srcintf DMZ
        set srcaddr 10.10.10.10 255.255.255.255
        set dstintf Internal
        set dstaddr 225.1.1.1 255.255.255.255
        set action accept
    next
    edit 2
        set action deny
end
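The following is an added, simplified model of the forwarding decisions described on this page (multicast-forward, the TTL rule, multicast-ttl-notchange, multicast-skip-policy, and first-match policy evaluation with the catch-all deny from the last example). It is not FortiOS code; the interface names and the policy list are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple
# Simplified model of the forwarding behaviour this page documents; it is
# not FortiOS code. Interface names and the policy list are constructed.
@dataclass
class MulticastPolicy:
    srcintf: Optional[str] = None       # None models "any" interface
    dstintf: Optional[str] = None
    srcaddr: str = "0.0.0.0/0"
    dstaddr: str = "224.0.0.0/4"        # any IPv4 multicast group
    action: str = "accept"

    def matches(self, srcintf: str, dstintf: str, src: str, dst: str) -> bool:
        return (self.srcintf in (None, srcintf)
                and self.dstintf in (None, dstintf)
                and ip_address(src) in ip_network(self.srcaddr, strict=False)
                and ip_address(dst) in ip_network(self.dstaddr, strict=False))

@dataclass
class Settings:                          # mirrors 'config system settings'
    multicast_forward: bool = True       # set multicast-forward enable
    multicast_skip_policy: bool = False  # set multicast-skip-policy disable
    multicast_ttl_notchange: bool = False
    interfaces: Tuple[str, ...] = ("internal", "external", "dmz", "wan1")
# Models the page's last example: accept 10.10.10.10 -> 225.1.1.1 from the
# DMZ to internal, followed by a catch-all deny entry.
DMZ_POLICIES = [
    MulticastPolicy("dmz", "internal", "10.10.10.10/32", "225.1.1.1/32"),
    MulticastPolicy(action="deny"),
]

def forward_multicast(s, policies, srcintf, src, dst, ttl):
    # Returns (egress interfaces, TTL written into the forwarded copies).
    if not s.multicast_forward or not ip_address(dst).is_multicast or ttl < 2:
        return [], ttl                   # dropped: disabled, not multicast, or TTL < 2
    out_ttl = ttl if s.multicast_ttl_notchange else ttl - 1
    egress = []
    for intf in s.interfaces:
        if intf == srcintf:
            continue                     # never sent back out the receiving interface
        if s.multicast_skip_policy:
            egress.append(intf)          # skip-policy enabled: flood unconditionally
            continue
        for pol in policies:             # first match wins; no match means deny
            if pol.matches(srcintf, intf, src, dst):
                if pol.action == "accept":
                    egress.append(intf)
                break
    return egress, out_ttl
```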

Displaying IPv6 multicast router information

You can use the following CLI command to display IPv6 multicast router information (equivalent to the IPv4 version of the command):

get router info6 multicast
