Adding multicast security policies

6.0.0

You need to add security policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. You add multicast security policies from the CLI using the config firewall multicast-policy command. As with unicast security policies, you specify the source and destination interfaces and, optionally, the allowed address ranges for the source and destination addresses of the packets.

You can also use multicast security policies to configure source NAT and destination NAT for multicast packets.

Keep the following in mind when configuring multicast security policies:

  • The source IP address of matched, forwarded (outgoing) IP multicast packets is changed to the configured IP address.
  • Source and destination interfaces are optional. If left blank, the multicast traffic is forwarded to ALL interfaces.
  • Source and destination addresses are optional. If left unset, the policy applies to ALL addresses.
  • The nat keyword is optional. Use it when source address translation is needed.
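
Because an unset interface or address widens a policy to ALL, it is worth checking a configuration backup for multicast policies that leave these fields out. The following is an added example, not Fortinet code: the sample configuration, its interface and address names, and the function names are constructed for illustration, and the parser assumes the usual edit/set/next/end layout of a FortiOS configuration file.

```python
import shlex

# Constructed sample configuration; interface and address names are hypothetical.
SAMPLE_CONFIG = '''
config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "mcast-src-net"
        set dstaddr "mcast-group-video"
    next
    edit 2
        set srcintf "port3"
        set dstaddr "mcast-group-video"
    next
    edit 3
    next
end
'''

SCOPE_FIELDS = ("srcintf", "dstintf", "srcaddr", "dstaddr")

def parse_multicast_policies(text):
    """Return {policy_id: {field: [values]}} for the multicast-policy table."""
    policies, current, in_table = {}, None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw) or [""]  # blank lines become one empty token
        if tokens[:3] == ["config", "firewall", "multicast-policy"]:
            in_table = True
        elif not in_table:
            continue  # ignore every other section of the backup
        elif tokens[0] == "edit" and len(tokens) > 1:
            current = policies.setdefault(tokens[1], {})
        elif tokens[0] == "set" and current is not None and len(tokens) > 1:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next":
            current = None
        elif tokens[0] == "end" and current is None:
            in_table = False
    return policies

def unscoped_fields(policies):
    """Map each policy id to the scope fields it leaves unset (meaning ALL)."""
    report = {pid: [f for f in SCOPE_FIELDS if not any(fields.get(f, []))]
              for pid, fields in policies.items()}
    return {pid: missing for pid, missing in report.items() if missing}

if __name__ == "__main__":
    print(unscoped_fields(parse_multicast_policies(SAMPLE_CONFIG)))
```

Policies reported by unscoped_fields forward or match more broadly than a fully specified policy and are the ones to review first.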
