Multicast processing
In transparent mode, a FortiGate does not forward frames with multicast destination MAC addresses by default. If multicast traffic is required, multicast policies are recommended to allow finer control of this traffic.
Forwarding all multicast traffic with policy
Multicast traffic may have to be forwarded through a transparent mode device using the multicast-skip-policy system setting. The configuration is:
config system settings
    set multicast-skip-policy enable
end
In that case, no check is performed on sources/destinations/interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain.
Configuring firewall multicast-policy
Using firewall multicast-policy allows finer control over multicast packets. Some commented examples follow. Note that the multicast-skip-policy parameter mentioned above must be left disabled.
These policies can only be configured from the CLI.
1. Simple policy
config firewall multicast-policy
    edit 1
        set action accept
    next
end
In that case, no check is performed on sources/destinations/interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain.
2. To restrict incoming and outgoing interfaces:
config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
end
3. To be more restrictive (example to allow RIP2 packets from port1 to port2 and sourced by 10.10.0.10):
config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set srcaddr 10.10.0.10 255.255.255.255
        set dstintf "port2"
        set dstaddr 224.0.0.9 255.255.255.255
        set action accept
    next
end
4. This policy allows the whole 224.0.0.0 to 224.0.0.255 range (OSPF, RIPv2, DVMRP…) from port1 to port2:
config firewall multicast-policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set dstaddr 224.0.0.0 255.255.255.0
        set action accept
    next
end
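To review an exported configuration for the flooding cases described above, the following added example (not Fortinet code) reports an enabled multicast-skip-policy and, for each accept policy, which of srcintf, dstintf, srcaddr and dstaddr are unset. The function name and the sample configuration are constructed for illustration, and unset fields are assumed to mean "no check", as in the simple policy above.

```python
import shlex
# Constructed sample in the syntax used on this page (not from a real device).
SAMPLE = '''
config system settings
    set multicast-skip-policy enable
end
config firewall multicast-policy
    edit 1
        set action accept
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set action accept
    next
    edit 3
        set srcintf "port1"
        set srcaddr 10.10.0.10 255.255.255.255
        set dstintf "port2"
        set dstaddr 224.0.0.9 255.255.255.255
        set action accept
    next
end
'''

def audit_multicast(config_text):
    """Return findings for multicast settings that forward without checks."""
    findings, section, policy_id, fields = [], None, None, {}
    for raw in config_text.splitlines():
        tok = shlex.split(raw) or [""]  # blank lines match no keyword below
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "end":
            section = None
        elif tok[0] == "edit" and section == "firewall multicast-policy":
            policy_id, fields = tok[1], {}  # start collecting a new policy
        elif tok[0] == "set" and len(tok) >= 3:
            if section == "system settings" and tok[1:3] == ["multicast-skip-policy", "enable"]:
                findings.append("settings: multicast-skip-policy enabled, policies bypassed")
            elif policy_id is not None:
                fields[tok[1]] = tok[2:]
        elif tok[0] == "next" and policy_id is not None:
            if fields.get("action") == ["accept"]:
                # Assumption: an unset field means that check is not performed.
                missing = [k for k in ("srcintf", "dstintf", "srcaddr", "dstaddr") if k not in fields]
                if missing:
                    findings.append(f"policy {policy_id}: accept without {', '.join(missing)}")
            policy_id = None
    return findings
```
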