Fortinet Document Library

Version:


Table of Contents

CLI Reference

6.0.6
Download PDF
Copy Link

firewall {multicast-policy | multicast-policy6}

Use this command to configure a source NAT IP. This command can also be used in Transparent mode to enable multicast forwarding by adding a multicast policy.

The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP address. For additional options related to multicast, see multicast-forward {enable | disable} in system settings and tp-mc-skip-policy {enable | disable} in system global.

config firewall multicast-policy
    edit {id}
    # Configure multicast NAT policies.
        set id {integer}   Policy ID. range[0-4294967294]
        set status {enable | disable}   Enable/disable this policy.
        set logtraffic {enable | disable}   Enable/disable logging traffic accepted by this policy.
        set srcintf {string}   Source interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        set dstintf {string}   Destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Source address objects. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Destination address objects. size[64] - datasource(s): firewall.multicast-address.name
            next
        set snat {enable | disable}   Enable/disable substitution of the outgoing interface IP address for the original source IP address (called source NAT or SNAT).
        set snat-ip {ipv4 address}   IPv4 address to be used as the source address for NATed traffic.
        set dnat {ipv4 address any}   IPv4 DNAT address used for multicast destination addresses.
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept traffic matching the policy.
                deny    Deny or block traffic matching the policy.
        set protocol {integer}   Integer value for the protocol type as defined by IANA (0 - 255, default = 0). range[0-255]
        set start-port {integer}   Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set end-port {integer}    Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set auto-asic-offload {enable | disable}   Enable/disable offloading policy traffic for hardware acceleration.
    next
end
config firewall multicast-policy6
    edit {id}
    # Configure IPv6 multicast NAT policies.
        set id {integer}   Policy ID. range[0-4294967294]
        set status {enable | disable}   Enable/disable this policy.
        set logtraffic {enable | disable}   Enable/disable logging traffic accepted by this policy.
        set srcintf {string}   IPv6 source interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        set dstintf {string}   IPv6 destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # IPv6 source address name.
                set name {string}   Address name. size[79] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # IPv6 destination address name.
                set name {string}   Address name. size[79] - datasource(s): firewall.multicast-address6.name
            next
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept.
                deny    Deny.
        set protocol {integer}   Integer value for the protocol type as defined by IANA (0 - 255, default = 0). range[0-255]
        set start-port {integer}   Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set end-port {integer}   Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 65535). range[0-65535]
        set auto-asic-offload {enable | disable}   Enable/disable offloading policy traffic for hardware acceleration.
    next
end

Additional information

The following section is for those options that require additional explanation.

firewall {multicast-policy | multicast-policy6}

Use this command to configure a source NAT IP. This command can also be used in Transparent mode to enable multicast forwarding by adding a multicast policy.

The matched forwarded (outgoing) IP multicast source IP address is translated to the configured IP address. For additional options related to multicast, see multicast-forward {enable | disable} in system settings and tp-mc-skip-policy {enable | disable} in system global.

config firewall multicast-policy
    edit {id}
    # Configure multicast NAT policies.
        set id {integer}   Policy ID. range[0-4294967294]
        set status {enable | disable}   Enable/disable this policy.
        set logtraffic {enable | disable}   Enable/disable logging traffic accepted by this policy.
        set srcintf {string}   Source interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        set dstintf {string}   Destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # Source address objects.
                set name {string}   Source address objects. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address objects.
                set name {string}   Destination address objects. size[64] - datasource(s): firewall.multicast-address.name
            next
        set snat {enable | disable}   Enable/disable substitution of the outgoing interface IP address for the original source IP address (called source NAT or SNAT).
        set snat-ip {ipv4 address}   IPv4 address to be used as the source address for NATed traffic.
        set dnat {ipv4 address any}   IPv4 DNAT address used for multicast destination addresses.
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept traffic matching the policy.
                deny    Deny or block traffic matching the policy.
        set protocol {integer}   Integer value for the protocol type as defined by IANA (0 - 255, default = 0). range[0-255]
        set start-port {integer}   Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set end-port {integer}    Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set auto-asic-offload {enable | disable}   Enable/disable offloading policy traffic for hardware acceleration.
    next
end
config firewall multicast-policy6
    edit {id}
    # Configure IPv6 multicast NAT policies.
        set id {integer}   Policy ID. range[0-4294967294]
        set status {enable | disable}   Enable/disable this policy.
        set logtraffic {enable | disable}   Enable/disable logging traffic accepted by this policy.
        set srcintf {string}   IPv6 source interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        set dstintf {string}   IPv6 destination interface name. size[35] - datasource(s): system.interface.name,system.zone.name
        config srcaddr
            edit {name}
            # IPv6 source address name.
                set name {string}   Address name. size[79] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # IPv6 destination address name.
                set name {string}   Address name. size[79] - datasource(s): firewall.multicast-address6.name
            next
        set action {accept | deny}   Accept or deny traffic matching the policy.
                accept  Accept.
                deny    Deny.
        set protocol {integer}   Integer value for the protocol type as defined by IANA (0 - 255, default = 0). range[0-255]
        set start-port {integer}   Integer value for starting TCP/UDP/SCTP destination port in range (1 - 65535, default = 1). range[0-65535]
        set end-port {integer}   Integer value for ending TCP/UDP/SCTP destination port in range (1 - 65535, default = 65535). range[0-65535]
        set auto-asic-offload {enable | disable}   Enable/disable offloading policy traffic for hardware acceleration.
    next
end

Additional information

The following section is for those options that require additional explanation.