Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.0.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    IGMP-snooping querier and per-VLAN IGMP-snooping proxy configuration 7.0.2

    IGMP-snooping querier and per-VLAN IGMP-snooping proxy configuration 7.0.2

    Before FortiOS 7.0.2, you could use the CLI to enable IGMP proxy on a system-wide basis. Starting in FortiOS 7.0.2, you can use the CLI to enable IGMP proxy per FortiSwitch unit.

    Starting in FortiOS 7.0.2, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is present.

    Follow these steps to configure the IGMP-snooping proxy and IGMP-snooping querier:

    1. Enabling IGMP snooping and the IGMP-snooping proxy.
    2. Configuring the IGMP-snooping querier.

    Enabling IGMP snooping and the IGMP-snooping proxy

    By default, IGMP snooping is disabled. You need to enable IGMP snooping on the FortiGate device before you can enable the IGMP-snooping proxy.

    To enable IGMP snooping and the IGMP-snooping proxy:

    config system interface

    edit <VLAN_interface>

    set switch-controller-igmp-snooping enable

    set switch-controller-igmp-snooping-proxy enable

    next

    end

    For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:

    config system interface

    edit vlan100

    set switch-controller-igmp-snooping enable

    set switch-controller-igmp-snooping-proxy enable

    next

    end

    Configuring the IGMP-snooping querier

    If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.

    You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable command.

    By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300 seconds. This value can be in the range of 15-3,600 seconds.

    By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

    The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the IGMP-snooping on the VLAN.

    You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier version. The default IGMP querier version is 2.

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config igmp-snooping

    set local-override enable

    set aging-time <15-3600>

    set flood-unknown-multicast {enable | disable}

    config vlans

    edit <VLAN_interface>

    set proxy {disable | enable | global}

    set querier enable

    set querier-addr <IPv4_address>

    set version {2 | 3}

    next

    end

    end

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config igmp-snooping

    set local-override enable

    set aging-time 1000

    set flood-unknown-multicast enable

    config vlans

    edit vlan100

    set proxy disable

    set querier enable

    set querier-addr 1.2.3.4

    set version 3

    next

    end

    end

    end

    Previous
    Next

    IGMP-snooping querier and per-VLAN IGMP-snooping proxy configuration 7.0.2

    IGMP-snooping querier and per-VLAN IGMP-snooping proxy configuration 7.0.2

    Before FortiOS 7.0.2, you could use the CLI to enable IGMP proxy on a system-wide basis. Starting in FortiOS 7.0.2, you can use the CLI to enable IGMP proxy per FortiSwitch unit.

    Starting in FortiOS 7.0.2, you can configure the IGMP-snooping querier version 2 or 3. When the IGMP querier version 2 is configured, the managed FortiSwitch unit will send IGMP version-2 queries when no external querier is present. When the IGMP querier version 3 is configured, the managed FortiSwitch unit will send IGMP version-3 queries when no external querier is present.

    Follow these steps to configure the IGMP-snooping proxy and IGMP-snooping querier:

    1. Enabling IGMP snooping and the IGMP-snooping proxy.
    2. Configuring the IGMP-snooping querier.

    Enabling IGMP snooping and the IGMP-snooping proxy

    By default, IGMP snooping is disabled. You need to enable IGMP snooping on the FortiGate device before you can enable the IGMP-snooping proxy.

    To enable IGMP snooping and the IGMP-snooping proxy:

    config system interface

    edit <VLAN_interface>

    set switch-controller-igmp-snooping enable

    set switch-controller-igmp-snooping-proxy enable

    next

    end

    For example, you can enable IGMP snooping and the IGMP-snooping proxy on VLAN 100:

    config system interface

    edit vlan100

    set switch-controller-igmp-snooping enable

    set switch-controller-igmp-snooping-proxy enable

    next

    end

    Configuring the IGMP-snooping querier

    If you have IGMP snooping and the IGMP-snooping proxy enabled on a VLAN, you can then configure the IGMP-snooping querier on the same VLAN on a managed switch. By default, the IGMP-snooping querier is disabled.

    You must enable the overriding of the global IGMP-snooping configuration with the set local-override enable command.

    By default, the maximum time (aging-time) that multicast snooping entries without any packets are kept is for 300 seconds. This value can be in the range of 15-3,600 seconds.

    By default, flood-unknown-multicast is disabled, and unregistered multicast packets are forwarded only to mRouter ports. If you enable flood-unknown-multicast, unregistered multicast packets are forwarded to all ports in the VLAN.

    The IGMP-snooping proxy uses the global IGMP-snooping configuration by default. You can enable or disable the IGMP-snooping on the VLAN.

    You can optionally specify the IPv4 address that IGMP reports are sent to. You can also set the IGMP-snooping querier version. The default IGMP querier version is 2.

    config switch-controller managed-switch

    edit <FortiSwitch_serial_number>

    config igmp-snooping

    set local-override enable

    set aging-time <15-3600>

    set flood-unknown-multicast {enable | disable}

    config vlans

    edit <VLAN_interface>

    set proxy {disable | enable | global}

    set querier enable

    set querier-addr <IPv4_address>

    set version {2 | 3}

    next

    end

    end

    end

    For example:

    config switch-controller managed-switch

    edit S524DF4K15000024

    config igmp-snooping

    set local-override enable

    set aging-time 1000

    set flood-unknown-multicast enable

    config vlans

    edit vlan100

    set proxy disable

    set querier enable

    set querier-addr 1.2.3.4

    set version 3

    next

    end

    end

    end

    Previous
    Next