Multicast forwarding and FortiGate units

Enabling multicast forwarding

Multicast forwarding is enabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable or disable multicast forwarding. When multicast- forward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add security policies to actually allow multicast packets through the FortiGate. In our example, the security policy allows multicast packets received by the internal interface to exit to the external interface.

Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.

 

Enter the following CLI command to enable multicast forwarding:

 

config system settings

set multicast-forward enable end

If multicast forwarding is disabled and the FortiGate unit drops packets that have multicast source or destination addresses.

You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate unit does not increase the TTL value for forwarded multicast packets. You should use this option only if packets are expiring before reaching the multicast router.

 

config system settings

set multicast-ttl-notchange enable end

In transparent mode, the FortiGate unit does not forward frames with multicast destination addresses. Multicast traffic such as the one used by routing protocols or streaming media may need to traverse the FortiGate unit, and should not be interfere with the communication. To avoid any issues during transmission, you can set up

multicast security policies. These types of security policies can only be enabled using the CLI.

 

The CLI parameter multicast-skip-policy must be disabled when using multicast secur- ity policies. To disable enter the command

 

config system settings

set multicast-skip-policy disable

end

 

In this simple example, no check is performed on the source or destination interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.

 

To enable the multicast policy

config firewall multicast-policy edit 1

set action accept end

In this example, the multicast policy only applies to the source port of WAN1 and the destination port of Internal.

 

 

To enable the restrictive multicast policy

config firewall multicast-policy edit 1

set srcintf wan1

set dstinf internal set action accept

end

In this example, packets are allowed to flow from WAN1 to Internal, and sourced by the address 172.20.120.129, which is represented by the address object “example_addr-1”.

 

To enable the restrictive multicast policy

config firewall multicast-policy edit 1

set srcintf wan1

set srcaddr example_addr-1 set dstinf internal

set action accept end

This example shows how to configure the multicast security policy required for the configuration shown. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface their source address is translated to 192.168.18.10

 

config firewall multicast-policy edit 5

set srcaddr 192.168.5.18 255.255.255.255 set srcintf internal

set destaddr 239.168.4.0 255.255.255.0 set dstintf external

set nat 192.168.18.10 end

This example shows how to configure a multicast security policy so that the FortiGate unit forwards multicast packets from a multicast Server with an IP 10.10.10.10 is broadcasting to address 225.1.1.1. This Server is on the network connected to the FortiGate DMZ interface.

 

config firewall multicast-policy edit 1

set srcintf DMZ

set srcaddr 10.10.10.10 255.255.255.255 set dstintf Internal

set dstaddr 225.1.1.1 255.255.255.255 set action accept

edit 2

set action deny end

 

 

Multicast routing examples

This section contains the following multicast routing configuration examples and information:

 

  • Example FortiGate PIM-SM configuration using a static RP
  • FortiGate PIM-SM debugging examples
  • Example multicast destination NAT (DNAT) configuration
  • Example PIM configuration that uses BSR to find the RP

 

Example FortiGate PIM-SM configuration using a static RP

The example Protocol Independent Multicast Sparse Mode (PIM-SM) configuration shown below has been tested for multicast interoperability using PIM-SM between Cisco 3750 switches running 12.2 and a FortiGate-800 running FortiOS v3.0 MR5 patch 1. In this configuration, the receiver receives the multicast stream when it joins the group 233.254.200.1.

 

Example FortiGate PIM-SM topology

The configuration uses a statically configured rendezvous point (RP) which resides on the Cisco_3750_1. Using a bootstrap router (BSR) was not tested in this example. See “Example PIM configuration that uses BSR to find the RP” for an example that uses a BSR.

 

Configuration steps

 

The following procedures show how to configure the multicast configuration settings for the devices in the example configuration.

  • Cisco_3750_1 router configuration
  • Cisco_3750_2 router configuration
  • To configure the FortiGate-800 unit
  • Cisco_3750_3 router configuration

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Fortinet GURU, FortiOS 5.4 Handbook on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.