Multicast processing and basic Multicast policy

You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.

Multicast forwarding in NAT mode

When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.

If multicast-forward is disabled, the FortiGate unit drops packets that have multicast source or destination addresses.

In NAT mode, there is a per-VDOM configuration to disable forwarding any multicast traffic. This command is only available in NAT mode.

config system settings
    set multicast-forward <disable|enable(default)>
end

You can also use the multicast-ttl-notchange option so that the FortiGate does not increase the TTL value for forwarded multicast packets. Use this option only if packets are expiring before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

Multicast processing in TP mode

When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.

In transparent mode, there is a per-VDOM configuration to skip the policy check and forward all multicast traffic. This command is only available in transparent mode.

config system settings
    set multicast-skip-policy <disable(default)|enable>
end

Sample configuration

To allow RIP2 packets from port1 to port2 using the GUI:

  1. Go to Policy & Object > Multicast Policy.
  2. Click Create New.
  3. For Incoming Interface, select port1.
  4. For Outgoing Interface, select port2.
  5. For Source Address, select 10.0.10/32.
  6. For Destination Address, select RIPv2.
  7. Click OK.

To allow RIP2 packets from port1 to port2 using the CLI:

config firewall address
    edit "10.10.0.10/32"
        set subnet 10.10.0.10 255.255.255.255
    next
end

config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end

config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end
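The forwarding rules described above (NAT mode: multicast-forward, the TTL >= 2 check, the TTL decrement and multicast-ttl-notchange; transparent mode: multicast-skip-policy; in both, first-match multicast policy lookup) modelled as an added Python example, not code from the page or from FortiOS. It assumes all interfaces are in one forwarding domain, that address objects are already resolved to a prefix and a start-ip/end-ip range, and that transparent mode leaves the TTL untouched (the page does not say).

```python
import ipaddress
from dataclasses import dataclass, field

MULTICAST_RANGE = ipaddress.ip_network("224.0.0.0/4")

@dataclass
class MulticastPolicy:
    srcintf: str
    dstintf: str
    srcaddr: str          # source address object, e.g. "10.10.0.10/32"
    dst_start: str        # multicast-address object range (start-ip/end-ip)
    dst_end: str
    action: str = "accept"

    def matches(self, ingress, egress, src, dst):
        return (self.srcintf == ingress and self.dstintf == egress
                and src in ipaddress.ip_network(self.srcaddr)
                and ipaddress.ip_address(self.dst_start) <= dst
                <= ipaddress.ip_address(self.dst_end))

@dataclass
class Vdom:
    opmode: str = "nat"                    # "nat" or "transparent"
    interfaces: tuple = ("port1", "port2", "port3")
    multicast_forward: bool = True         # NAT-mode knob, default enable
    multicast_ttl_notchange: bool = False  # NAT-mode knob
    multicast_skip_policy: bool = False    # TP-mode knob, default disable
    policies: list = field(default_factory=list)

def policy_allows(vdom, ingress, egress, src, dst):
    for p in vdom.policies:                # first match decides; no match = drop
        if p.matches(ingress, egress, src, dst):
            return p.action == "accept"
    return False

def forward(vdom, ingress, src, dst, ttl):
    """Return {egress_interface: outgoing_ttl} for one multicast packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst not in MULTICAST_RANGE:
        raise ValueError(f"{dst} is not a multicast destination")
    if vdom.opmode == "nat":
        if not vdom.multicast_forward or ttl < 2:
            return {}                      # forwarding disabled or TTL expired
        ttl_out = ttl if vdom.multicast_ttl_notchange else ttl - 1
        skip_policy = False                # NAT mode always consults policy
    else:
        ttl_out = ttl                      # assumption: TTL untouched in TP mode
        skip_policy = vdom.multicast_skip_policy
    return {egress: ttl_out for egress in vdom.interfaces if egress != ingress
            and (skip_policy or policy_allows(vdom, ingress, egress, src, dst))}
```

With the page's RIPv2 policy loaded, a packet from 10.10.0.10 to 224.0.0.9 entering port1 with TTL 2 leaves port2 with TTL 1 and is not flooded to port3; the same packet with TTL 1, or with multicast-forward disabled, is dropped.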

IPv4/IPv6 access control lists

Access control lists (ACLs) in the FortiOS firmware are a granular, more specifically targeted blacklist. ACLs drop IPv4 and IPv6 packets at the physical network interface before the packets are analyzed by the CPU. On a busy appliance, this can significantly improve performance.

ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to a packet, and the check is performed by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.

The following platforms support ACL:

  • FGT_100D, FGT_100E, FGT_100EF, FGT_101E
  • FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE
  • FGT_301E, FGT_500E, FGT_501E
  • FGT_1200D, FGT_1500D, FGT_1500DT
  • FGT_2000E, FGT_2500E
  • FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D
  • FGT_3800D, FGT_3810D, FGT_3815D
  • FGT_3960E, FGT_3980E

Limitation

The ACL configuration lets you specify which interface the ACL is applied to, but be aware of a hardware limitation. The ACL is a Layer 2 function that is offloaded to the ISF hardware, so no CPU resources are used to process it: it is handled by the internal switch chip, which performs hardware acceleration and increases FortiGate performance. The drawback is that the ACL function is only supported on switch-fabric-driven interfaces. It also cannot be applied to hardware switch interfaces or their members. Ports such as WAN1 or WAN2 on some models that use network cards that connect to the CPU through a PCIe bus do support ACL.

Sample configuration

To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:

config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end

config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end

Sample troubleshooting

To check the number of packets dropped by an ACL:

# diag firewall acl counter
ACL id 1 dropped 0 packets

To clear the packet drop counter:

# diag firewall acl clearcounter

Use the same commands for IPv6 ACL.

# dia firewall acl
counter          Show number of packets dropped by ACL.
counter6         Show number of packets dropped by ACL6.
clearcounter     Clear ACL packet counter.
clearcounter6    Clear ACL6 packet counter.
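A small monitoring helper for the counter output shown above, added here as an example and not part of the page or of FortiOS: it parses successive "diag firewall acl counter" (or counter6) snapshots into per-ACL drop counts, computes the drops between snapshots, and treats a counter that went down as having been cleared with clearcounter in between. The line format is assumed to be exactly the single line the page shows; the two snapshots are constructed sample text, not real device output.

```python
import re

# One line per ACL, in the format shown by "diag firewall acl counter"
ACL_LINE = re.compile(r"^ACL id (\d+) dropped (\d+) packets$")

def parse_acl_counters(output):
    """Map ACL id -> cumulative dropped-packet count from CLI output."""
    counters = {}
    for line in output.splitlines():
        m = ACL_LINE.match(line.strip())
        if m:
            counters[int(m.group(1))] = int(m.group(2))
    return counters

def drop_deltas(before, after):
    """Packets dropped per ACL id between two snapshots.

    A count lower than the previous one means "clearcounter" ran in
    between, so the whole new value counts as drops since the clear.
    """
    deltas = {}
    for acl_id, now in after.items():
        prev = before.get(acl_id, 0)
        deltas[acl_id] = now if now < prev else now - prev
    return deltas

def active_acls(before, after, threshold=1):
    """ACL ids whose drop counter grew by at least `threshold` packets."""
    return sorted(i for i, d in drop_deltas(before, after).items() if d >= threshold)

# Constructed sample snapshots (not real device output)
SNAPSHOT_1 = """ACL id 1 dropped 0 packets
ACL id 2 dropped 40 packets
"""
SNAPSHOT_2 = """ACL id 1 dropped 12 packets
ACL id 2 dropped 3 packets
"""

if __name__ == "__main__":
    before, after = parse_acl_counters(SNAPSHOT_1), parse_acl_counters(SNAPSHOT_2)
    print(drop_deltas(before, after), active_acls(before, after, threshold=5))
```

Between the two constructed snapshots ACL 1 dropped 12 packets and ACL 2's counter fell from 40 to 3, which the helper reports as 3 drops after a clear.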
This entry was posted in Administration Guides, FortiGate, FortiOS 6.2.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
