Skip to main content
ACARIMO
Staff
ACARIMO
Staff
March 24, 2026

Technical Tip: Placing FortiGate between a TV service provider's router and a set-top box

  • March 24, 2026
  • 0 replies
  • 348 views
Description This article provides the necessary steps to place FortiGate  between a TV service Provider's Router and a set-top box, allowing access to live and recorded streams through FortiGate.
Scope FortiGate.
Solution
  1. Enable multicast policy visibility: navigate the FortiGate GUI to System -> Feature Visibility and enable the 'Multicast Policy' feature. 

  2. Configure the following multicast parameters by running the CLI commands below:

  

config system settings

    set multicast-forward enable

    set multicast-ttl-notchange enable

end

config router multicast

    set multicast-routing disable

end

 

  1. Configure the relevant FortiGate interfaces:
  • The external interface: The FortiGate interface that connects to the TV Service Provider's router should receive its IP address via DHCP (the IP address should be assigned by the TV Service Provider's router), 'Retrieve default gateway from server' and 'Override internal DNS' should both be enabled.
  • The internal interface: The FortiGate interface that connects to the set-top box should have the 'DHCP Server' option enabled, and the DNS server option 'Same as System DNS' should be selected.

 

  1. Configure multicast and firewall policies.
  • One outbound multicast policy, allowing traffic from the set-top box interface towards the TV Service Provider's interface with SNAT enabled:
    • Incoming Interface: FortiGate Interface that connects to the set-top box.
    • Outgoing Interface: FortiGate Interface that connects to the TV Service Provider's router.
    • Source Address: All (use 'all' or use the set-top box IP address).
    • Destination Address: All.
    • SNAT enabled.
  • One inbound multicast policy, allowing traffic from the TV Service Provider's interface towards the set-top box interface with SNAT disabled:
    • Incoming Interface: FortiGate Interface that connects to the TV Service Provider's router.
    • Outgoing Interface: FortiGate Interface that connects to the set-top box,
    • Source Address: All.
    • Destination Address: All.
    • SNAT is not enabled.
  • One outbound firewall policy, allowing traffic from the set-top box interface towards the TV Service Provider's interface with SNAT enabled:
    • Incoming Interface: FortiGate Interface that connects to the set-top box,
    • Outgoing Interface: FortiGate Interface that connects to the TV Service Provider's router,
    • Source Address: All (use 'all' or use the set-top box IP address),
    • Destination Address: All.
    • NAT enabled.

 

Related article:

Technical Tip: FortiOS Multicast Resource List
    Terms & ConditionsAccessibility statement