Technical Tip: Workaround to allow the multicast traffic to flow between the member interface of the same zone.

This article describes a workaround for enabling multicast traffic flow between member interfaces within the same zone.

When multicast interfaces are part of the same zone, the following configuration limitations arise:

1. It is not possible to designate specific zone member interfaces as source or destination interfaces within a multicast policy.
2. It is not possible to define the same zone as source and destination interface ('srcintf' and 'dstintf' must be different in the multicast policy).
3. If the entire zone is used instead of specific zone members for 'srcintf' or 'dstintf' in the multicast policy, all other member interfaces not requiring multicast traffic will unnecessarily receive the stream.

FortiGate v6.0, v6.2, v6.4, and v7.0.

If there is a design that needs the multicast traffic to flow between the members of the same Zone, then it is possible to apply the workaround below.

• 'port1' and 'port2' want to forward the multicast traffic. 'port3' does not belong to the multicast.
• Set 'intrazone allow' in the zone.

config system zone

    edit "Multicast-Zone"

        set intrazone allow

        set interface "port1" "port2" “port3”

    next

end

• Configure the source and destination interface as 'any' and restrict the traffic using the multicast address.

config firewall multicast-policy

    edit 1

        set logtraffic enable

        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port1>
        set dstaddr <Destination-Prefix-for-Port2>

    next

    edit 2

        set logtraffic enable

        set srcintf "any"

        set dstintf "any"

        set srcaddr <Source-Prefix-for-Port2>

        set dstaddr <Destination-Prefix-for-Port1>

end

Note: 

It is only possible to add a multicast address object as ‘destination’ in these policies, though there are no restrictions on selecting the source address.

Useful commands:

Putty1:

get router info multicast tablecount
get router info multicast table
get router info multicast pim sparsemode table <multicastgroup>
diagnose ip multicast mroute
diagnose ip multicast vif
diagnose ip rtcache list | grep <multicastgroup>
get router info routing all
get router info multicast pim sparsemode interface
get router info multicast pim sparsemode neighbor
get router info multicast pim sparsemode rpmapping
get router info multicast pim sparsemode nexthop

Putty2:

diagnose sniffer packet any 'host <multicastgroup>' 6 0 a

Use Ctrl+C to stop the logs.