PeterCMU
New Member
January 8, 2022
Question

Multicast forwards to wan interface

  • January 8, 2022
  • 2 replies
  • 6062 views

Hello,
I have a problem with multicast packet forwarding on a Fortigate 60E v6.0.10 in NAT mode. On the WAN interface I see multicast, broadcast and ARP packets forwarded from the LAN interface (internal1). I changed the multicast setting in "config system setting" to "set multicast-forward disable", but it changed nothing. Broadcast and NetBIOS forwarding on the LAN interface are also disabled. Even when I create multicast policies to drop any broadcast traffic, there are still unwanted packets on the WAN interface. Is this some kind of bug, or are there other settings or policies to prevent that forwarding?

2 replies

akileshc
Staff
January 9, 2022

Hello,
It is preferable to understand the traffic flow before implementing any policy to block it; you can upload a packet flow sample and, if possible, sniffer logs.

# di sniffer packet any "host x.x.x.x" 6 0 l 
Replace x.x.x.x with the IP address of the Multicast Group.

PeterCMU (Author)
New Member
January 9, 2022

Current settings:

multicast-forward disable

all multicast policies disabled

Traffic flow below (filter: addr 192.168.15.255 - broadcast on internal1 interface)

[capture attachment omitted]

Sniffer result below (di sniffer packet any "host 192.168.15.255" 6 100 l)

[sniffer output attachment omitted]

akileshc
Staff
January 10, 2022

Hi Peter,

With reference to the packet captures, I see the Fortigate interfaces are receiving NBNS queries from multiple downstream devices, such as IntelCor_d2:df:16 (SMAC 80:00:0b:d2:df:16) on the WAN2 interface and G-ProCom_49:ed:a1 (SMAC 00:23:24:49:ed:a1) on the internal1 interface, and they are getting dropped.

Basically, the NetBIOS Name Service (NBNS) is a component of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite, which enables legacy computer programs that utilize the NetBIOS Application Programming Interface (API) to run on TCP/IP networks.

You may even use the following custom IPS signature to block NBNS traffic of type NBSTAT:

F-SBID( --name "NetBIOS.Name.Service.NBSTAT.Scan.Custom"; --protocol udp; --flow from_client; --dst_port 137; --data_size =50; --pattern "|00 10 00 01|"; --context packet; --distance 2,context; --within 4,context; --pattern "|20434b4141414141|"; --context packet; --distance 6; --within 8; --rate 5,20; --track src_ip;)
The "--rate 5,20" option means this signature would trigger if this type of NetBIOS packet is identified 5 times within a 20-second time frame. You can adjust the threshold as necessary. (Note that this signature might cause false positives.)
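
As an added illustration of what the custom signature above is matching (example code written for this thread, not Fortinet's code and not from the original posters), the following Python decodes NBNS (UDP/137) queries, checks the same static conditions the signature expresses (data size 50, flags/QDCOUNT bytes 00 10 00 01, a 32-byte label beginning with the first-level encoding of the "*" wildcard name that an NBSTAT node-status request carries), and then applies the "--rate 5,20 --track src_ip" threshold per source IP over a sliding window. All packets, hosts, addresses and timestamps in the script are constructed for the demo and are not taken from the captures in this thread.

```python
"""Decode NBNS queries and apply the NBSTAT wildcard-scan rate rule.

Added example (not from the forum thread or Fortinet): a byte-level re-statement
of the quoted IPS signature plus its per-source rate threshold. Every packet
below is constructed in build_nbns_query(); nothing comes from real captures.
"""
import struct
from collections import defaultdict, deque

NBNS_PORT = 137
NBSTAT_QTYPE = 0x0021           # node status request (what "nbtstat -A" sends)
NB_QTYPE = 0x0020               # ordinary NetBIOS name query


def encode_nbns_name(name: str, suffix: int = 0x00) -> bytes:
    """RFC 1001/1002 first-level encoding: 16 raw bytes -> 32 letters 'A'..'P'.
    The wildcard "*" is padded with NULs, ordinary names with spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.encode("ascii")[:15].ljust(15, pad) + bytes([suffix])
    out = bytearray()
    for b in raw:
        out.append(0x41 + (b >> 4))       # high nibble
        out.append(0x41 + (b & 0x0F))     # low nibble
    return bytes(out)


def decode_nbns_name(encoded: bytes):
    """Inverse of encode_nbns_name(); returns (name, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("NBNS name must be 32 encoded bytes")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbns_query(txid: int, name: str, qtype: int, broadcast: bool = True) -> bytes:
    """Build a single-question NBNS query payload (UDP data only, constructed)."""
    flags = 0x0010 if broadcast else 0x0000          # B flag = broadcast/multicast
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_nbns_name(name) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 0x0001)


def parse_nbns_query(payload: bytes):
    """Return header fields and the first question, or None if malformed."""
    if len(payload) < 50:                            # 12 hdr + 1 + 32 + 1 + 4
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    if qdcount < 1 or payload[12] != 32 or payload[45] != 0:
        return None                                  # only unscoped single-label names
    name, suffix = decode_nbns_name(payload[13:45])
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {"txid": txid, "flags": flags, "qdcount": qdcount, "name": name,
            "suffix": suffix, "qtype": qtype, "qclass": qclass, "length": len(payload)}


def matches_nbstat_scan_signature(payload: bytes) -> bool:
    """Static conditions of the quoted signature, as fixed byte offsets."""
    return (len(payload) == 50                                   # --data_size =50
            and payload[2:6] == b"\x00\x10\x00\x01"              # flags 0x0010, QDCOUNT 1
            and payload[12:20] == b"\x20CKAAAAA")                # label len + encoded "*"


class SourceRateTracker:
    """Sliding-window hit counter per source IP (--rate N,T --track src_ip)."""

    def __init__(self, threshold: int = 5, window_s: float = 20.0):
        self.threshold = threshold
        self.window_s = window_s
        self._hits = defaultdict(deque)

    def record(self, src_ip: str, ts: float) -> bool:
        """Add a hit; True when `threshold` hits fall inside the window.
        The window is cleared on alert, so one alert per threshold crossing."""
        q = self._hits[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            q.clear()
            return True
        return False


def detect_nbstat_scans(packets, threshold: int = 5, window_s: float = 20.0):
    """packets: iterable of (timestamp, src_ip, dst_port, udp_payload).
    Returns [(timestamp, src_ip)] for every threshold crossing."""
    tracker = SourceRateTracker(threshold, window_s)
    alerts = []
    for ts, src_ip, dst_port, payload in sorted(packets, key=lambda p: p[0]):
        if dst_port != NBNS_PORT or not matches_nbstat_scan_signature(payload):
            continue
        if tracker.record(src_ip, ts):
            alerts.append((ts, src_ip))
    return alerts


# Constructed sample traffic: one host sweeping with wildcard NBSTAT queries,
# one host sending a single wildcard query plus a normal name lookup.
SAMPLE_PACKETS = (
    [(float(i), "192.168.15.50", NBNS_PORT, build_nbns_query(0x1000 + i, "*", NBSTAT_QTYPE))
     for i in range(6)]
    + [(3.0, "192.168.15.77", NBNS_PORT, build_nbns_query(0x2000, "*", NBSTAT_QTYPE)),
       (4.0, "192.168.15.77", NBNS_PORT, build_nbns_query(0x2001, "WORKGROUP", NB_QTYPE))]
)

if __name__ == "__main__":
    for ts, src in detect_nbstat_scans(SAMPLE_PACKETS):
        print(f"t={ts:5.1f}s  NBSTAT wildcard scan threshold reached from {src}")
```

Running the script alerts once, for 192.168.15.50 at t=4.0 s (its fifth wildcard query inside the 20-second window); the single wildcard query and the ordinary "WORKGROUP" lookup from 192.168.15.77 never reach the threshold, which is the same distinction the "--rate 5,20" clause makes between a burst and a one-off query.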

PeterCMU (Author)
New Member
January 13, 2022

Problem solved. My switch VLAN configuration had reset to defaults, and after reconfiguration it works properly. Thanks.