Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sandeep_FTNT
Staff
Staff

Created on ‎04-24-2015 03:43 AM Edited on ‎01-08-2026 12:52 AM By Community Manager

Article Id 194719

Technical Tip: Forwarding multicast traffic in NAT mode

Description
This article describes how to configure multicast traffic forwarding on a FortiGate. Multicast enables the efficient delivery of data to multiple recipients simultaneously using a single transmission stream. Multicast is commonly used in applications such as real-time video/audio streaming and IPTV.  This feature allows forwarding multicast streams statically between the FortiGate interfaces from the multicast routers and sources to the multicast receivers; however, it is not intended for routing multicast traffic using dynamic multicast routing protocols.
 
Note: Enabling both multicast forwarding and multicast routing simultaneously on the same device or VDOM is not recommended. Multicast forwarding treats the traffic statically, while routing uses dynamic protocol decisions such as reverse path forwarding (RPF) checks.
Scope FortiGate allows multicast flow from a multicast router or source at port2 to a multicast receiver at port1.
Solution
Step 1: 
Enabling multicast forwarding.
By default, Multicast Forwarding is enabled on FortiGate devices, and the multicast-forward setting must be used to enable or disable multicast forwarding.

Enable multicast forwarding from the CLI using the following commands:
 
config system setting
    set multicast-forward enable
end
 
Prevent the TTL for forwarded packets from being changed.
 
To preserve TTL values for forwarded multicast packets, use the multicast-ttl-notchange option. Enable it only if packets expire prematurely before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end
 
Step 2:  
Configure the multicast policy.

In a multicast policy, the source interface refers to the interface where the multicast receiver—such as an IPTV box—is located, while the destination interface is where the multicast router or source resides. The multicast group(s) are selected in the destination field.
 
From the GUI:
Navigate to Policy & Objects -> Multicast Policy -> Create New. Select the source and destination interfaces with the source and destination IP addresses.
Note: If the Multicast tab is not seen, then navigate to System -> Feature Visibility, and enable Multicast Policy.
 
Screenshot 2025-05-12 201245.png

 

From the CLI:
 
config firewall multicast-policy
    edit 1
        set srcintf  port1
        set dstintf  port2
        set srcaddr  all
        set dstaddr  all
    next
end
 

Note:
If the destination is all, it means all multicast addresses in the range 224.0.0.0-239.255.255.255.
If both interface and addr are set to any or all in the multicast-policy, flooding can occur on all interfaces except the receiving interface.


Be aware that flooding can increase sessions and resources.
Preview file
171 KB
24262
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.