FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
This article explains how to analyze and troubleshoot multicast sessions on a FortiGate using FortiOS 5.0 5.2 and 5.4. A new feature has been introduced in 5.4 to have a better overview of multicast sessions.  

Prior to FortiOS 5.4

FortiOS 5.0 and 5.2 do not have multicast session structure in the kernel, thus it is not possible to observe the multicast sessions.

There is actually a workaround on platforms which support multicast offloading (platform based on NP6, CE4, XE2, XG2 and XH0). Multicast traffic can be offloaded when the FortiGate participates in multicast routing, meaning that multicast-router has to be enabled.

In this case, the following command can be used to observe multicast sessions offloaded to the ASIC:
# diagnose ip multicast npu-session list
The output looks like:
vf=1, hash_index=2, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x0a010101--> 0xef010101 expire=173
0x0a010101 is the source IP in hexadecimal =>
0xef010101 is the destination IP (multicast group) in hexadecimal =>
iif/oif=39/42 inbound interface index 39 ; outbound interface index 42 (use “diagnose netlink interface list” to find the interface name from the index)
expire=173 the session will be deleted in 173 seconds if no further packets match the session

In case of Source NAT applied in the multicast firewall policy:
vf=1, hash_index=2, iif/oif=39/42, in_vtag/out_vtag=32988/33988,0x0a010101(55334)-->0xef010101(60400):17 ==> 0x96010101--> 0xef010101 expire=178
0x96010101 is the source NAT IP in hexadecimal =>

Since FortiOS 5.4

FortiOS 5.4 has introduced a multicast session structure in the kernel, it is now possible to see a session even if it is not offloaded to the ASIC.

The command to display multicast sessions table is:
# diagnose sys mcast-session list
The output looks like :
vf=1 index=0 proto=17>
indev=68 act_num=1 duration=8 expire=179 pkts=840331 bytes=686550427
session-npu-info: offload=1  flags=0x00000001
ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npuid=1 tae_index=268 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=, ndaddr=
act-npu-info:  ipid/vlifid=146/146 vlanid/vtag_in=2200/2200 in_npu_id=1, out_npuid=1 epid=147 fwd=0 source IP destination IP
pkts=840331 bytes=686550427 packets and bytes counters
offload=1 this session is offloaded
indev=68 ingress interface
outdev=71 egress interface
nsaddr= source NAT IP
ndaddr= destination NAT IP, no DNAT here
vf=1 index=0 proto=17>
indev=68 act_num=1 duration=8 expire=171 pkts=0 bytes=0
session-npu-info: offload=0  flags=0x00000002
ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
act1: outdev=71 nsaddr=, ndaddr=
act-npu-info:  ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npu_id=0, out_npuid=0 epid=0 fwd=0
offload=0 this session is not offloaded (no compatible ASIC or auto-asic-offload disable in the firewall multicast policy)