Description
This article describes how to configure an access list for multicast traffic traversing a FortiGate.
Solution
If there is no access-group configured for multicast traffic, all streams will be allowed to reach FortiGate.
In order to allow specific networks to join multicast groups, an access-list is configured and applied to an inbound interface.
The following access list allows only two IP addresses:
    # config router access-list
        edit "IGMP_allowed"
            # config rule
                edit 1
                    set prefix 224.1.1.1 255.255.255.255
                next
                edit 2
                    set prefix 239.239.0.1 255.255.255.255
                next
                edit 3
                    set prefix 0.0.0.0 0.0.0.0
                    set action deny
            end
        next
    end

There is no implicit deny at the end of an access list.
To allow traffic only for a specific IP address/subnet, a default entry is created with the ‘deny’ action as the last rule.
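As an added illustration (not Fortinet code and not part of the original article), the Python sketch below models how this access list treats a requested group address and checks that a list ends with the catch-all deny entry. It assumes rules are evaluated in order with the first match deciding; the function names are hypothetical and the sample input is the article's configuration without CLI prompts.

```python
import ipaddress

# Constructed sample input: the access list from this article, without CLI prompts.
SAMPLE = """
config router access-list
    edit "IGMP_allowed"
        config rule
            edit 1
                set prefix 224.1.1.1 255.255.255.255
            next
            edit 2
                set prefix 239.239.0.1 255.255.255.255
            next
            edit 3
                set prefix 0.0.0.0 0.0.0.0
                set action deny
        end
    next
end
"""

def parse_access_lists(text):
    """Return {name: [rule, ...]}; a rule without "set action" permits (as in the article)."""
    lists, name = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:1] == ["edit"] and words[1].startswith('"'):
            name = words[1].strip('"')          # edit "<name>" opens a list
            lists[name] = []
        elif words[:1] == ["edit"]:             # edit <id> opens a rule
            lists[name].append({"net": None, "action": "permit"})
        elif words[:2] == ["set", "prefix"]:
            lists[name][-1]["net"] = ipaddress.ip_network(f"{words[2]}/{words[3]}")
        elif words[:2] == ["set", "action"]:
            lists[name][-1]["action"] = words[2]
    return lists

def evaluate(rules, group):
    """First matching rule decides (assumed); no match permits, as there is no implicit deny."""
    addr = ipaddress.ip_address(group)
    for rule in rules:
        if rule["net"] is not None and addr in rule["net"]:
            return rule["action"]
    return "permit"

def has_catch_all_deny(rules):
    """True when the last rule is 0.0.0.0/0 with action deny."""
    last = rules[-1] if rules else {"net": None, "action": ""}
    return last["action"] == "deny" and getattr(last["net"], "prefixlen", None) == 0
```

Running `evaluate` on the same rules with the last entry removed shows why rule 3 matters: any group outside the two listed addresses is then permitted.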
The access list has to be applied to the specific interface.
    # config router multicast
        set multicast-routing enable
        # config interface
            edit "port1"
                set pim-mode sparse-mode
                # config igmp
                    set access-group "IGMP_allowed"
                end
            next
        end
    end

Useful Links:
CLI Reference: https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/741750/router-multicast
Multicast processing and basic multicast policy: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/968606/multicast-processing-and-basic-mu...
Multicast forwarding on FortiGate: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/289647/multicast-forwarding