FortiGate
nalexiou
Staff & Editor
Article Id 369157
Description This article describes the difference in multicast policy configuration when using multicast forwarding versus multicast routing.
Scope FortiGate configured with multicast forwarding or multicast routing.
Solution

Multicast forwarding:

Multicast forwarding distributes multicast packets between multicast routers and receivers that are directly connected to the FortiGate, without running a multicast routing protocol. Once a multicast forwarding policy is configured, the FortiGate sends IGMP Membership Queries, which enables it to receive IGMP Membership Reports; these reports are sent by the hosts that want to receive the multicast traffic (the multicast receivers). Multicast forwarding is enabled by default (multicast-forward under config system settings), so it only requires a multicast policy to allow the traffic. The policy direction is from the interface facing the receiver to the interface facing the source, and the source address in the policy is the receiver's IP address, not the address of the multicast sender. Multicast forwarding suits simple setups where the multicast source and receiver are directly connected to the same FortiGate and no multicast routing protocol is used.

 

[Diagram 01: multicast forwarding topology, source and receiver directly connected to one FortiGate]

 

Multicast forwarding policy configuration:

config system settings
    set multicast-forward enable
end

config router multicast
    set multicast-routing disable
end

config firewall multicast-policy
    edit 1
        set name "multicast_forwarding"
        set srcintf "port1" <-- Receiver facing interface
        set dstintf "port2" <-- Source facing interface
        set srcaddr "PC1" <-- Receiver address, not the multicast sender
        set dstaddr "multicast_group"
    next
end


Multicast routing:

Multicast routing uses multicast routing protocols such as PIM sparse-mode and PIM dense-mode. It gives more control over multicast traffic, which is useful in more complex setups, such as the two-FortiGate example below (FGT-01 and FGT-02). Enabling multicast routing automatically disables multicast forwarding, even if multicast-forward is still enabled under config system settings. Multicast routing policies differ from multicast forwarding policies in both policy direction (from the source-facing interface to the receiver-facing interface) and source address (the multicast sender's address rather than the receiver's), as the example below shows. The effective multicast forwarding status can be verified with diagnose sys vd list. The example configuration below uses PIM dense-mode; the multicast policy configuration is the same for PIM sparse-mode.

 

[Diagram 02: multicast routing topology, source behind FGT-02 and receiver behind FGT-01, PIM dense-mode between the two FortiGates]

 

Multicast routing policy configuration (FGT-01):

config system settings
    set multicast-forward disable
end

config router multicast
    set multicast-routing enable
    config interface
        edit "port1"
            set pim-mode dense-mode
            set passive enable
        next
        edit "port2"
            set pim-mode dense-mode
        next
    end
end

config firewall multicast-policy
    edit 1
        set name "multicast_routing"
        set srcintf "port2" <-- Source facing interface
        set dstintf "port1" <-- Receiver facing interface
        set srcaddr "PC2" <-- Multicast source address
        set dstaddr "multicast_group"
    next
end

 

Multicast routing policy configuration (FGT-02):

config system settings
    set multicast-forward disable
end

config router multicast
    set multicast-routing enable
    config interface
        edit "port1"
            set pim-mode dense-mode
        next
        edit "port2"
            set pim-mode dense-mode
            set passive enable
        next
    end
end

config firewall multicast-policy
    edit 1
        set name "multicast_routing"
        set srcintf "port2" <-- Source facing interface
        set dstintf "port1" <-- Receiver facing interface
        set srcaddr "PC2" <-- Multicast source address
        set dstaddr "multicast_group"
    next
end

 

To verify the multicast forwarding status, check the mc_fwd field in the output of diagnose sys vd list. On FGT-01, where multicast routing is enabled, mc_fwd=0 shows that multicast forwarding is off:

 

FGT-01 # diagnose sys vd list
system fib version=154
list virtual firewall info:
name=root/root index=0 enabled fib_ver=0 rpdb_ver=0 use=35 rt_num=9 asym_rt=0 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0, tpmc_sk_pl=0
ecmp=source-ip-based, ecmp6=source-ip-based asym_rt6=0 rt6_num=10 strict_src_check=0 dns_log=1 ses_num=14 ses6_num=1 pkt_num=8939167
tree_flag=1 tree6_flag=1 traffic_log=1 extended_traffic_log=0
deny_tcp_with_icmp=0 ses_denied_traffic=no mc_ses_denied_traffic=no tcp_no_syn_check=0 central_nat=0 policy_mode_ngfw=0 block_land_attack=0 link_check_local_in=0
gtp_asym_fgsp=no
fw_session_hairpin=no keep-PRP-trailer=0 auxiliary_ses=0 dup_num=2
ipv4_rate=0, ipv6_rate=0, mcast6-PMTU=0, allow_linkdown_path=0
per_policy_disclaimer=0 pcp=0
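The two rules this article turns on (multicast-routing enable overrides multicast-forward, and the policy direction flips between the two modes) are easy to get wrong when a configuration is migrated from forwarding to PIM. The following is an added example, not Fortinet code: a small Python checker that parses saved FortiOS CLI text (the config sections above and the diagnose sys vd list line), works out the effective mode, and flags multicast policies whose srcintf/dstintf run the wrong way for that mode. The parser, the function names, and the 'roles' mapping (which interface faces the source and which the receiver) are assumptions of this example; the sample configurations are constructed from the listings above with the address objects omitted.

```python
"""Check FortiGate multicast mode and multicast-policy direction from saved CLI text.
Added example, not Fortinet code. Rules taken from the article: multicast-routing
enable switches forwarding off whatever multicast-forward says; a forwarding policy
runs receiver-facing -> source-facing interface, a routing policy source -> receiver.
Which interface faces what is operator knowledge, passed in as the 'roles' mapping."""
import re
import shlex

def _node():
    return {"set": {}, "entries": {}, "config": {}}

def parse_fortios(text):
    """Parse config/edit/set/next/end text into nested dicts; '<-- ...' notes are dropped."""
    stack = [_node()]
    for raw in text.splitlines():
        line = raw.split("<--", 1)[0].strip()
        if not line:
            continue
        tok = shlex.split(line)
        if tok[0] == "config":
            stack.append(stack[-1]["config"].setdefault(" ".join(tok[1:]), _node()))
        elif tok[0] == "edit":
            stack.append(stack[-1]["entries"].setdefault(tok[1], _node()))
        elif tok[0] == "set":
            stack[-1]["set"][tok[1]] = tok[2:]  # values kept as a list (srcintf may hold several)
        elif tok[0] in ("next", "end") and len(stack) > 1:
            stack.pop()
    return stack[0]

def effective_mode(cfg):
    """'routing', 'forwarding' or 'none'; defaults: multicast-forward enable, routing disable."""
    sysset = cfg["config"].get("system settings", _node())["set"]
    rtr = cfg["config"].get("router multicast", _node())["set"]
    if rtr.get("multicast-routing", ["disable"])[0] == "enable":
        return "routing"  # routing wins even if multicast-forward is still enabled
    if sysset.get("multicast-forward", ["enable"])[0] == "enable":
        return "forwarding"
    return "none"

EXPECTED = {"forwarding": ("receiver", "source"), "routing": ("source", "receiver")}

def check_policies(cfg, roles):
    """Return [(policy id, mode, direction_ok)]; roles maps intf -> 'source' | 'receiver'."""
    mode = effective_mode(cfg)
    pols = cfg["config"].get("firewall multicast-policy", _node())["entries"]
    out = []
    for pid, pol in pols.items():
        src = roles.get(pol["set"].get("srcintf", [None])[0])
        dst = roles.get(pol["set"].get("dstintf", [None])[0])
        out.append((pid, mode, (src, dst) == EXPECTED.get(mode)))
    return out

def mc_fwd_flag(vd_list_output):
    """mc_fwd value from 'diagnose sys vd list' output, or None if the field is absent."""
    m = re.search(r"\bmc_fwd=(\d+)", vd_list_output)
    return None if m is None else int(m.group(1))

# Constructed samples, condensed from the article's listings (address objects omitted).
FORWARDING_CFG = """\
config system settings
    set multicast-forward enable
end
config router multicast
    set multicast-routing disable
end
config firewall multicast-policy
    edit 1
        set srcintf "port1" <-- Receiver facing interface
        set dstintf "port2" <-- Source facing interface
    next
end
"""
ROUTING_CFG = """\
config system settings
    set multicast-forward disable
end
config router multicast
    set multicast-routing enable
    config interface
        edit "port1"
            set pim-mode dense-mode
            set passive enable
        next
    end
end
config firewall multicast-policy
    edit 1
        set srcintf "port2" <-- Source facing interface
        set dstintf "port1" <-- Receiver facing interface
    next
end
"""
VD_LIST = "name=root/root index=0 enabled use=35 sip_helper=0, sip_nat_trace=1, mc_fwd=0, mc_ttl_nc=0"  # constructed fragment of the FGT-01 output

if __name__ == "__main__":
    roles = {"port1": "receiver", "port2": "source"}  # assumed from the article's example
    for text in (FORWARDING_CFG, ROUTING_CFG):
        print(check_policies(parse_fortios(text), roles))
    print("mc_fwd =", mc_fwd_flag(VD_LIST))  # 0: forwarding off, consistent with routing mode
```

The useful negative case is a forwarding-style policy (receiver-facing srcintf) left in place after multicast-routing is switched on: effective_mode reports "routing" and check_policies marks the policy as wrong-way, which is exactly the silent breakage the article warns about when routing overrides the multicast-forward setting.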