Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ellenluo
Staff
Staff

Created on ‎01-16-2015 02:24 PM Edited on ‎08-27-2025 10:22 AM By Moderator

Article Id 197533

Technical Tip: How to configure FortiGate forward broadcast

Description

 
This article describes how to configure FortiGate forward broadcast. In FortiGate, broadcast traffic is handled by a multicast policy instead of a normal firewall policy.

 

Scope

 

FortiGate.


Solution

 
By default, there is only a multicast address in 'config firewall multicast-address'. To allow a broadcast to pass through the FortiGate, configure a broadcast address and apply it to the multicast-policy.

config firewall multicast-address
    edit "all"
        set start-ip 224.0.0.0
        set end-ip 239.255.255.255
    next
end
 
Configuration:
  1. Configure broadcast forwarding on interface:
config system interface
    edit internal
        set broadcast-forward enable
    next
    edit wan1
        set broadcast-forward enable
    end

  1. Configure broadcast address:
config firewall multicast-address
    edit "allbroadcast"
        set type broadcastmask
        set subnet 255.255.255.255 255.255.255.255
end
  1. Configure multicast policy:
config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "allbroadcast"
    next
end

 

It is important to know that on some broadcast services, the server will send the reply on a broadcast IP.
The above policy will allow both sessions:

  • The one from the client to the broadcast IP. For example:

 

DMZ_in 10.44.5.23.57 -> 255.255.255.255.57: udp 20
Broad_out 10.44.5.23.57 -> 255.255.255.255.57: udp 20

 

  • The other one for the server reply with a broadcast packet:

 

Broad_in 10.56.5.5.57 -> 255.255.255.255.57: udp 20
DMZ_out 10.56.5.5.57 -> 255.255.255.255.57: udp 20


Enable logging on the multicast policy to see the traffic logs under Log & Report -> Multicast Traffic.

 

Note: This configuration might have worked in earlier versions, but it is not supported in the latest releases (verified in 7.4.8). The explanation is as follows:

The broadcast-forward enable option is used to control direct broadcasts, not traffic destined for 255.255.255.255. Therefore, it is not possible to allow traffic to 255.255.255.255.
For example, if the DMZ interface is configured with the subnet 192.168.0.0/24, the directed broadcast address would be 192.168.0.255.

 

For a detailed explanation, see Troubleshooting Tip: FortiGate Operating in NAT Mode does not allow Broadcast Traffic destined to 25....

53279
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.