This article addresses a workaround for enabling multicast traffic flow between member interfaces within the same zone.

When multicast interfaces are part of the same zone, the following configuration limitations arise:

1. It is not possible to designate specific zone member interfaces as source or destination interfaces within a multicast policy.
2. It is not possible to define the same zone as source and destination interface ('srcintf' and 'dstintf' must be different in the multicast policy)
3. If the entire zone is used instead of specific zone members for 'srcintf' or  'dstintf' in the multicast policy, all other member interfaces not requiring multicast traffic will unnecessarily receive the stream.

FortiGate v6.0,  v6.2, v6.4, v7.0

If there is a design that needs the multicast traffic to flow between the members of the same Zone then it is possible to apply the below workaround.

• 'port1' and 'port2' want to forward the multicast traffic. 'port3' does not belong to the multicast.
• Set 'intrazone allow' in the zone.

config system zone

edit "Multicast-Zone"

    set intrazone allow

    set interface "port1" "port2" “port3”

next

end

• Configure the source and destination interface as 'any' and restrict the traffic using the multicast address.

config firewall multicast-policy

    edit 1

        set logtraffic enable

        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port1>
        set dstaddr <Destination-Prefix-for-Port2>

    next

    edit 2

        set logtraffic enable

        set srcintf "any"

        set dstintf "any"

        set srcaddr <Source-Prefix-for-Port2>

        set dstaddr <Destination-Prefix-for-Port1>

end

Note: 

It is only possible to add multicast address object as ‘destination’ in these policies, though there are no restrictions on selecting source address.