FortiGate
nalexiou
Staff
Article Id 202163
Description

This article describes how to configure multicast policies between interfaces that are members of the same zone.

Scope

FortiGate.

Solution

In FortiGate, a multicast policy is a configuration that controls the forwarding of multicast traffic. Multicast is a form of communication in which a single source sends one copy of the data to a multicast group address, and the data is delivered only to the receivers that have joined that group, rather than being broadcast to every device on the network. It is commonly used in scenarios such as video conferencing, IPTV, and other applications that must deliver the same data to many recipients at the same time.

The multicast policy in FortiGate performs several key functions:

  1. Source and Destination Control: Determines which multicast sources (senders) can send traffic to which multicast groups (recipients).

  2. Interface Control: Specifies which incoming (ingress) and outgoing (egress) interfaces the multicast traffic is allowed or denied on.

  3. Security Profiles: Similar to regular security policies in FortiGate, you can apply security profiles to a multicast policy. This allows the firewall to inspect the multicast traffic for threats or to enforce content filtering.

  4. Traffic Shaping: Multicast policies can also have traffic-shaping policies applied to control the bandwidth utilized by multicast traffic.

  5. Logging and Monitoring: Just like unicast traffic policies, multicast policies can be set to log traffic, allowing administrators to monitor and audit the multicast traffic that traverses the FortiGate appliance.

 

Configure 'set intrazone allow' on the zone. By default a zone is created with intrazone deny, so traffic between two member interfaces of the same zone is dropped. Be aware that intrazone allow permits all traffic between the zone's member interfaces without a firewall policy, so it also affects unicast traffic between those interfaces.

 

config system zone
    edit <zone>
        set intrazone allow
    next
end

 

Configure a multicast policy with both the source and the destination interface set to 'any', and restrict the traffic using the source address and the destination multicast address instead. Because the interfaces are 'any', the address objects are the only thing scoping this policy, so use specific address objects rather than 'all'.

 

config firewall multicast-policy
    edit <id>
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        # firewall address object for the permitted sender(s)
        set srcaddr <SOURCE ADDRESS OBJECT>
        # firewall multicast-address object for the permitted group range
        set dstaddr <DESTINATION MULTICAST ADDRESS OBJECT>
    next
end
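The two steps above as one complete worked configuration, added here as an example and not taken from the original article. The zone name "LAN_ZONE", its members port2 and port3, the sender subnet 192.168.10.0/24 and the group range 239.1.1.0/24 are assumed values; replace them with your own. Multicast routing (IGMP/PIM, see the Note below) is assumed to be configured separately.

```text
# Added worked example (not from the original article). Assumed values:
# zone "LAN_ZONE" with members port2 and port3, senders on 192.168.10.0/24,
# IPTV group range 239.1.1.0/24. Multicast routing is configured separately.

# 1. Allow traffic between members of the zone (intrazone is deny by default).
config system zone
    edit "LAN_ZONE"
        set interface "port2" "port3"
        set intrazone allow
    next
end

# 2. Address objects that scope the policy, since the interfaces will be 'any'.
config firewall address
    edit "MCAST_SENDERS"
        set subnet 192.168.10.0 255.255.255.0
    next
end

config firewall multicast-address
    edit "IPTV_GROUPS"
        set type multicastrange
        set start-ip 239.1.1.0
        set end-ip 239.1.1.255
    next
end

# 3. Multicast policy: any interface in and out, restricted by sender and group.
config firewall multicast-policy
    edit 1
        set srcintf "any"
        set dstintf "any"
        set srcaddr "MCAST_SENDERS"
        set dstaddr "IPTV_GROUPS"
        set action accept
        set logtraffic enable
    next
end

# 4. Verify: list the policy, then watch group traffic cross the zone members
#    (verbosity 4 shows the ingress/egress interface of each packet).
show firewall multicast-policy
diagnose sniffer packet any 'net 239.1.1.0/24' 4 0 l
```

With srcintf and dstintf set to 'any', the policy is not limited to the zone; it is the "MCAST_SENDERS" and "IPTV_GROUPS" objects that keep it from matching multicast from any other source or to any other group, which is why 'all' should not be used for either address.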

 

Note: 

It is important to note that a multicast policy in FortiGate does not replace the need for proper multicast routing and group management configurations (like IGMP for group membership and PIM for multicast routing). Instead, the multicast policy works in conjunction with these protocols to provide a layer of security and control over the multicast traffic as it traverses the FortiGate appliance.