FortiGate
vponmuniraj
Staff
Article Id 218022

Description

This article describes how to configure multicast Destination NAT (DNAT) when performing multicast traffic forwarding on the FortiGate.
Scope

FortiGate, Multicast.

Solution

Consider the following example topology, where an administrator needs to translate the original destination multicast group sent out by the Speaker (234.5.6.7) to a different multicast address before it is sent to the Receiver (234.5.6.8).


[Figure: Multicast DNAT Topology (Speaker -> FortiGate port6/port10 -> Receiver)]


To do this, a multicast policy must be created that allows this direction of traffic (port6 -> port10 for destination address 234.5.6.7), and DNAT must be enabled within that multicast forwarding policy.

DNAT functionality must be configured via the CLI, and the DNAT address must be set directly in the multicast policy (as opposed to creating a Virtual IP object and assigning it to the policy). The following example demonstrates how to configure DNAT to meet the administrator's requirements described above:

config firewall multicast-policy
    edit 1
        set name 'MCAST_Policy'
        set srcintf 'port6'
        set dstintf 'port10'
        set srcaddr 'all'
        set dstaddr 'net_234.5.6.7/32'    <--- Address object that includes 234.5.6.7. Alternatively, use the 'all' object here.
        set dnat 234.5.6.8                <--- Translated destination multicast address
    next
end

The following is example debug output after the above DNAT multicast policy was configured:

diagnose sys mcast-session list

session info: id=59946 vf=0 proto=17 10.141.0.10.8910->234.5.6.7.8910  <--- Original source & multicast group
used=2 path=1 duration=302 expire=179 indev=8 pkts=536 bytes=32160
state=00000000:
path: dnat ndaddr=234.5.6.8 policy=1, outdev=12 <--- Translated group
Total 1 sessions

 

diagnose sniffer packet any 'port 8910' 4 2 l
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8910]
2022-07-20 20:31:41.309628 port6 in 10.141.0.10.8910 -> 234.5.6.7.8910: udp 32
2022-07-20 20:31:41.309677 port10 out 10.141.0.10.8910 -> 234.5.6.8.8910: udp 32  <--- Translated group IP sent out
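When validating a change like this, it is useful to confirm from both outputs that the policy translated the group as intended: the mcast-session entry should show `dnat ndaddr=` equal to the configured `set dnat` value, and no packet for the original group should leave the egress interface. The following Python script is an added example (not part of this article or of any FortiGate tooling) that parses constructed copies of the two outputs above and checks them against the policy values; the function names, the dataclasses and the sample text are assumptions for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the article's `diagnose sys mcast-session list` output
# (the inline "<---" annotations are omitted, as they are not emitted by the FortiGate).
MCAST_SESSION_OUTPUT = """\
session info: id=59946 vf=0 proto=17 10.141.0.10.8910->234.5.6.7.8910
used=2 path=1 duration=302 expire=179 indev=8 pkts=536 bytes=32160
state=00000000:
path: dnat ndaddr=234.5.6.8 policy=1, outdev=12
Total 1 sessions
"""

# Constructed sample, modelled on the article's `diagnose sniffer packet any 'port 8910' 4 2 l` output.
SNIFFER_OUTPUT = """\
Using Original Sniffing Mode
interfaces=[any]
filters=[port 8910]
2022-07-20 20:31:41.309628 port6 in 10.141.0.10.8910 -> 234.5.6.7.8910: udp 32
2022-07-20 20:31:41.309677 port10 out 10.141.0.10.8910 -> 234.5.6.8.8910: udp 32
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "session info: id=<id> ... <src>.<sport>-><group>.<dport>"
SESSION_RE = re.compile(rf"^session info: id=(\d+) .*?{IPV4}\.(\d+)->{IPV4}\.(\d+)")
# "path: dnat ndaddr=<translated group> policy=<policy id>, outdev=<n>"
PATH_RE = re.compile(rf"^path: dnat ndaddr={IPV4} policy=(\d+)")
# "<date> <time> <iface> <in|out> <src>.<sport> -> <dst>.<dport>: <proto> <len>"
SNIFF_RE = re.compile(rf"^\S+ \S+ (\S+) (in|out) {IPV4}\.(\d+) -> {IPV4}\.(\d+): (\w+) (\d+)")


@dataclass
class McastSession:
    session_id: int
    src: str
    orig_group: str
    dnat_group: Optional[str] = None  # filled in from the following "path: dnat" line
    policy_id: Optional[int] = None


@dataclass
class SniffedPacket:
    iface: str
    direction: str
    src: str
    dst: str
    proto: str


def parse_mcast_sessions(text: str) -> List[McastSession]:
    """Parse mcast-session output into one record per session, attaching its dnat path line."""
    sessions: List[McastSession] = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append(McastSession(int(m.group(1)), m.group(2), m.group(4)))
            continue
        m = PATH_RE.match(line)
        if m and sessions:  # the path line belongs to the most recent session header
            sessions[-1].dnat_group = m.group(1)
            sessions[-1].policy_id = int(m.group(2))
    return sessions


def parse_sniffer(text: str) -> List[SniffedPacket]:
    """Parse sniffer packet lines; header lines that do not match are skipped."""
    packets: List[SniffedPacket] = []
    for line in text.splitlines():
        m = SNIFF_RE.match(line)
        if m:
            packets.append(SniffedPacket(m.group(1), m.group(2), m.group(3), m.group(5), m.group(7)))
    return packets


def verify_dnat(orig_group: str, dnat_group: str, out_iface: str,
                sessions: List[McastSession], packets: List[SniffedPacket]) -> List[str]:
    """Return a list of findings; an empty list means the translation looks correct."""
    findings: List[str] = []
    # The dnat target must itself be a multicast group (224.0.0.0/4) to reach the receivers.
    if not ipaddress.ip_address(dnat_group).is_multicast:
        findings.append(f"dnat target {dnat_group} is not a multicast address")
    matched = [s for s in sessions if s.orig_group == orig_group]
    if not matched:
        findings.append(f"no forwarding session seen for group {orig_group}")
    for s in matched:
        if s.dnat_group != dnat_group:
            findings.append(f"session {s.session_id}: expected dnat to {dnat_group}, saw {s.dnat_group}")
    # Any packet for the untranslated group leaving the egress interface means DNAT did not apply.
    for p in packets:
        if p.direction == "out" and p.iface == out_iface and p.dst == orig_group:
            findings.append(f"untranslated group {orig_group} egressed on {out_iface}")
    return findings


if __name__ == "__main__":
    found = verify_dnat("234.5.6.7", "234.5.6.8", "port10",
                        parse_mcast_sessions(MCAST_SESSION_OUTPUT), parse_sniffer(SNIFFER_OUTPUT))
    print("OK: DNAT verified" if not found else "\n".join(found))
```

In practice the two outputs would be pasted from the FortiGate CLI (or collected over SSH) into the two string constants; the check is intentionally strict about the egress interface so that a policy with the wrong `dstintf` is reported rather than silently passed.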
Note regarding Multicast Source NAT (SNAT):

SNAT is also supported and is likewise configured in multicast policies; unlike DNAT, it can be configured in either the CLI or the GUI. See also: Configuring multicast policies

config firewall multicast-policy
    edit <id>
        set snat [enable | disable]    <----- Available in the GUI via the 'Enable SNAT' toggle.
        set snat-ip <ip_address>       <----- CLI only. Allows the admin to specify the SNAT address rather than using the outgoing interface IP.
    next
end