sdabhade
Staff
Article Id 203905
Description

This article describes a workaround that allows multicast traffic to flow between member interfaces of the same zone.

When the multicast interfaces are members of the same zone, there are two limitations on the configuration:

1) Zone member interfaces cannot be selected as srcintf and dstintf in a multicast policy.

2) If the zone itself is used as srcintf and dstintf in the multicast policy instead of the zone members, all the other members that are not interested in the multicast traffic will also receive the stream unnecessarily.

Scope

FortiGate v6.0,  v6.2, v6.4, v7.0

Solution

If the design requires multicast traffic to flow between members of the same zone, the following workaround can be applied.

- 'port1' and 'port2' need to forward the multicast traffic; 'port3' does not participate in multicast.

- Set 'intrazone allow' in the zone.

config system zone
    edit "Multicast-Zone"
        set intrazone allow
        set interface "port1" "port2" "port3"
    next
end

 

- Configure the source and destination interface as 'any' and restrict the traffic using the source and multicast destination addresses.

config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port1>
        set dstaddr <Destination-Prefix-for-Port2>
    next
    edit 2
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port2>
        set dstaddr <Destination-Prefix-for-Port1>
    next
end


Note:

Only a multicast address object can be added as the destination in these policies; there is no such restriction on selecting the source address.
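The following Python script is an added example, not part of this article or of FortiOS: it generates the zone and the per-pair multicast policies described above for any set of participating interfaces, emitting srcintf/dstintf 'any' and restricting each policy by the sender's source address object and the receiver's group address object, and it refuses a destination prefix that is not a multicast address. The interface names, address object names and group prefixes are constructed sample values.

```python
import ipaddress
from itertools import permutations

# Constructed sample: the two zone members that exchange multicast, each with
# the address object covering its senders and the group object its receivers join.
# 'port3' is deliberately absent, so no policy is emitted for it.
PARTICIPANTS = {
    "port1": ("LAN1-src", "GRP-port1", "239.1.1.0/24"),
    "port2": ("LAN2-src", "GRP-port2", "239.2.2.0/24"),
}


def check_multicast_prefix(prefix):
    """Reject a dstaddr prefix outside the multicast range: the destination
    of a multicast policy must be a multicast address object."""
    net = ipaddress.ip_network(prefix, strict=False)
    if not net.is_multicast:
        raise ValueError(f"{prefix} is not a multicast destination prefix")
    return net


def render_zone(zone, members):
    """Zone with intrazone allow; non-multicast members (port3) stay in it."""
    ifaces = " ".join(f'"{m}"' for m in members)
    return ["config system zone", f'    edit "{zone}"',
            "        set intrazone allow", f"        set interface {ifaces}",
            "    next", "end"]


def render_multicast_policies(participants):
    """One policy per ordered pair of participants: srcintf/dstintf 'any',
    restricted by the sender's source object and the receiver's group object."""
    lines = ["config firewall multicast-policy"]
    for pid, (src, dst) in enumerate(permutations(sorted(participants), 2), 1):
        src_obj = participants[src][0]
        grp_obj, grp_prefix = participants[dst][1:]
        check_multicast_prefix(grp_prefix)
        lines += [f"    edit {pid}", "        set logtraffic enable",
                  '        set srcintf "any"', '        set dstintf "any"',
                  f'        set srcaddr "{src_obj}"',
                  f'        set dstaddr "{grp_obj}"', "    next"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    print("\n".join(render_zone("Multicast-Zone", ["port1", "port2", "port3"])))
    print("\n".join(render_multicast_policies(PARTICIPANTS)))
```

Adding a third participant to PARTICIPANTS yields six policies (one per ordered pair), while interfaces listed only in the zone never receive a policy.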
