FortiGate
sdabhade (Staff)
Article Id 203905
Description

This article describes a workaround for enabling multicast traffic flow between member interfaces within the same zone.

When multicast interfaces are part of the same zone, the following configuration limitations arise:

  1. It is not possible to designate specific zone member interfaces as source or destination interfaces within a multicast policy.
  2. It is not possible to define the same zone as source and destination interface ('srcintf' and 'dstintf' must be different in the multicast policy).
  3. If the entire zone is used instead of specific zone members for 'srcintf' or 'dstintf' in the multicast policy, all other member interfaces not requiring multicast traffic will unnecessarily receive the stream.
Scope

FortiGate v6.0, v6.2, v6.4, and v7.0.

Solution

If a design requires multicast traffic to flow between members of the same zone, the workaround below can be applied.

  • 'port1' and 'port2' need to forward the multicast traffic; 'port3' does not participate in the multicast.
  • Set 'intrazone allow' in the zone.

config system zone
    edit "Multicast-Zone"
        set intrazone allow
        set interface "port1" "port2" "port3"
    next
end

  • Configure the source and destination interface as 'any' and restrict the traffic using the multicast address.

config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port1>
        set dstaddr <Destination-Prefix-for-Port2>
    next
    edit 2
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr <Source-Prefix-for-Port2>
        set dstaddr <Destination-Prefix-for-Port1>
    next
end

Note: It is only possible to add a multicast address object as 'destination' in these policies; there are no restrictions on selecting the source address.
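Because this workaround sets both interfaces to 'any', the only thing keeping the stream away from 'port3' is the address restriction in each policy. The following added Python audit (not from the article or from FortiOS) parses a constructed multicast-policy excerpt and flags any policy that opens both interfaces without narrowing srcaddr and dstaddr; the object names in the sample are assumptions.

```python
import shlex

# Constructed sample (object names such as "Port1-Subnet" are assumptions, not from the
# article): policy 1 follows the article's pattern, policy 2 leaves both addresses open.
SAMPLE_CONFIG = """\
config firewall multicast-policy
    edit 1
        set logtraffic enable
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Port1-Subnet"
        set dstaddr "Group-239.1.1.1"
    next
    edit 2
        set srcintf "any"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""

def parse_multicast_policies(config: str) -> dict:
    """Return {policy_id: {setting: [values]}} for 'config firewall multicast-policy'."""
    policies = {}
    current, inside = None, False
    for raw in config.splitlines():
        line = raw.strip()
        if line == "config firewall multicast-policy":
            inside = True
        elif inside and line == "end":
            break
        elif inside and line.startswith("edit "):
            current = line[5:].strip().strip('"')
            policies[current] = {}
        elif inside and current is not None and line.startswith("set "):
            key, _, rest = line[4:].partition(" ")
            policies[current][key] = shlex.split(rest)  # handles quoted object names
    return policies

def overbroad_policies(policies: dict) -> list:
    """IDs of 'any'/'any' policies whose srcaddr or dstaddr is still 'all' (missing = open)."""
    flagged = []
    for pid, s in policies.items():
        ifaces_any = s.get("srcintf") == ["any"] and s.get("dstintf") == ["any"]
        addr_open = "all" in s.get("srcaddr", ["all"]) or "all" in s.get("dstaddr", ["all"])
        if ifaces_any and addr_open:
            flagged.append(pid)
    return flagged
```

Run it against the output of 'show firewall multicast-policy' to confirm that every policy relying on the workaround actually narrows the multicast destination as the note above requires.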

Useful commands:

PuTTY session 1:

get router info multicast tablecount
get router info multicast table
get router info multicast pim sparsemode table <multicastgroup>
diagnose ip multicast mroute
diagnose ip multicast vif
diagnose ip rtcache list | grep <multicastgroup>
get router info routing all
get router info multicast pim sparsemode interface
get router info multicast pim sparsemode neighbor
get router info multicast pim sparsemode rpmapping
get router info multicast pim sparsemode nexthop

PuTTY session 2:

diagnose sniffer packet any 'host <multicastgroup>' 6 0 a

Press Ctrl+C to stop the capture.