Fortinet Forum
mrasker42

Block or Disable IGMP

I have a customer who wants us to block or disable IGMP in their FortiGate 60E, which is located on an internal and closed network. I have not worked with Fortinet/FortiGate before, so please be patient.

So I have Googled to find a solution and read up on ways to do this, but have so far not found a clear-cut way to do it. Maybe someone here has already tried this and found a solution?

I have also come up with a few possible ways forward, but the lack of a lab and my inexperience with Fortinet/FortiGate make me a bit hesitant to try it "live".

Below is my preferred alternative:

config firewall multicast-policy
    # "edit" requires a policy ID; 1 creates the first multicast policy
    edit 1
        set status enable
        set logtraffic disable
        set srcintf "all"
        set dstintf "all"
        set srcaddr "all"
        set dstaddr "all"
        set snat disable
        set action deny
        # IGMP is IP protocol 2; ports do not apply, so both are left at 0
        set protocol 2
        set start-port 0
        set end-port 0
        set auto-asic-offload disable
    next
end

But maybe this is a better way to do it?

config router multicast
    # the keyword "set" was missing; without it the CLI rejects the line
    set multicast-routing disable
end

Thank you in advance for any assistance. I do appreciate it

3 REPLIES
Benoit_Rech_FTNT

Hello,

By default, IGMP has a TTL of 1, which means it will not be routed by the FortiGate. Moreover, IGMP is not enabled by default on the FortiGate; you have to enable it on each interface that should participate in multicast. For me, there is nothing special to configure on the FortiGate to achieve what is requested.

If you want to prevent the FortiGate from answering requests sent to the FortiGate itself, then the best is to use a local-in policy. You can follow this example about how to configure local-in policies: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD48899

Best regards,
Benoit

mrasker42

Hi,

Thank you for your answer. 

The thing is that my customer has recently started to have another company collect trace information, and they are the ones who claim that they get IGMP from the network that is below this/my 60E. Their network is not only upstream from this 60E, it is in fact even upstream from yet another FortiGate. So there are actually two FortiGates between "my" network and "their" network. I have also read that FortiGates by default route IGMP, so I am guessing this is regardless of the number of hops.

We have most probably located the host that is the source of the IGMP traffic, but have yet to figure out what on that host is the culprit. If we can figure out what is using IGMP on that host, I'm guessing we do not have to block the entire protocol. But until we have figured that out, I would still like to pursue how to block IGMP in FortiGates.

Thank you also for the link. I have seen that page, and maybe it is just my lack of understanding of the FortiGate, but I fail to understand how I, using the information on this page, can block an entire protocol. Maybe you or someone else can be of assistance?

Do you or anyone else have any comments on either of my previously mentioned ways of blocking IGMP?

Benoit_Rech_FTNT

Hello,

Create IGMP "service":

config firewall service custom
    edit "IGMP"
        # a custom service matched on IP protocol number rather than TCP/UDP ports
        set protocol IP
        set comment "IGMP"
        # IGMP is IP protocol 2
        set protocol-number 2
    next
end

and then the local policy

config firewall local-in-policy
    # "edit 0" lets FortiOS assign the next free policy ID
    edit 0
        # the interface on which IGMP arrives at the FortiGate; replace "dmz" as needed
        set intf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
        # deny is the default action for local-in policies; stated explicitly for clarity
        set action deny
    next
end

Hope this helps

Benoit
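As an added example (not part of the original thread and not Fortinet's own documentation), here is the complete sequence on one FortiGate put together in the order you would type it: define IGMP (IP protocol 2) as a custom service, deny it in a local-in policy on the interface that faces the suspected host, then confirm with the built-in sniffer whether any IGMP is still arriving. The interface name "internal" is an assumption; substitute the interface the host actually sits behind.

```fortios
# Added example, not from the original thread. Assumes the host that emits
# IGMP sits behind the interface named "internal"; adjust to your topology.

# 1. IGMP is IP protocol 2. Define it once as a custom service so policies
#    can reference it by name.
config firewall service custom
    edit "IGMP"
        set protocol IP
        set protocol-number 2
        set comment "IGMP (IP protocol 2)"
    next
end

# 2. Local-in policies match traffic addressed to the FortiGate itself, which
#    is where IGMP queries and reports aimed at the unit would be processed.
#    "edit 0" lets FortiOS pick the next free policy ID.
config firewall local-in-policy
    edit 0
        set intf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
        set action deny
    next
end

# 3. Verify the policy exists, then watch for IGMP still reaching the unit.
#    Verbosity level 4 prints the ingress interface with each packet;
#    stop the capture with Ctrl-C.
show firewall local-in-policy
diagnose sniffer packet any 'proto 2' 4
```

Two things worth keeping in mind when reading the sniffer output: it captures packets at ingress, so IGMP from the host will still show up on "internal" even while the local-in policy is dropping it, which is expected; and a local-in policy only governs traffic destined to the FortiGate, so anything that transits between two interfaces is decided by the regular firewall policies (and, for multicast, the multicast policies from the first post), not by this rule.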