sw2090
Honored Contributor

Intra-Zone Multicasting

I ran into an issue here:


I have a zone with several members.

Now I need multicast forwarding for airprint between two members of that zone.

intra-zone-traffic is blocked (per default) which is wanted that way.

So any traffic has to be explicitly allowed by a policy.


Now I cannot create a multicast policy for that because of the zone. In a multicast policy only the zone is available, not its members.

So even multicast policies from interfaces that are not a member of the zone can only have the zone as source or destination interface. I consider this a security risk.


Does anyone have a tip on how one can do intra-zone multicast forwarding then?

I have additionally opened a ticket with TAC on this too.


-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

seshuganesh
Staff

Hi Team,


You can check this article to enable multicast forwarding and to prevent changing the multicast TTL value:

https://docs.fortinet.com/document/fortigate/7.2.0/administration-guide/968606/configuring-multicast...
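For readers unfamiliar with the objects this thread is about, here is an added FortiOS CLI illustration (not taken from the thread, the linked article or Fortinet's own examples; the VDOM settings, zone name, member interfaces and policy ID are assumed). It shows the multicast forwarding settings the linked article enables, a zone whose intra-zone traffic is denied, and a multicast policy that can only name the zone, never its member interfaces, as source and destination interface, which is exactly the limitation the original post describes:

```fortios
# Assumed example configuration, not the forum poster's or Fortinet's own.

# Per-VDOM settings from the linked article: forward multicast between
# interfaces and leave the TTL untouched on forwarded packets.
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

# Zone with two assumed member interfaces. Intra-zone traffic stays denied,
# so any traffic between port2 and port3 needs an explicit policy.
config system zone
    edit "LAN_ZONE"
        set intrazone deny
        set interface "port2" "port3"
    next
end

# Multicast policy. Only the zone can be selected here; the member
# interfaces port2 and port3 are not offered, so a policy for traffic
# between two members of the same zone cannot be expressed.
config firewall multicast-policy
    edit 1
        set srcintf "LAN_ZONE"
        set dstintf "LAN_ZONE"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
    next
end
```

As the replies below note, the policy in the last block is accepted by the CLI but does not deliver the intra-zone forwarding the poster needs, because source and destination resolve to the same zone object rather than to distinct member interfaces.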


sw2090
Honored Contributor

Yeah, that describes the way one usually achieves that :)

But that does not work for zone members. It would only work for the zone itself.

Plus, it does not work intra-zone because of identical source and destination iface, since one can only select the zone.

It's a fail-by-design here and also creates security risks...



sw2090
Honored Contributor

TAC have confirmed that indeed both FortiManager and FortiGate do lack this feature.

They told us to open an NFR on that, probably.

