Hello, I have a problem with multicast packet forwarding on a Fortigate 60E v6.0.10 in NAT mode. On the WAN interface I see multicast, broadcast and ARP packets forwarded from the LAN interface (internal1). I changed the multicast settings under "config system setting" to "set multicast-forward disable", but it changed nothing. Broadcast and NetBIOS forwarding on the LAN interface are also disabled. Even when I create multicast policies to drop any broadcast traffic, there are still unwanted packets on the WAN interface. Is this some kind of bug, or are there other settings or policies to prevent that forwarding?
With reference to the packet captures, I see Fortigate interfaces are receiving NBNS queries from multiple downstream devices such as IntelCor_d2:df:16 (SMAC: 80:00:0b:d2:df:16) on the WAN2 interface, G-ProCom_49:ed:a1 (SMAC: 00:23:24:49:ed:a1) on the internal1 interface, etc., and they are getting dropped.
Basically, the NetBIOS Name Service (NBNS) is a component of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite, which enables legacy computer programs that utilize the NetBIOS Application Programming Interface (API) to run on TCP/IP networks.
You may even use the following custom IPS signature to block NBNS traffic of type NBSTAT:
This signature would trigger if this type of NetBIOS packet is identified 5 times within a 20-second time frame. You can adjust the threshold as necessary. (Note that this signature might cause false positives.)
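To make the answer's rate-limited NBSTAT detection concrete, here is an added example (my own code, not from the thread or from Fortinet's IPS engine) that parses NBNS query payloads (UDP/137), recognises the NBSTAT (node status, QTYPE 0x21) query type, and raises an alert once one source has sent 5 of them within a 20-second window. The sample packets, timestamps and source addresses (RFC 5737 documentation ranges) are constructed inline; the custom signature syntax itself is not reproduced here.

```python
"""Parse NBNS (UDP/137) queries and flag NBSTAT bursts per source.

Added example, not code from the forum thread or from Fortinet.  The
threshold (5 packets in 20 s) mirrors the one the answer describes for
its custom IPS signature; sample packets below are constructed.
"""
import struct
from collections import defaultdict, deque

NBSTAT = 0x21   # NBNS "node status" query type (what the signature targets)
NB = 0x20       # ordinary NetBIOS name query type


def encode_nb_name(name: str, pad: bytes = b" ") -> bytes:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1): pad to 16
    bytes, split each byte into two nibbles and add 'A' (0x41) to each."""
    raw = name.encode("ascii").ljust(16, pad)
    enc = bytearray()
    for b in raw:
        enc += bytes([(b >> 4) + 0x41, (b & 0x0F) + 0x41])
    return bytes([32]) + bytes(enc) + b"\x00"   # label length, label, terminator


def decode_nb_name(buf: bytes, off: int):
    """Reverse of encode_nb_name; returns (16 raw bytes, offset after name)."""
    length = buf[off]
    if length != 32 or len(buf) < off + 34 or buf[off + 33] != 0:
        raise ValueError("unsupported NetBIOS name label")
    enc = buf[off + 1:off + 33]
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw, off + 34


def parse_nbns_query(payload: bytes) -> dict:
    """Parse a single-question NBNS query; raises ValueError on anything else."""
    if len(payload) < 12:
        raise ValueError("short NBNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000:
        raise ValueError("response, not a query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    raw, off = decode_nb_name(payload, 12)
    if len(payload) < off + 4:
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
    # Byte 16 of the raw name is the NetBIOS suffix; the rest is the name.
    name = raw[:15].rstrip(b"\x00 ").decode("ascii", "replace")
    return {"txid": txid, "name": name, "suffix": raw[15],
            "qtype": qtype, "qclass": qclass}


class NbstatBurstDetector:
    """Sliding-window counter: alert when one source sends `threshold`
    NBSTAT queries within `window` seconds (5 in 20 s, as in the answer)."""

    def __init__(self, threshold: int = 5, window: float = 20.0):
        self.threshold, self.window = threshold, window
        self.seen = defaultdict(deque)   # src -> timestamps of NBSTAT queries

    def observe(self, src: str, ts: float, payload: bytes) -> bool:
        try:
            q = parse_nbns_query(payload)
        except (ValueError, IndexError):
            return False                 # malformed or not a query: ignore
        if q["qtype"] != NBSTAT:
            return False                 # ordinary name queries do not count
        stamps = self.seen[src]
        stamps.append(ts)
        while stamps and ts - stamps[0] > self.window:
            stamps.popleft()
        return len(stamps) >= self.threshold


def build_query(txid: int, name: str, qtype: int, pad: bytes) -> bytes:
    """Construct an NBNS query payload (header + one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_nb_name(name, pad) + struct.pack("!HH", qtype, 1)


def run_demo():
    """Constructed traffic: 192.0.2.10 sends six NBSTAT '*' queries two
    seconds apart; 192.0.2.20 sends six ordinary name queries. Returns the
    (src, timestamp) pairs that crossed the threshold."""
    det = NbstatBurstDetector()
    alerts = []
    for i in range(6):
        ts = 100.0 + 2 * i
        if det.observe("192.0.2.10", ts, build_query(0x1000 + i, "*", NBSTAT, b"\x00")):
            alerts.append(("192.0.2.10", ts))
        det.observe("192.0.2.20", ts, build_query(0x2000 + i, "FILESRV", NB, b" "))
    return alerts


if __name__ == "__main__":
    for src, ts in run_demo():
        print(f"NBSTAT burst from {src} at t={ts}")
```

The NBSTAT query uses the wildcard name "*" padded with NUL bytes, which is why it is easy to match; ordinary name queries pad with spaces and carry QTYPE 0x20. The same false-positive caveat the answer gives applies here: hosts running legitimate NetBIOS inventory tools will also cross the threshold.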