Fortinet Forum
PeterCMU
New Contributor II

Multicast forwards to wan interface

Hello,
I have a problem with multicast packet forwarding on a FortiGate 60E v6.0.10 in NAT mode. On the WAN interface I see multicast, broadcast and ARP packets forwarded from the LAN interface (internal1). I changed the multicast setting under "config system setting" to "set multicast-forward disable", but it changed nothing. Broadcast and NetBIOS forwarding on the LAN interface are also disabled. Even when I create multicast policies to drop any broadcast traffic, there are still unwanted packets on the WAN interface. Is this some kind of bug, or are there other settings or policies to prevent that forwarding?

akileshc
Staff

Hello,
It is preferable to understand the traffic flow before implementing any policy to block it; you can upload a packet flow sample and, if possible, sniffer logs.

# di sniffer packet any "host x.x.x.x" 6 0 l 
Replace x.x.x.x with the IP address of the Multicast Group.

PeterCMU
New Contributor II

Current settings:

multicast-forward disable

all multicast policies disabled

Traffic flow below (filter: addr 192.168.15.255 - broadcast on internal1 interface)

Sniffer result below (di sniffer packet any "host 192.168.15.255" 6 100 l)

akileshc

Hi Peter,

With reference to the packet captures, I see FortiGate interfaces are receiving NBNS queries from multiple downstream devices,
such as IntelCor_d2:df:16 (SMAC:80:00:0b:d2:df:16) on the WAN2 interface, G-ProCom_49:ed:a1 (SMAC:00:23:24:49:ed:a1) on the internal1 interface, etc., and it's getting dropped.

Basically, the NetBIOS Name Service (NBNS) is a component of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite,
which enables legacy computer programs that utilize the NetBIOS Application Programming Interface (API) to run on TCP/IP networks.

You may even use the following custom IPS signature to block NBNS traffic of type NBSTAT:

F-SBID( --name "NetBIOS.Name.Service.NBSTAT.Scan.Custom"; --protocol udp; --flow from_client; --dst_port 137; --data_size =50; --pattern "|00 10 00 01|"; --context packet; --distance 2,context; --within 4,context; --pattern "|20434b4141414141|"; --context packet; --distance 6; --within 8; --rate 5,20; --track src_ip;)
The "--rate 5,20" option: this signature would trigger if this type of NetBIOS packet is identified 5 times within a 20-second time frame.
You can adjust the threshold as necessary. (Note that this signature might cause false positives.)
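As an added illustration (not code from this thread or from Fortinet), here is a Python model of what that custom signature matches: the static byte checks it encodes (dst port 137, 50-byte payload, flags/QDCOUNT bytes at offset 2, the encoded wildcard name at offset 12) and the "--rate 5,20 --track src_ip" threshold as a per-source sliding window. The NBSTAT sample packet is constructed inline, and the offsets follow my reading of the --distance/--within options, so treat them as assumptions.

```python
from collections import defaultdict, deque

NBNS_PORT = 137
# --pattern "|00 10 00 01|" --distance 2: flags 0x0010, QDCOUNT 1, at payload offset 2
FLAGS_QDCOUNT = bytes.fromhex("00100001")
# --pattern "|20434b4141414141|": length byte 0x20 then start of the encoded "*" name, offset 12
NAME_PREFIX = bytes.fromhex("20434b4141414141")

def nbns_first_level_encode(name: str) -> bytes:
    """NetBIOS first-level encoding: pad to 16 bytes, then emit each nibble
    as 'A' + nibble. The wildcard "*" (0x2A) becomes "CK" + 30 x "A"."""
    raw = name.encode("ascii").ljust(16, b"\x00")
    return bytes(0x41 + n for b in raw for n in (b >> 4, b & 0x0F))

def build_nbstat_query(txid: int = 0x1234) -> bytes:
    """Constructed sample input: a wildcard NBSTAT query (QTYPE 0x0021), 50 bytes."""
    header = txid.to_bytes(2, "big") + FLAGS_QDCOUNT + b"\x00" * 6  # AN/NS/AR counts = 0
    question = b"\x20" + nbns_first_level_encode("*") + b"\x00\x00\x21\x00\x01"
    return header + question

def matches_signature(dst_port: int, payload: bytes) -> bool:
    """Static part of the signature: dst port 137, data_size 50, both byte patterns."""
    return (dst_port == NBNS_PORT and len(payload) == 50
            and payload[2:6] == FLAGS_QDCOUNT and payload[12:20] == NAME_PREFIX)

class RateTracker:
    """--rate 5,20 --track src_ip: true once a source has produced `count`
    matching packets inside a sliding window of `seconds`."""

    def __init__(self, count: int = 5, seconds: float = 20.0) -> None:
        self.count, self.seconds = count, seconds
        self.seen = defaultdict(deque)  # src_ip -> timestamps of recent matches

    def observe(self, src_ip: str, ts: float) -> bool:
        window = self.seen[src_ip]
        window.append(ts)
        while ts - window[0] > self.seconds:  # drop matches older than the window
            window.popleft()
        return len(window) >= self.count

def scan(packets, count: int = 5, seconds: float = 20.0):
    """packets: iterable of (ts, src_ip, dst_port, payload) tuples in time order.
    Returns the (ts, src_ip) points at which the rate threshold is reached."""
    tracker = RateTracker(count, seconds)
    alerts = []
    for ts, src, dport, payload in packets:
        if matches_signature(dport, payload) and tracker.observe(src, ts):
            alerts.append((ts, src))
    return alerts
```

Feed it tuples pulled from a sniffer capture to see which sources would have crossed the threshold before enabling the signature in blocking mode.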

PeterCMU
New Contributor II

Thank you, I will try this.

PeterCMU
New Contributor II

Problem solved. My switch VLAN configuration had reset to defaults, and after reconfiguration it works properly. Thanks.