I have a customer who wants us to block or disable IGMP in their FortiGate 60E, which is located on an internal and closed network. I have not worked with Fortinet/FortiGate before, so please be patient.
So I have Googled to find a solution and read up on ways to do this, but have so far not found a clear-cut way to do it. Maybe someone here has already tried this and found a solution?
I have also come up with a few possible ways forward, but the lack of a lab and my inexperience with Fortinet/FortiGate make me a bit hesitant to try it "live".
Below is my preferred alternative:
config firewall multicast-policy
    edit 1
        set status enable
        set logtraffic disable
        set srcintf "all"
        set dstintf "all"
        set srcaddr "all"
        set dstaddr "all"
        set snat disable
        set action deny
        set protocol 2
        set start-port 0
        set end-port 0
        set auto-asic-offload disable
    next
end
But maybe this is a better way to do it?
config router multicast
    set multicast-routing disable
end
Thank you in advance for any assistance. I do appreciate it.
Hello,
By default, IGMP has a TTL of 1, which means it will not be routed by the FortiGate. Moreover, IGMP is not enabled by default on the FortiGate; you have to enable it on each interface that should participate in multicast. For me, there is nothing special to configure on the FortiGate to achieve what is requested.
If you want to prevent the FortiGate from answering requests sent to the FortiGate, then the best is to use local-in-policy. You can follow this example on how to configure local-in policies: https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD48899
Best regards,
Benoit
Hi,
Thank you for your answer.
The thing is that my customer has recently started to have another company collect trace information, and they are the ones who claim that they get IGMP from the network that is below this/my 60E. Their network is not only upstream from this 60E, it is in fact even upstream from yet another FortiGate. So there are actually two FortiGates between "my" network and "their" network. I have also read that FortiGates by default route IGMP, so I am guessing this is regardless of the number of hops.
We have most probably located the host that is the source of the IGMP traffic, but have yet to figure out what on that host is the culprit. If we can figure out what is using IGMP on that host, I am guessing we do not have to block the entire protocol. But until we have figured that out, I would still like to pursue how to block IGMP in FortiGates.
Thank you also for the link. I have seen that page, and maybe it is just my lack of understanding of the FortiGate, but I fail to understand how, using the information on this page, I can block an entire protocol. Maybe you or someone else can be of assistance?
Do you or anyone else have any comments on either of my previously mentioned ways of blocking IGMP?
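To narrow down which application on the suspected host is generating IGMP, it helps to decode the membership reports it sends and see which multicast groups it joins or leaves (for example, an SSDP or mDNS group points at a very different program than a streaming-media group). The decoder below is an added example written for this thread, not code from the original posts or from Fortinet. It parses raw IPv4 packets (such as those captured on the host or with the FortiGate's packet sniffer), validates the IGMP checksum, and handles IGMPv1/v2 messages as well as IGMPv3 reports with multiple group records. All packets it processes are constructed inline; the 192.0.2.x host addresses and the group addresses are made up for the example.

```python
"""Decode IGMP (IP protocol 2) messages from raw IPv4 packets and summarise
which multicast groups each source host refers to.

Added example for this thread; field layouts follow RFC 2236 (IGMPv2) and
RFC 3376 (IGMPv3). All sample packets are constructed below.
"""
import ipaddress
import struct
from typing import Optional

IGMP_PROTO = 2
IGMP_TYPES = {
    0x11: "membership query",
    0x12: "v1 membership report",
    0x16: "v2 membership report",
    0x17: "leave group",
    0x22: "v3 membership report",
}
V3_RECORD_TYPES = {
    1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE",
    3: "CHANGE_TO_INCLUDE", 4: "CHANGE_TO_EXCLUDE",
    5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES",
}


def inet_checksum(data: bytes) -> int:
    """Standard ones'-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode_igmp(packet: bytes) -> Optional[dict]:
    """Return a description of the IGMP message in an IPv4 packet, or None if the
    packet is not IPv4/IGMP. 'groups' is a list of (group address, record type)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4            # IGMP packets usually carry the Router Alert option (IHL 6)
    if ihl < 20 or len(packet) < ihl or packet[9] != IGMP_PROTO:
        return None
    igmp = packet[ihl:]
    if len(igmp) < 8:
        return None
    msg_type = igmp[0]
    result = {
        "src": str(ipaddress.IPv4Address(packet[12:16])),
        "dst": str(ipaddress.IPv4Address(packet[16:20])),
        "type": IGMP_TYPES.get(msg_type, "unknown (0x%02x)" % msg_type),
        "checksum_ok": inet_checksum(igmp) == 0,   # checksum over the whole message sums to zero when valid
        "groups": [],
    }
    if msg_type == 0x22:                    # IGMPv3 report: a list of group records
        (num_records,) = struct.unpack("!H", igmp[6:8])
        offset = 8
        for _ in range(num_records):
            if len(igmp) < offset + 8:
                break                       # truncated record; keep what was parsed
            rec_type, aux_len, num_src = struct.unpack("!BBH", igmp[offset:offset + 4])
            group = str(ipaddress.IPv4Address(igmp[offset + 4:offset + 8]))
            result["groups"].append((group, V3_RECORD_TYPES.get(rec_type, str(rec_type))))
            offset += 8 + 4 * num_src + 4 * aux_len
    else:                                   # v1/v2: one group address at offset 4
        result["groups"].append((str(ipaddress.IPv4Address(igmp[4:8])), result["type"]))
    return result


def groups_by_host(packets) -> dict:
    """Map each source host to the sorted set of groups it mentioned in valid IGMP messages."""
    seen = {}
    for pkt in packets:
        msg = decode_igmp(pkt)
        if msg and msg["checksum_ok"]:
            seen.setdefault(msg["src"], set()).update(g for g, _ in msg["groups"])
    return {host: sorted(groups) for host, groups in seen.items()}


# --- constructed sample packets (not captured traffic) -------------------------

def build_ipv4(src: str, dst: str, payload: bytes, proto: int = IGMP_PROTO) -> bytes:
    """Build an IPv4 header with TTL 1 and the Router Alert option, as IGMP senders do."""
    options = b"\x94\x04\x00\x00"
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0xC0, ihl * 4 + len(payload),
                         0, 0x4000, 1, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + options
    header = header[:10] + struct.pack("!H", inet_checksum(header)) + header[12:]
    return header + payload


def build_igmp_v2(src: str, msg_type: int, group: str) -> bytes:
    body = struct.pack("!BBH4s", msg_type, 0, 0, ipaddress.IPv4Address(group).packed)
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(src, group, body)


def build_igmp_v3_report(src: str, records) -> bytes:
    """records: list of (record type, group address, [source addresses])."""
    recs = b""
    for rec_type, group, sources in records:
        recs += struct.pack("!BBH4s", rec_type, 0, len(sources), ipaddress.IPv4Address(group).packed)
        recs += b"".join(ipaddress.IPv4Address(s).packed for s in sources)
    body = struct.pack("!BBHHH", 0x22, 0, 0, 0, len(records)) + recs
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    return build_ipv4(src, "224.0.0.22", body)   # v3 reports go to the all-IGMPv3-routers group


V2_REPORT = build_igmp_v2("192.0.2.10", 0x16, "239.255.255.250")
V3_REPORT = build_igmp_v3_report("192.0.2.10", [(4, "224.0.0.251", []),
                                                (5, "232.1.1.1", ["198.51.100.5"])])
LEAVE = build_igmp_v2("192.0.2.12", 0x17, "239.255.255.250")
UDP_PACKET = build_ipv4("192.0.2.11", "192.0.2.1", b"\x00" * 8, proto=17)
CORRUPTED = V2_REPORT[:-1] + bytes([V2_REPORT[-1] ^ 1])   # last bit of the group address flipped
SAMPLE_PACKETS = [V2_REPORT, V3_REPORT, LEAVE, UDP_PACKET, CORRUPTED]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(decode_igmp(pkt))
    print(groups_by_host(SAMPLE_PACKETS))
```

Packets with a bad IGMP checksum are decoded but excluded from the per-host summary, so a damaged capture does not point at a group the host never joined. To feed real traffic in, replace SAMPLE_PACKETS with the IPv4 payloads from a capture on the suspected host.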
Hello,
Create IGMP "service":
config firewall service custom
    edit "IGMP"
        set protocol IP
        set comment "IGMP"
        set protocol-number 2
    next
end
and then the local policy:
config firewall local-in-policy
    edit 0
        set intf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
        set action deny
    next
end
Hope this helps
Benoit