Multicast forwards to WAN interface
Hello,
I have a problem with multicast packet forwarding on a FortiGate 60E v6.0.10 in NAT mode. On the WAN interface I see multicast, broadcast and ARP packets forwarded from the LAN interface (internal1). I changed the multicast settings under "config system setting" to "set multicast-forward disable", but it changed nothing. Broadcast and NetBIOS forwarding on the LAN interface are also disabled. Even when I create multicast policies to drop any broadcast traffic, there are still unwanted packets on the WAN interface. Is this some kind of bug, or are there other settings or policies to prevent that forwarding?
Labels: FortiGate
Hello,
It is preferable to understand the traffic flow before implementing any policy to block it; you can upload a packet flow sample and, if possible, sniffer logs.
# di sniffer packet any "host x.x.x.x" 6 0 l
Replace x.x.x.x with the IP address of the Multicast Group.
Current settings:
multicast-forward disable
all multicast policies disabled
Traffic flow below (filter: addr 192.168.15.255 - broadcast on internal1 interface)
Sniffer result below (di sniffer packet any "host 192.168.15.255" 6 100 l)
Hi Peter,
With reference to the packet captures, I see the FortiGate interfaces are receiving NBNS queries from multiple downstream devices,
such as IntelCor_d2:df:16 (SMAC 80:00:0b:d2:df:16) on the WAN2 interface and G-ProCom_49:ed:a1 (SMAC 00:23:24:49:ed:a1) on the internal1 interface, etc., and they are getting dropped.
Basically, the NetBIOS Name Service (NBNS) is a component of the NetBIOS-over-TCP/IP (NBT/NetBT) protocol suite,
which enables legacy computer programs that utilize the NetBIOS Application Programming Interface (API) to run on TCP/IP networks.
You may even use the following custom IPS signature to block NBNS traffic of type NBSTAT:
F-SBID( --name "NetBIOS.Name.Service.NBSTAT.Scan.Custom"; --protocol udp; --flow from_client; --dst_port 137; --data_size =50; --pattern "|00 10 00 01|"; --context packet; --distance 2,context; --within 4,context; --pattern "|20434b4141414141|"; --context packet; --distance 6; --within 8; --rate 5,20; --track src_ip;)
The "--rate 5,20" option means this signature would trigger if this type of NetBIOS packet is identified 5 times within a 20-second time frame; you can adjust the threshold as necessary. (Note that this signature might cause false positives.)
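To make the custom signature above concrete, here is an added example (not part of the thread and not Fortinet code) that decodes NBNS (UDP/137) queries and re-implements the signature's checks in Python over constructed packets. The static patterns map onto the NBNS layout as follows: bytes 2..5 (`--distance 2,context`, `--within 4,context`) are the flags word 0x0010 (broadcast bit set, no response bit) followed by QDCOUNT = 1; bytes 12..19 (six bytes past the end of the first match) are the 0x20 name-length byte followed by "CKAAAAA", which is the first-level encoding of the wildcard name "*" padded with NULs, i.e. the query `nbtstat -A` sends; and a one-question packet with a 32-byte encoded name, a 2-byte QTYPE and a 2-byte QCLASS is exactly 50 bytes (`--data_size =50`). The `RateTracker` class is this example's own approximation of `--rate 5,20 --track src_ip` (alert when the Nth match from one source falls within S seconds of the earliest match still in the window); FortiOS's exact rate-counting semantics are not documented on this page. Source IPs, timestamps and packet contents are constructed.

```python
"""Decode NetBIOS Name Service (UDP/137) queries and apply the NBSTAT-scan
rule from the custom IPS signature. Sample packets below are constructed."""
import struct
from collections import defaultdict, deque

QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}
WILDCARD_NAME = b"*" + b"\x00" * 15      # raw 16-byte name used by nbtstat -A
FLAG_RESPONSE = 0x8000                   # QR bit: set on responses
FLAG_BROADCAST = 0x0010                  # B bit: broadcast/multicast query


def encode_nbns_name(raw16: bytes) -> bytes:
    """First-level encoding: every raw byte becomes two letters 'A'..'P'
    (high nibble first), so 16 raw bytes -> 32 encoded bytes."""
    if len(raw16) != 16:
        raise ValueError("raw NetBIOS name must be 16 bytes (15 chars + suffix)")
    return bytes(c for b in raw16 for c in (65 + (b >> 4), 65 + (b & 0x0F)))


def decode_nbns_name(encoded: bytes) -> bytes:
    """Inverse of encode_nbns_name; rejects anything outside 'A'..'P'."""
    if len(encoded) != 32 or any(not 65 <= c <= 80 for c in encoded):
        raise ValueError("not a valid first-level encoded NetBIOS name")
    return bytes(((encoded[i] - 65) << 4) | (encoded[i + 1] - 65)
                 for i in range(0, 32, 2))


def build_nbns_query(txid: int, raw_name16: bytes, qtype: int,
                     flags: int = FLAG_BROADCAST) -> bytes:
    """Single-question NBNS query: 12-byte header + 38-byte question = 50 bytes."""
    header = struct.pack("!6H", txid, flags, 1, 0, 0, 0)   # QD=1, AN=NS=AR=0
    question = (bytes([32]) + encode_nbns_name(raw_name16) + b"\x00"
                + struct.pack("!HH", qtype, 1))             # QCLASS IN
    return header + question


def parse_nbns_query(payload: bytes):
    """Describe a single-question NBNS query; None for responses, multi-question
    packets or malformed names."""
    if len(payload) < 50:
        return None
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if flags & FLAG_RESPONSE or qdcount != 1 or payload[12] != 32 or payload[45] != 0:
        return None
    try:
        raw = decode_nbns_name(payload[13:45])
    except ValueError:
        return None
    qtype, qclass = struct.unpack("!HH", payload[46:50])
    return {
        "txid": txid,
        "broadcast": bool(flags & FLAG_BROADCAST),
        "name": raw[:15].rstrip(b" \x00").decode("ascii", "replace"),
        "suffix": raw[15],
        "qtype": QTYPE_NAMES.get(qtype, f"0x{qtype:04x}"),
        "qclass": qclass,
        "wildcard": raw == WILDCARD_NAME,
    }


def matches_nbstat_scan_signature(payload: bytes) -> bool:
    """Byte-for-byte equivalent of the signature's static checks:
    data_size 50; bytes 2..5 == 00 10 00 01 (flags = B, QDCOUNT = 1);
    bytes 12..19 == 20 'CKAAAAA' (32-byte name that encodes '*' + NULs)."""
    return (len(payload) == 50
            and payload[2:6] == b"\x00\x10\x00\x01"
            and payload[12:20] == b"\x20CKAAAAA")


class RateTracker:
    """Approximation of --rate N,S --track src_ip: per-source sliding window;
    alert when N matches from one source fall within S seconds."""
    def __init__(self, count: int = 5, window: float = 20.0):
        self.count, self.window = count, window
        self.seen = defaultdict(deque)

    def observe(self, src_ip: str, ts: float) -> bool:
        q = self.seen[src_ip]
        q.append(ts)
        while q and ts - q[0] > self.window:   # drop matches outside the window
            q.popleft()
        return len(q) >= self.count


def scan_sources(packets, count: int = 5, window: float = 20.0) -> set:
    """packets: iterable of (ts, src_ip, dst_port, udp_payload).
    Returns the set of source IPs that tripped the rate rule."""
    tracker = RateTracker(count, window)
    alerted = set()
    for ts, src, dport, payload in packets:
        if dport == 137 and matches_nbstat_scan_signature(payload):
            if tracker.observe(src, ts):
                alerted.add(src)
    return alerted


if __name__ == "__main__":
    # Constructed samples: a wildcard NBSTAT query and an ordinary NB name query.
    nbstat = build_nbns_query(0x1234, WILDCARD_NAME, 0x0021)
    nb = build_nbns_query(0x0001, b"WORKGROUP".ljust(15, b" ") + b"\x1d", 0x0020, flags=0x0110)
    for pkt in (nbstat, nb):
        print(parse_nbns_query(pkt), "signature:", matches_nbstat_scan_signature(pkt))
    burst = [(float(i), "192.168.15.20", 137, nbstat) for i in range(5)]
    print("alerted sources:", scan_sources(burst))
```

Note that the signature only fires on flags exactly 0x0010; an ordinary broadcast name query with the RD bit set (flags 0x0110) or a unicast `nbtstat -A` with flags 0x0000 does not match, which is one reason the reply warns about tuning and false positives.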
Thank you, I will try this.
Problem solved. My switch VLAN configuration had reset to defaults, and after reconfiguration it works properly. Thanks.