Article Id 194719


Multicast forwarding is used to forward multicast packets between multicast routers and receivers, enabling efficient distribution of data to multiple recipients simultaneously. Applications and services that involve real-time streaming, multimedia content delivery, audio/video conferencing, IPTV, online gaming, and content distribution networks (CDNs) often rely on it. This article explains how to forward multicast traffic on a FortiGate device.
Note: Enabling both Multicast Forwarding and Routing simultaneously on the same device or VDOM is not recommended. In the case of multicast traffic, Multicast Forwarding should be enabled when the FortiGate is operating in NAT mode and the objective is to forward multicast packets between multicast routers and receivers. However, it is not advisable to enable Multicast Forwarding when the FortiGate itself is functioning as a multicast router or participating in a routing protocol that utilizes multicast.




It is assumed that multicast traffic needs to be allowed from Port1 to Port2.


Step 1: Enabling multicast forwarding
Multicast forwarding is enabled by default on FortiGate devices. The multicast-forward setting is used to enable or disable it.

Enable multicast forwarding from CLI using the following commands:
config system settings
    set multicast-forward enable
end

Prevent the TTL for forwarded packets from being changed
To preserve TTL values for forwarded multicast packets, use the multicast-ttl-notchange option. Enable it only if packets expire prematurely before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

Step 2: Configure multicast policy for source and destination.
This multicast policy only applies to the source interface port1 and the destination interface port2.


From GUI:

Navigate to Policy & Objects -> Multicast -> Create New. Select the source and destination interfaces and the source and destination IP addresses.
Note: If the Multicast tab is not visible, navigate to System -> Config -> Features and enable Multicast policy to display it in the GUI.

From CLI:
config firewall multicast-policy
    edit 1
        set srcintf port1
        set dstintf port2
        set srcaddr all
        set dstaddr all
    next
end
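
The three points above (forwarding should not be combined with multicast routing, multicast-ttl-notchange should be enabled only when needed, and the policy in Step 2 matches every source and destination) can be checked against a configuration backup. The following Python is an added example, not Fortinet's code: it assumes a single-VDOM backup, the `config router multicast` / `set multicast-routing enable` lines it looks for do not appear in this article, and flagging an all-to-all multicast policy for review is the example's own heuristic.

```python
SAMPLE = """\
config system settings
    set multicast-ttl-notchange enable
end
config router multicast
    set multicast-routing enable
end
config firewall multicast-policy
    edit 1
        set srcaddr "all"
        set dstaddr "all"
    next
end
"""  # constructed single-VDOM backup fragment, not taken from the article

def parse(text):
    """Map (top-level section, entry id or None) -> {key: [values]}."""
    cfg, stack, entry = {}, [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            entry = entry if stack else None  # a top-level block starts with no entry
            stack.append(line[7:])
        elif line == "end" and stack:
            stack.pop()
        elif len(stack) == 1 and line.startswith("edit "):
            entry = line[5:].strip('"')
        elif len(stack) == 1 and line == "next":
            entry = None
        elif len(stack) == 1 and line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            cfg.setdefault((stack[0], entry), {})[key] = value.replace('"', "").split()
    return cfg

def audit(text):
    cfg, findings = parse(text), []
    settings = cfg.get(("system settings", None), {})
    # Assumption (not on the page): routing shows up as "set multicast-routing enable".
    routing = cfg.get(("router multicast", None), {}).get("multicast-routing")
    # The article says forwarding is on by default, so an absent key counts as enabled.
    if settings.get("multicast-forward", ["enable"]) == ["enable"] and routing == ["enable"]:
        findings.append("multicast-forward and multicast-routing are both enabled")
    if settings.get("multicast-ttl-notchange") == ["enable"]:
        findings.append("multicast-ttl-notchange enabled: confirm TTL expiry required it")
    for (section, pid), pol in cfg.items():
        if (section == "firewall multicast-policy"
                and pol.get("srcaddr") == pol.get("dstaddr") == ["all"]):
            findings.append(f"multicast-policy {pid}: srcaddr and dstaddr are both 'all'")
    return findings
```

Call `audit()` with the text of a backup; each returned string names one setting to review before multicast traffic is allowed through.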