I ran into an issue here:
I have a zone with several members.
Now I need multicast forwarding for AirPrint between two members of that zone.
Intra-zone traffic is blocked (by default), which is wanted that way.
So any traffic has to be explicitly allowed by a policy.
Now I cannot create a multicast policy for that because of the zone. In a multicast policy only the zone is available, not its members.
So even multicast policies from interfaces that are not members of the zone can only have the zone as source or destination interface. I consider this a security risk.
Does anyone have a tip on how one can do intra-zone multicast forwarding then?
I have additionally opened a ticket with TAC on this too.
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
You can check this article to enable multicast forwarding and to prevent changing the multicast TTL value
yeah that describes the way one usually achieves that with :)
But that does not work for zone members. It would only work for the zone itself,
plus it does not work intra-zone because of identical source and destination interface, since one can only select the zone.
It's a fail-by-design here and also creates security risks.
TAC have confirmed that indeed both FortiManager and FortiGate do lack this feature.
They told us to open an NFR on that, probably.
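For readers following the thread, here is the FortiOS CLI configuration the posts above describe, written out as an added example (it is not from the original thread, the linked article, or Fortinet). The zone name, member interfaces and policy ID are assumed placeholders. The first two stanzas are the zone with intra-zone traffic denied and the multicast-forwarding/TTL settings that the referenced article covers; the last stanza is the multicast policy, and it shows the limitation the original poster reports: the source and destination interface can only be the zone, not an individual member, so it does not express "from port2 to port3 inside the zone".

```text
# Zone with two members; intra-zone traffic denied by default (assumed names).
config system zone
    edit "LAN-ZONE"
        set intrazone deny
        set interface "port2" "port3"
    next
end

# Global multicast forwarding, and keep the TTL unchanged so link-local
# mDNS (AirPrint) packets are not dropped after being forwarded.
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

# Multicast policy for mDNS (UDP 5353). The interface fields accept only
# the zone; per the thread, a per-member rule (port2 -> port3) cannot be
# written here, which is the gap TAC confirmed.
config firewall multicast-policy
    edit 1
        set srcintf "LAN-ZONE"
        set dstintf "LAN-ZONE"
        set srcaddr "all"
        set dstaddr "all"
        set protocol 17
        set start-port 5353
        set end-port 5353
        set action accept
    next
end
```

The point for a defender is the one the thread makes: because the policy cannot name individual members, any rule broad enough to allow AirPrint between two members applies to every member of the zone, so the multicast policy should at least be narrowed by protocol and port (as above) rather than left open to all multicast traffic.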