Multicast processing and basic Multicast policy
You need to add firewall policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. Similar to firewall policies, in a multicast policy, the administrator specifies the source interface, destination interfaces, the allowed source address ranges, and destination addresses of the multicast traffic. You can also use multicast policies to configure source NAT and destination NAT for multicast packets.
Multicast forwarding in NAT mode
When multicast-forward is enabled, the FortiGate forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header is reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add multicast policies to allow multicast packets through the FortiGate.
If multicast-forward is disabled, the FortiGate drops packets that have multicast source or destination addresses.
In NAT mode, there is a per-VDOM setting that disables forwarding of all multicast traffic. This command is only available in NAT mode.
config system settings
    set multicast-forward <disable|enable(default)>
end
You can also enable the multicast-ttl-notchange option so that the FortiGate does not decrement the TTL of forwarded multicast packets. Use this option only if packets are expiring before they reach the multicast router.
config system settings
    set multicast-ttl-notchange enable
end
Multicast processing in TP mode
When multicast-skip-policy is enabled, no check is performed based on multicast policy. A multicast packet received on an interface is flooded unconditionally to all interfaces (except the incoming interface) belonging to the same forwarding domain. Multicast packets are forwarded even when there is no multicast policy or the multicast policy is set to deny. To forward multicast traffic based on multicast policy, multicast-skip-policy must be disabled.
In transparent mode, there is a per-VDOM setting that skips the policy check and forwards all multicast traffic. This command is only available in transparent mode.
config system settings
    set multicast-skip-policy <disable(default)|enable>
end
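The forwarding rules described above (NAT mode: multicast-forward, the TTL threshold and decrement, and multicast-ttl-notchange; transparent mode: forwarding domains and multicast-skip-policy) as a small Python model. This is an added example, not FortiOS code; it assumes a multicast policy can be reduced to an allowed (source interface, destination interface) pair, ignores the address and NAT fields of the policy, and assumes transparent mode leaves the TTL untouched.

```python
"""Model of the multicast forwarding rules described above.
Added example, not FortiOS code. Assumptions: a multicast policy is
reduced to an allowed (srcintf, dstintf) pair; transparent mode does
not change the TTL."""
from dataclasses import dataclass, field
from ipaddress import ip_address

MULTICAST_TTL_MIN = 2  # NAT mode forwards only packets with TTL >= 2


@dataclass
class VdomSettings:
    opmode: str                            # "nat" or "transparent"
    multicast_forward: bool = True         # NAT mode; default enable
    multicast_ttl_notchange: bool = False  # NAT mode; default disable
    multicast_skip_policy: bool = False    # transparent mode; default disable
    fwd_domain: dict = field(default_factory=dict)  # interface -> forwarding domain
    policies: set = field(default_factory=set)      # allowed (srcintf, dstintf) pairs


def forward(vdom, in_intf, dst, ttl, interfaces):
    """Return (list of egress interfaces, TTL after processing).
    An empty list means the packet is dropped."""
    if not ip_address(dst).is_multicast:
        raise ValueError(f"{dst} is not a multicast group address")
    others = [i for i in interfaces if i != in_intf]  # never back out the ingress port

    if vdom.opmode == "nat":
        if not vdom.multicast_forward:
            return [], ttl                           # multicast dropped entirely
        if ttl < MULTICAST_TTL_MIN:
            return [], ttl                           # TTL too low to forward
        new_ttl = ttl if vdom.multicast_ttl_notchange else ttl - 1
        # forwarded toward every other interface, but only a policy lets it through
        return [i for i in others if (in_intf, i) in vdom.policies], new_ttl

    # transparent mode: flood only within the ingress forwarding domain
    domain = vdom.fwd_domain.get(in_intf)
    same_domain = [i for i in others if vdom.fwd_domain.get(i) == domain]
    if vdom.multicast_skip_policy:
        return same_domain, ttl                      # policy (even a deny) is ignored
    return [i for i in same_domain if (in_intf, i) in vdom.policies], ttl


if __name__ == "__main__":
    ports = ["port1", "port2", "port3"]
    nat = VdomSettings(opmode="nat", policies={("port1", "port2")})
    print(forward(nat, "port1", "224.0.0.9", 2, ports))  # (['port2'], 1)
    tp = VdomSettings(opmode="transparent", multicast_skip_policy=True,
                      fwd_domain={"port1": 0, "port2": 0, "port3": 1})
    print(forward(tp, "port1", "239.1.1.1", 5, ports))   # (['port2'], 5)
```

The transparent-mode branch is the one to keep in mind when reviewing a configuration: with multicast-skip-policy enabled the policy set never runs, so a deny policy has no effect.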
Sample configuration
To allow RIPv2 packets from port1 to port2 using the GUI:
- Go to Policy & Objects > Multicast Policy.
- Click Create New.
- For Incoming Interface, select port1.
- For Outgoing Interface, select port2.
- For Source Address, select 10.10.0.10/32.
- For Destination Address, select RIPv2.
- Click OK.
To allow RIPv2 packets from port1 to port2 using the CLI:
config firewall address
    edit "10.10.0.10/32"
        set subnet 10.10.0.10 255.255.255.255
    next
end
config firewall multicast-address
    edit "RIPv2"
        set start-ip 224.0.0.9
        set end-ip 224.0.0.9
    next
end
config firewall multicast-policy
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "10.10.0.10/32"
        set dstaddr "RIPv2"
    next
end
IPv4/IPv6 access control lists
Access control lists (ACLs) in FortiOS are a granular, specifically targeted block list. An ACL drops IPv4 and IPv6 packets at the physical network interface before they are analyzed by the CPU. On a busy appliance, this can significantly improve performance.
ACL is available on FortiGates with NP6-accelerated interfaces. ACL checking is one of the first things that happens to the packet and checking is done by the NP6 processor. The result is very efficient protection that does not use CPU or memory resources.
The following platforms support ACL:
- FGT_100D, FGT_100E, FGT_100EF, FGT_101E
- FGT_140D, FGT_140D_POE, FGT_140E, FGT_140E_POE
- FGT_301E, FGT_500E, FGT_501E
- FGT_1200D, FGT_1500D, FGT_1500DT
- FGT_2000E, FGT_2500E
- FGT_3000D, FGT_3100D, FGT_3200D, FGT_3700D
- FGT_3800D, FGT_3810D, FGT_3815D
- FGT_3960E, FGT_3980E
Limitation
The ACL configuration lets you specify the interface the ACL applies to, but be aware of a hardware limitation. The ACL is a Layer 2 function that is offloaded to the ISF hardware, so no CPU resources are used to process it: the inside switch chip handles it with hardware acceleration, which increases FortiGate performance. The drawback is that ACLs are only supported on switch-fabric-driven interfaces. They cannot be applied to hardware switch interfaces or their members, and ports such as WAN1 or WAN2 on some models, which use network cards that connect to the CPU through a PCIe bus, do not support ACL.
Sample configuration
To block all IPv4 and IPv6 Telnet traffic from port2 to Company_Servers using the CLI:
config firewall acl
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers"
        set service "TELNET"
    next
end
config firewall acl6
    edit 1
        set interface "port2"
        set srcaddr "all"
        set dstaddr "Company_Servers_v6"
        set service "TELNET"
    next
end
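An audit of the settings and objects configured in the two CLI samples above (the multicast sample and the ACL sample), run over a configuration dump: it parses the config/edit/set/next/end structure and reports a transparent-mode VDOM with multicast-skip-policy enabled, a multicast policy that allows any source to any group, and an ACL that drops all of a service on an interface. This is an added example, not FortiOS code; the configuration text is constructed for the example, and the parser only understands the five keywords listed.

```python
"""Audit per-VDOM multicast settings, multicast policies and ACLs in a
FortiOS-style configuration dump. Added example, not FortiOS code. The
config text is constructed for the example; the parser handles only the
config/edit/set/next/end keywords and unquotes values with shlex."""
import shlex

SAMPLE_CONFIG = """\
config vdom
    edit root
        config system settings
            set opmode nat
            set multicast-forward enable
        end
        config firewall multicast-policy
            edit 1
                set srcintf "port1"
                set dstintf "port2"
                set srcaddr "10.10.0.10/32"
                set dstaddr "RIPv2"
            next
            edit 2
                set srcintf "port1"
                set dstintf "port2"
                set srcaddr "all"
                set dstaddr "all"
            next
        end
        config firewall acl
            edit 1
                set interface "port2"
                set srcaddr "all"
                set dstaddr "Company_Servers"
                set service "TELNET"
            next
            edit 2
                set interface "port3"
                set srcaddr "all"
                set dstaddr "all"
                set service "ALL"
            next
        end
    next
    edit tp
        config system settings
            set opmode transparent
            set multicast-skip-policy enable
        end
    next
end
"""


def parse(text):
    """Nest 'config NAME' and 'edit ID' blocks as dicts; 'set KEY V...'
    stores the value list in the innermost open block."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        words = shlex.split(raw)
        if not words:
            continue
        kw, args = words[0], words[1:]
        if kw == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif kw == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif kw == "set":
            stack[-1][args[0]] = args[1:]
        elif kw in ("next", "end"):
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit versus next/end")
    return root


def audit(cfg):
    """Return (vdom, message) findings for the settings discussed above."""
    findings = []
    for vdom, tree in cfg.get("vdom", {}).items():
        settings = tree.get("system settings", {})
        opmode = settings.get("opmode", ["nat"])[0]
        skip = settings.get("multicast-skip-policy", ["disable"])[0]
        if opmode == "transparent" and skip == "enable":
            findings.append((vdom, "multicast-skip-policy enabled: multicast policies "
                                   "are not checked, all multicast is flooded in each forwarding domain"))
        for pid, pol in tree.get("firewall multicast-policy", {}).items():
            if pol.get("srcaddr") == ["all"] and pol.get("dstaddr") == ["all"]:
                findings.append((vdom, f"multicast-policy {pid} allows any source to any group "
                                       f"from {pol.get('srcintf', ['?'])[0]} to {pol.get('dstintf', ['?'])[0]}"))
        for aid, acl in tree.get("firewall acl", {}).items():
            if acl.get("srcaddr") == ["all"] and acl.get("dstaddr") == ["all"]:
                findings.append((vdom, f"acl {aid} drops all {' '.join(acl.get('service', ['?']))} "
                                       f"traffic on {acl.get('interface', ['?'])[0]}"))
    return findings


if __name__ == "__main__":
    for vdom, msg in audit(parse(SAMPLE_CONFIG)):
        print(f"[{vdom}] {msg}")
```

On a real device the same text comes from `show` or a configuration backup; the parser keeps the last `set` for a key, which matches how the CLI overwrites a value.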
Sample troubleshooting
To check the number of packets dropped by an ACL:
# diag firewall acl counter
ACL id 1 dropped 0 packets
To clear the packet drop counter:
# diag firewall acl clearcounter
Use the same commands, with the 6 suffix, for IPv6 ACLs:
# dia firewall acl
counter          Show number of packets dropped by ACL.
counter6         Show number of packets dropped by ACL6.
clearcounter     Clear ACL packet counter.
clearcounter6    Clear ACL6 packet counter.
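Because the counters above are cumulative and reset to zero on clearcounter, a monitoring job that polls them has to compute deltas between snapshots and recognise a cleared counter. The following is an added example, not FortiOS code: it assumes one `ACL id N dropped M packets` line per ACL (the single line shown above, extended to several ACLs), and treats a count lower than the previous snapshot as a counter that was cleared in between. The two snapshots are constructed for the example.

```python
"""Track per-ACL drop counters across two snapshots of the
'diag firewall acl counter' output. Added example, not FortiOS code.
Assumptions: one 'ACL id N dropped M packets' line per ACL; a count
below the previous snapshot means the counter was cleared in between."""
import re

COUNTER_LINE = re.compile(r"ACL id (\d+) dropped (\d+) packets")

# constructed sample output for two successive polls
SNAPSHOT_T0 = "ACL id 1 dropped 0 packets\nACL id 2 dropped 120 packets\n"
SNAPSHOT_T1 = ("ACL id 1 dropped 37 packets\nACL id 2 dropped 5 packets\n"
               "ACL id 3 dropped 0 packets\n")


def parse_counters(output):
    """Map ACL id -> cumulative dropped packet count."""
    return {int(i): int(n) for i, n in COUNTER_LINE.findall(output)}


def drop_deltas(before, after):
    """Packets dropped per ACL between two snapshots.
    ACLs first seen in 'after' count from zero; a count below the earlier
    one is taken as a cleared counter, so the delta is the new count."""
    deltas = {}
    for acl_id, now in after.items():
        prev = before.get(acl_id, 0)
        deltas[acl_id] = now - prev if now >= prev else now
    return deltas


def noisy_acls(deltas, threshold):
    """ACL ids whose drop delta reached the threshold, for alerting."""
    return sorted(i for i, d in deltas.items() if d >= threshold)


if __name__ == "__main__":
    d = drop_deltas(parse_counters(SNAPSHOT_T0), parse_counters(SNAPSHOT_T1))
    print(d, noisy_acls(d, threshold=10))  # {1: 37, 2: 5, 3: 0} [1]
```

A rising delta on an ACL such as the Telnet one configured above is a useful detection signal: it means hosts behind that interface are actively trying the blocked service, and the ACL id tells you which rule and interface to look at.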