
• Enabling multicast forwarding

This second step is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.

Adding multicast security policies

You need to add security policies to allow packets to pass from one interface to another. Multicast packets require multicast security policies. You add multicast security policies from the CLI using the config firewall multicast-policy command. As with unicast security policies, you specify the source and destination interfaces and optionally the allowed address ranges for the source and destination addresses of the packets.

[Figure: example multicast forwarding topology. FortiGate-800 with internal IP 192.168.5.1, external IP 172.20.20.10 and DMZ IP 192.168.6.1, multicast forwarding enabled. A sender on the Marketing network (192.168.5.0/24) at IP address 192.168.5.18 multicasts to IP address 239.168.4.0. Receiver_1, Receiver_2, Receiver_3 and Receiver_4 are members of multicast group 239.168.4.0. The Development network is 192.168.6.0/24. Policy shown: source address 192.168.5.18, source interface internal, destination address 239.168.4.0, destination interface external, NAT IP 192.168.18.10.]

Configuring FortiGate multicast forwarding Multicast forwarding

You can also use multicast security policies to configure source NAT and destination NAT for multicast packets. For full details on the config firewall multicast-policy command, see the FortiGate CLI Reference.

Keep the following in mind when configuring multicast security policies:

• The matched forwarded (outgoing) IP multicast source IP address is changed to the configured IP address.

• Source and Destination interfaces are optional. If left blank, then the multicast will be forwarded to ALL interfaces.

• Source and Destination addresses are optional. If left unset, the policy applies to ALL addresses.

• The nat keyword is optional. Use it when source address translation is needed.

Enabling multicast forwarding

Multicast forwarding is disabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable multicast forwarding. When multicast-forward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add security policies to actually allow multicast packets through the FortiGate. In our example, the security policy allows multicast packets received by the internal interface to exit to the external interface.

Enter the following CLI command to enable multicast forwarding:

config system settings
    set multicast-forward enable
end

If multicast forwarding is disabled, the FortiGate unit drops packets that have multicast source or destination addresses.

You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate unit does not increase the TTL value for forwarded multicast packets. You should use this option only if packets are expiring before reaching the multicast router.

config system settings
    set multicast-ttl-notchange enable
end

In transparent mode, the FortiGate unit does not forward frames with multicast destination addresses. Multicast traffic, such as that used by routing protocols or streaming media, may need to traverse the FortiGate unit, and the FortiGate unit should not interfere with that communication. To avoid any issues during transmission, you can set up multicast security policies. These types of security policies can only be enabled using the CLI. Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.


In this simple example, no check is performed on the source or destination interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.

To enable the multicast policy

config firewall multicast-policy
    edit 1
        set action accept
end

In this example, the multicast policy only applies to the source port of WAN1 and the destination port of Internal.

To enable the restrictive multicast policy

config firewall multicast-policy
    edit 1
        set srcintf wan1
        set dstintf internal
        set action accept
end

In this example, packets sourced from the address 172.20.120.129 are allowed to flow from WAN1 to Internal.

To enable the restrictive multicast policy

config firewall multicast-policy
    edit 1
        set srcintf wan1
        set srcaddr 172.20.120.129 255.255.255.255
        set dstintf internal
        set action accept
end

This example shows how to configure the multicast security policy required for the configuration shown in Figure 13 on page 177. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18 to destination address range 239.168.4.0. The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface their source address is translated to 192.168.18.10.

config firewall multicast-policy
    edit 5
        set srcaddr 192.168.5.18 255.255.255.255
        set srcintf internal
        set dstaddr 239.168.4.0 255.255.255.0
        set dstintf external
        set nat 192.168.18.10
end

The CLI parameter multicast-skip-policy must be disabled when using multicast security policies. To disable it, enter the following command:

config system settings
    set multicast-skip-policy disable
end
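The points made in this section (forwarding is off by default in NAT mode, unset interfaces and addresses mean ALL, and multicast-skip-policy must be disabled) can be checked against a configuration text before it is applied. The following Python code is an added example, not part of the FortiGate documentation: the parse and audit functions and the SAMPLE text are constructed here, and it assumes that a configuration without an opmode line is in NAT mode.

```python
# Constructed sample in the CLI syntax used on this page (not a real device export).
SAMPLE = """\
config system settings
    set multicast-skip-policy enable
end
config firewall multicast-policy
    edit 1
        set action accept
    next
    edit 5
        set srcaddr 192.168.5.18 255.255.255.255
        set srcintf internal
        set dstaddr 239.168.4.0 255.255.255.0
        set dstintf external
end
"""

def parse(text):
    """Return (system settings, {policy id: settings}) from FortiOS-style CLI text."""
    settings, policies, section, target = {}, {}, None, None
    for words in filter(None, (line.split() for line in text.splitlines())):
        if words[0] == "config":
            section = " ".join(words[1:])
            target = settings if section == "system settings" else None
        elif words[0] == "edit" and section == "firewall multicast-policy":
            target = policies.setdefault(words[1], {})
        elif words[0] in ("next", "end"):
            target = None  # leave the current entry or block
        elif words[0] == "set" and target is not None and len(words) > 2:
            target[words[1]] = " ".join(words[2:])
    return settings, policies

def audit(text):
    settings, policies = parse(text)
    findings = []
    # Assumption: a configuration with no 'set opmode' line is in NAT mode.
    if settings.get("opmode", "nat") == "nat" and settings.get("multicast-forward") != "enable":
        findings.append("NAT mode: multicast-forward not enabled (disabled by default)")
    if policies and settings.get("multicast-skip-policy") == "enable":
        findings.append("multicast-skip-policy must be disabled when using multicast policies")
    for pid, pol in policies.items():
        for pair, scope in ((("srcintf", "dstintf"), "interfaces"), (("srcaddr", "dstaddr"), "addresses")):
            missing = [k for k in pair if k not in pol]
            if missing and pol.get("action") != "deny":
                findings.append(f"policy {pid}: {'/'.join(missing)} unset, applies to ALL {scope}")
    return findings

print("\n".join(audit(SAMPLE)))
```

Policy 1 in the sample is the unrestricted flood policy from this section, so it is reported twice; policy 5 names both interfaces and both addresses and produces no finding.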
