Multicast forwarding and FortiGate units

To configure the FortiGate-800 unit

1. Configure the internal and external interfaces.

Internal

Go to System > Network > Interfaces. Select the internal interface.

Verify the following settings:

Type: Physical Interface
Addressing mode: Manual
IP/Network Mask: 10.31.138.253 255.255.255.0
Administrative Access: PING

Select OK.

External

Go to System > Network > Interfaces. Select the external interface.

Verify the following settings:

Type: Physical Interface
Addressing mode: Manual
IP/Network Mask: 10.31.130.253 255.255.255.0
Administrative Access: HTTPS and PING

Select OK.

2. Add firewall addresses.

Go to Policy & Objects > Objects > Addresses.

RP

Select Create New.

Use the following settings:

Category: Address
Name: RP
Type: Subnet
Subnet/IP Range: 169.254.100.1/32
Interface: Any
Visibility: <enabled>

Select OK.

Multicast source subnet

Select Create New.

Use the following settings:

Category: Address
Name: multicast_source_subnet
Type: Subnet
Subnet/IP Range: 169.254.82.0/24
Interface: Any
Visibility: <enabled>

Select OK.

3. Add the destination multicast address.

Go to Policy & Objects > Objects > Addresses.

Select Create New.

Use the following settings:

Category: Multicast Address
Name: Multicast_stream
Type: Broadcast Subnet
Broadcast Subnet: 233.254.200.0/24
Interface: Any
Visibility: <enabled>

Select OK.

4. Add standard security policies to allow traffic to reach the RP.

Go to Policy & Objects > Policy > IPv4.

1st policy

Select Create New.

Use the following settings:

Incoming Interface: internal
Source Address: all
Outgoing Interface: external
Destination Address: RP
Schedule: always
Service: ALL
Action: ACCEPT

Select OK.

2nd policy

Select Create New.

Use the following settings:

Incoming Interface: external
Source Address: RP
Outgoing Interface: internal
Destination Address: all
Schedule: always
Service: ALL
Action: ACCEPT

Select OK.

5. Add the multicast security policy.

Go to Policy & Objects > Policy > Multicast. Select Create New.

Use the following settings:

Incoming Interface: external
Source Address: multicast_source_subnet
Outgoing Interface: internal
Destination Address: Multicast_stream
Protocol: Any
Action: ACCEPT

Select OK.

6. Add an access list (CLI only). The access list matches the multicast group prefix; exact-match is disabled so that any prefix within 233.254.200.0/24 matches.

config router access-list
    edit Source-RP
        config rule
            edit 1
                set prefix 233.254.200.0 255.255.255.0
                set exact-match disable
            next
        end
    next
end

7. Add some static routes.

Go to Router > Static > Static Routes.

• Route 1

Select Create New.

Use the following settings:
Destination IP/Mask: 0.0.0.0/0.0.0.0
Device: internal
Gateway: 10.31.130.250
Distance: <default>
Priority: <default>
Select OK.

• Route 2

Select Create New.

Use the following settings:
Destination IP/Mask: 169.254.0.0/16
Device: external
Gateway: 10.31.138.250
Distance: <default>
Priority: <default>
Select OK.

8. Configure multicast routing.

Go to Router > Dynamic > Multicast.

Add the following Static Rendezvous Point(s):

  • 169.254.100.1

Route 1

Select Create New.

Use the following settings:

Interface: internal
PIM Mode: Sparse Mode
DR Priority: <not needed in this scenario>
RP Candidate: <not needed in this scenario>
RP Candidate Priority: <not needed in this scenario>

Select OK.

Route 2

Select Create New.

Use the following settings:

Interface: external
PIM Mode: Sparse Mode
DR Priority: <not needed in this scenario>
RP Candidate: <not needed in this scenario>
RP Candidate Priority: <not needed in this scenario>

Select OK.
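The same eight steps as they would be entered in the FortiOS CLI, added here as a worked example; this is not part of the original page or of Fortinet's documentation. Interface names, addresses, object names and the Source-RP access list are taken from steps 1 to 8 above; the numeric IDs for the policies, routes and RP entry (1 and 2) are assumed, and lines beginning with # are comments. The multicast policy leaves the protocol at its default (0), which corresponds to "Any" in the GUI. The page defines the Source-RP access list but never binds it to anything, so it is left unreferenced here too. Two things to verify before applying this: the static route gateways are copied exactly as the page lists them, so confirm that each gateway lies on the subnet of the device it is bound to (10.31.130.250 falls in the external interface's 10.31.130.0/24 and 10.31.138.250 in the internal interface's 10.31.138.0/24); and step 1 enables HTTPS administrative access on the external interface, which exposes management on that side and is worth limiting to trusted administrator hosts if that interface faces an untrusted network.

```fortios
# Step 1: interface addressing and administrative access (values as listed on the page)
config system interface
    edit "internal"
        set ip 10.31.138.253 255.255.255.0
        set allowaccess ping
    next
    edit "external"
        set ip 10.31.130.253 255.255.255.0
        set allowaccess https ping
    next
end
# Steps 2-3: unicast address objects and the multicast (broadcast-subnet) address object
config firewall address
    edit "RP"
        set subnet 169.254.100.1 255.255.255.255
    next
    edit "multicast_source_subnet"
        set subnet 169.254.82.0 255.255.255.0
    next
end
config firewall multicast-address
    edit "Multicast_stream"
        set type broadcastmask
        set subnet 233.254.200.0 255.255.255.0
    next
end
# Steps 4-5: unicast policies to and from the RP, then the multicast policy (policy IDs assumed)
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "external"
        set srcaddr "all"
        set dstaddr "RP"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "RP"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
config firewall multicast-policy
    edit 1
        set srcintf "external"
        set dstintf "internal"
        set srcaddr "multicast_source_subnet"
        set dstaddr "Multicast_stream"
        set action accept
    next
end
# Steps 6-7: access list as given on the page, then the static routes copied verbatim (route IDs assumed)
config router access-list
    edit "Source-RP"
        config rule
            edit 1
                set prefix 233.254.200.0 255.255.255.0
                set exact-match disable
            next
        end
    next
end
config router static
    edit 1
        set dst 0.0.0.0 0.0.0.0
        set gateway 10.31.130.250
        set device "internal"
    next
    edit 2
        set dst 169.254.0.0 255.255.0.0
        set gateway 10.31.138.250
        set device "external"
    next
end
# Step 8: enable multicast routing, set the static RP, and run PIM sparse mode on both interfaces
config router multicast
    set multicast-routing enable
    config pim-sm-global
        config rp-address
            edit 1
                set ip-address 169.254.100.1
            next
        end
    end
    config interface
        edit "internal"
            set pim-mode sparse-mode
        next
        edit "external"
            set pim-mode sparse-mode
        next
    end
end
```

After applying it, `get router info multicast pim sparse-mode rp-mapping` shows whether the static RP has been learned, and `diagnose sys mcast-session list` (both are existing FortiOS commands) lists the multicast sessions the unit is actually forwarding, which is the quickest way to confirm that only the 169.254.82.0/24 sources are reaching the 233.254.200.0/24 groups.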

This entry was posted in Fortinet GURU, FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
