Chapter 10 – FortiView

FortiView

  • Overview on page 1149 outlines the role FortiView plays in FortiOS and its overall layout. This section also identifies which FortiGate platforms support the full FortiView features.
  • FortiView consoles on page 1160 describes the various FortiView consoles available in FortiOS, including example scenarios, in most cases.
  • Reference on page 1172 explains reference information for the various consoles in FortiView, and describes the assortment of filtering options, drilldown options, and columns available.
  • Troubleshooting FortiView on page 1183 offers solutions to common technical issues experienced by FortiGate users regarding FortiView.

What's new in FortiOS 5.4

New Consoles

In FortiOS 5.4, a variety of new consoles have been added to FortiView:

FortiView Policies console

The new Policies console works similarly to other FortiView consoles, yet allows administrators to monitor policy activity, and thereby decide which policies are most and least active. This helps the administrator discern which policies are unused and can be deleted.

In addition, you have the ability to click on any policy in the table to drill down to the Policies list and view or edit that policy. You can view this new console in either Table or Bubble Chart view.

FortiView Interfaces console

The new Interfaces console works similarly to other FortiView consoles and allows administrators to perform current and historical monitoring per interface, with the ability to monitor bandwidth in particular. You can view this new console in either Table or Bubble Chart view.

FortiView Countries console

A new Countries console has been introduced to allow administrators to filter traffic according to source and destination countries. This console includes the option to view the Country Map visualization (see below).

FortiView Device Topology console

The new Device Topology console provides an overview of your network structure in the form of a Network Segmentation Tree diagram (see below).

FortiView Traffic Shaping console

A new Traffic Shaping console has been introduced to improve monitoring of existing Traffic Shapers. Information displayed includes Shaper info, Sessions, Bandwidth, Dropped Bytes, and more.

FortiView Threat Map console

A new Threat Map console has been introduced to monitor risks coming from various international locations arriving at a specific location, depicted by the location of a FortiGate on the map (see below).

FortiView Failed Authentication console

A Failed Authentication console has been added under FortiView that allows you to drill down an entry to view the logs. This new console is particularly useful in determining whether or not the FortiGate is under a brute force attack. If an administrator sees multiple failed login attempts from the same IP, they could (for example) add a local-in policy to block that IP.

The console provides a list of unauthorized connection events in the log, including the following:

  • unauthorized access to an admin interface (telnet, ssh, http, https, etc.)
  • failure to query for SNMP (v3) or outside of authorized range (v1, v2, v3)
  • failed attempts to establish any of the following:
    • Dial-up IPsec VPN connections
    • Site-to-site IPsec VPN connections
    • SSL VPN connections
    • FGFM tunnel
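The Failed Authentication console groups failed admin logins by source so that repeated attempts from one address stand out. The following Python script is an added example, not part of the FortiOS documentation, that does the same grouping over raw event logs: the log lines are constructed, and the key=value field names it relies on (type, action, status, user, srcip, ui) are assumed to resemble FortiOS system event logs, so adjust them to the fields your own units emit.

```python
"""Spot admin-login brute forcing in FortiOS-style event logs.

Added example, not part of the FortiOS documentation: the log lines below are
constructed, and the key=value field names (type, action, status, user, srcip,
ui) are assumed to resemble FortiOS system event logs. It does what the Failed
Authentication console lets an administrator do by eye: group failed logins by
source address and report the sources that have crossed a threshold.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: four failures from 203.0.113.7 against two accounts,
# one isolated failure from 198.51.100.9, and one successful login.
SAMPLE_LOG = """\
date=2016-03-01 time=10:00:01 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"
date=2016-03-01 time=10:00:03 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="ssh(203.0.113.7)" srcip=203.0.113.7 msg="Administrator admin login failed from ssh(203.0.113.7) because of invalid password"
date=2016-03-01 time=10:00:04 type="event" subtype="system" level="alert" action="login" status="failed" user="root" ui="https(203.0.113.7)" srcip=203.0.113.7 msg="Administrator root login failed from https(203.0.113.7) because of invalid user name"
date=2016-03-01 time=10:00:06 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="https(203.0.113.7)" srcip=203.0.113.7 msg="Administrator admin login failed from https(203.0.113.7) because of invalid password"
date=2016-03-01 time=10:01:00 type="event" subtype="system" level="alert" action="login" status="failed" user="admin" ui="ssh(198.51.100.9)" srcip=198.51.100.9 msg="Administrator admin login failed from ssh(198.51.100.9) because of invalid password"
date=2016-03-01 time=10:02:00 type="event" subtype="system" level="information" action="login" status="success" user="admin" ui="https(10.0.0.5)" srcip=10.0.0.5 msg="Administrator admin logged in successfully from https(10.0.0.5)"
"""

# key=value where the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Return one log line's key=value pairs as a dict, quotes stripped."""
    fields = {}
    for key, quoted, bare in FIELD_RE.findall(line):
        fields[key] = quoted if quoted else bare
    return fields


def failed_logins(log_text):
    """Map each source IP to a Counter of the admin accounts it failed against."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") == "event" and f.get("action") == "login" and f.get("status") == "failed":
            failures[f.get("srcip", "unknown")][f.get("user", "unknown")] += 1
    return failures


def brute_force_sources(log_text, threshold=3):
    """Return {srcip: total failures} for sources with at least `threshold`
    failed logins; these are the entries worth drilling into in the console."""
    totals = {ip: sum(c.values()) for ip, c in failed_logins(log_text).items()}
    return {ip: n for ip, n in totals.items() if n >= threshold}


if __name__ == "__main__":
    for ip, n in brute_force_sources(SAMPLE_LOG).items():
        accounts = ", ".join(sorted(failed_logins(SAMPLE_LOG)[ip]))
        print(f"{ip}: {n} failed admin logins (accounts tried: {accounts})")
```

The threshold is deliberately a parameter: a single failure from an operator's workstation is noise, while a burst against several admin accounts from one address is the pattern the console is meant to surface, and the source address it reports is what a local-in policy such as the one the text mentions would be keyed on.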

Example PIM configuration that uses BSR to find the RP

This example shows how to configure a multicast routing network for a network consisting of four FortiGate-500A units (FortiGate-500A_1 to FortiGate-500A_4). A multicast sender is connected to FortiGate-500A_2. FortiGate-500A_2 forwards multicast packets in two directions to reach Receiver 1 and Receiver 2.
The configuration uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source). This example describes:

  • Commands used in this example
  • Configuration steps
  • Example debug commands

PIM network topology using BSR to find the RP

Commands used in this example

This example uses CLI commands for the following configuration settings:

  • Adding a loopback interface (lo0)
  • Defining the multicast routing
  • Adding the NAT multicast policy

Adding a loopback interface (lo0)

Where required, the following command is used to define a loopback interface named lo0.

config system interface
    edit lo0
        set vdom root
        set ip 1.4.50.4 255.255.255.255
        set allowaccess ping https ssh snmp http telnet
        set type loopback
    next
end

Defining the multicast routing

In this example, the following command syntax is used to define multicast routing.

The example uses a Boot Start Router (BSR) to find the Rendezvous Points (RPs) instead of using static RPs. Under interface configuration, the loopback interface lo0 must join the 236.1.1.1 group (source).

config router multicast
    config interface
        edit port6
            set pim-mode sparse-mode
        next
        edit port1
            set pim-mode sparse-mode
        next
        edit lo0
            set pim-mode sparse-mode
            set rp-candidate enable
            config join-group
                edit 236.1.1.1
                next
            end
            set rp-candidate-priority 1
        next
    end
    set multicast-routing enable
    config pim-sm-global
        set bsr-allow-quick-refresh enable
        set bsr-candidate enable
        set bsr-interface lo0
        set bsr-priority 200
    end
end

Example multicast destination NAT (DNAT) configuration

The example topology shown and described below illustrates how to configure destination NAT (DNAT) for two multicast streams. Both of these streams originate from the same source IP address, which is 10.166.0.11. The example configuration keeps the streams separate by creating two multicast NAT policies. In this example the FortiGate units have the following roles:

  • FGT-1 is the RP for dirty networks, 233.0.0.0/8.
  • FGT-2 performs all firewall and DNAT translations.
  • FGT-3 is the RP for the clean networks, 239.254.0.0/16.
  • FGT-1 and FGT-3 are functioning as PIM enabled routers and could be replaced by any PIM enabled router.

This example only describes the configuration of FGT-2. FGT-2 performs NAT so that the receivers connected to FGT-3 receive the following translated multicast streams:

  • If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.2.2.1, FGT-3 translates the source and destination IPs to 192.168.20.1 and 239.254.1.1.
  • If the multicast source sends multicast packets with a source and destination IP of 10.166.0.11 and 233.3.3.1, FGT-3 translates the source and destination IPs to 192.168.20.10 and 239.254.3.1.

Example multicast DNAT topology

To configure FGT-2 for DNAT multicast

1. Add a loopback interface. In the example, the loopback interface is named loopback.

config system interface
    edit loopback
        set vdom root
        set ip 192.168.20.1 255.255.255.0
        set type loopback
    next
end

2. Add PIM and add a unicast routing protocol to the loopback interface as if it were a normal routed interface. Also add static joins to the loopback interface for any groups to be translated.

config router multicast
    config interface
        edit loopback
            set pim-mode sparse-mode
            config join-group
                edit 233.2.2.1
                next
                edit 233.3.3.1
                next
            end
        next
    end
end

3. In this example, to add firewall multicast policies, different source IP addresses are required so you must first add an IP pool:

config firewall ippool
    edit Multicast_source
        set startip 192.168.20.10
        set endip 192.168.20.20
        set interface port6
    next
end

4. Add the translation security policies.

Policy 2, which is the source NAT policy, uses the actual IP address of port6. Policy 1, the DNAT policy, uses an address from the IP pool. The source and destination addresses will need to be previously created address objects. For this example, 233.3.3.1 255.255.255.255 will be represented by “example-addr_1” and 10.166.0.11 255.255.255.255 will be represented by “example-addr_2”. You will likely want to use something more intuitive from your own network.

config firewall multicast-policy
    edit 1
        set dnat 239.254.3.1
        set dstaddr example-addr_1
        set dstintf loopback
        set nat 192.168.20.10
        set srcaddr example-addr_2
        set srcintf port6
    next
    edit 2
        set dnat 239.254.1.1
        set dstaddr 233.2.2.1 255.255.255.255
        set dstintf loopback
        set nat 192.168.20.1
        set srcaddr 10.166.0.11 255.255.255.255
        set srcintf port6
    next
end

5. Add a firewall multicast policy to forward the stream from the loopback interface to the physical outbound interface.

This example is an any/any policy that makes sure traffic accepted by the other multicast policies can exit the FortiGate unit.

config firewall multicast-policy
    edit 3
        set dstintf port7
        set srcintf loopback
    next
end
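The five steps above only work together if several relationships hold: each NAT source is the loopback address or a pool address, the original groups sit in the dirty range FGT-1 serves, the translated groups sit in the clean range FGT-3 serves, every translated group has a static join on the loopback interface, and a policy forwards the streams back off the loopback. The following Python script is an added example, not part of the FortiOS documentation, that restates the procedure's objects as plain data and checks those relationships; the address objects example-addr_1 and example-addr_2 are written out as the IPs they stand for, and the function names and problem messages are this example's own.

```python
"""Consistency checks for the FGT-2 multicast DNAT configuration above.

Added example, not part of the FortiOS documentation. The procedure's objects
(loopback subnet, IP pool, loopback join-groups, multicast policies 1-3) are
re-stated as plain Python data and checked against the relationships the
text relies on. The range and address values come from the example itself;
the function names and problem strings are this example's own.
"""
import ipaddress

DIRTY_RANGE = ipaddress.ip_network("233.0.0.0/8")     # FGT-1 is the RP here
CLEAN_RANGE = ipaddress.ip_network("239.254.0.0/16")  # FGT-3 is the RP here
LOOPBACK_IP = ipaddress.ip_address("192.168.20.1")    # "set ip" on the loopback interface
POOL_START = ipaddress.ip_address("192.168.20.10")    # ippool Multicast_source
POOL_END = ipaddress.ip_address("192.168.20.20")
LOOPBACK_JOINS = {"233.2.2.1", "233.3.3.1"}           # config join-group on loopback

# One dict per "edit N" under config firewall multicast-policy.
POLICIES = [
    {"id": 1, "srcintf": "port6", "dstintf": "loopback",
     "srcaddr": "10.166.0.11", "dstaddr": "233.3.3.1",   # example-addr_2 / example-addr_1
     "nat": "192.168.20.10", "dnat": "239.254.3.1"},
    {"id": 2, "srcintf": "port6", "dstintf": "loopback",
     "srcaddr": "10.166.0.11", "dstaddr": "233.2.2.1",
     "nat": "192.168.20.1", "dnat": "239.254.1.1"},
    {"id": 3, "srcintf": "loopback", "dstintf": "port7"},  # any/any egress policy
]


def translate(policies, src, group):
    """Return (new_src, new_group) for a packet src -> group as the first
    matching translating policy would rewrite it, or None if none matches."""
    for p in policies:
        if "dnat" in p and p["srcaddr"] == src and p["dstaddr"] == group:
            return p["nat"], p["dnat"]
    return None


def check_policies(policies, joins=LOOPBACK_JOINS):
    """Return a list of problems found; an empty list means the set is consistent."""
    problems = []
    for p in policies:
        if "dnat" not in p:
            continue
        pid = p["id"]
        nat = ipaddress.ip_address(p["nat"])
        if not (nat == LOOPBACK_IP or POOL_START <= nat <= POOL_END):
            problems.append(f"policy {pid}: nat {nat} is neither the loopback address nor in the IP pool")
        if ipaddress.ip_address(p["dstaddr"]) not in DIRTY_RANGE:
            problems.append(f"policy {pid}: group {p['dstaddr']} is outside the dirty range {DIRTY_RANGE}")
        if ipaddress.ip_address(p["dnat"]) not in CLEAN_RANGE:
            problems.append(f"policy {pid}: dnat {p['dnat']} is outside the clean range {CLEAN_RANGE}")
        if p["dstaddr"] not in joins:
            problems.append(f"policy {pid}: no static join for {p['dstaddr']} on the loopback interface")
        if p["dstintf"] != "loopback":
            problems.append(f"policy {pid}: translating policies must terminate on the loopback interface")
    if not any("dnat" not in p and p.get("srcintf") == "loopback" for p in policies):
        problems.append("no policy forwards the translated streams from the loopback interface outbound")
    return problems


if __name__ == "__main__":
    for src, group in [("10.166.0.11", "233.2.2.1"), ("10.166.0.11", "233.3.3.1")]:
        print(f"{src} -> {group} becomes {translate(POLICIES, src, group)}")
    print("problems:", check_policies(POLICIES) or "none")
```

Run against the example's own values the check returns no problems and the two streams translate to the addresses the text promises; dropping policy 3 or a join-group, or pointing a dnat outside 239.254.0.0/16, produces a named problem, which is the kind of silent misconfiguration that otherwise only shows up as a stream that never reaches FGT-3.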

FortiGate PIM-SM debugging examples

Using the example topology shown below, you can trace the multicast streams and states within the three FortiGate units (FGT-1, FGT-2, and FGT-3) using the debug commands described in this section. The command output in this section is taken from the FortiGate units when the multicast stream is flowing correctly from source to receiver.

PIM-SM debugging topology

Checking that the receiver has joined the required group

From the last hop router, FGT-3, you can use the following command to check that the receiver has correctly joined the required group.

FGT-3 # get router info multicast igmp groups
IGMP Connected Group Membership
Group Address    Interface    Uptime      Expires     Last Reporter
239.255.255.1    port3        00:31:15    00:04:02    10.167.0.62

Only one receiver is displayed for a particular group; this is the device that responded to the IGMP query from FGT-3. If a receiver is active, the expire time should drop to approximately 2 minutes before being refreshed.

Checking the PIM-SM neighbors

Next, the PIM-SM neighbors should be checked. A PIM router becomes a neighbor when the PIM router receives a PIM hello. Use the following command to display the PIM-SM neighbors of FGT-3.

FGT-3 # get router info multicast pim sparse-mode neighbour
Neighbor        Interface    Uptime/Expires        Ver    DR Address    Priority/Mode
10.132.0.156    port2        01:57:12/00:01:33     v2     1 /
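When these checks are repeated across many units, the two tables above are easier to consume as data than by eye. The following Python script is an added example, not from the documentation: it parses the IGMP group table and the PIM neighbour table exactly as printed on this page (embedded here as strings) and answers the two questions the text asks, whether the expected group is joined on the expected interface with a live expire timer, and whether a PIM neighbour exists on the upstream interface. The whitespace-separated column layout is assumed from the samples, and the 260-second bound on the IGMP expire timer is the IGMPv2 default group membership interval, not a figure from the page.

```python
"""Parse the FortiGate IGMP group and PIM neighbour tables and check them.

Added example, not from the FortiOS documentation. The two sample outputs are
the ones printed on this page; the column layout (a title line plus a header
line for the IGMP table, a header line for the neighbour table, whitespace
separated columns) is assumed from those samples. The 260 s bound is the
IGMPv2 default group membership interval (2 x 125 s query interval + 10 s
query response interval), an assumption rather than a value from the page.
"""

IGMP_OUTPUT = """\
IGMP Connected Group Membership
Group Address Interface Uptime Expires Last Reporter
239.255.255.1 port3 00:31:15 00:04:02 10.167.0.62
"""

PIM_NEIGHBOUR_OUTPUT = """\
Neighbor Interface Uptime/Expires Ver DR Address Priority/Mode
10.132.0.156 port2 01:57:12/00:01:33 v2 1 /
"""

IGMP_MEMBERSHIP_INTERVAL = 260  # seconds; IGMPv2 default (assumption, see above)


def hms_to_seconds(text):
    """Convert an HH:MM:SS timer to seconds."""
    hours, minutes, seconds = (int(part) for part in text.split(":"))
    return hours * 3600 + minutes * 60 + seconds


def parse_igmp_groups(output):
    """Rows of 'get router info multicast igmp groups' as dicts."""
    rows = []
    for line in output.splitlines()[2:]:  # skip title and column header
        parts = line.split()
        if len(parts) < 5:
            continue
        rows.append({"group": parts[0], "interface": parts[1],
                     "uptime": hms_to_seconds(parts[2]),
                     "expires": hms_to_seconds(parts[3]),
                     "reporter": parts[4]})
    return rows


def parse_pim_neighbours(output):
    """Rows of 'get router info multicast pim sparse-mode neighbour' as dicts."""
    rows = []
    for line in output.splitlines()[1:]:  # skip column header
        parts = line.split()
        if len(parts) < 4 or "/" not in parts[2]:
            continue
        uptime, expires = parts[2].split("/")
        rows.append({"neighbour": parts[0], "interface": parts[1],
                     "uptime": hms_to_seconds(uptime),
                     "expires": hms_to_seconds(expires),
                     "version": parts[3]})
    return rows


def group_joined(output, group, interface):
    """True when `group` is joined on `interface` and its expire timer is live
    (greater than zero and within the membership interval), i.e. a receiver is
    still answering the IGMP queries."""
    return any(r["group"] == group and r["interface"] == interface
               and 0 < r["expires"] <= IGMP_MEMBERSHIP_INTERVAL
               for r in parse_igmp_groups(output))


def has_pim_neighbour(output, interface):
    """True when at least one PIM neighbour with a live hold timer exists on `interface`."""
    return any(r["interface"] == interface and r["expires"] > 0
               for r in parse_pim_neighbours(output))


if __name__ == "__main__":
    print("receiver joined 239.255.255.1 on port3:", group_joined(IGMP_OUTPUT, "239.255.255.1", "port3"))
    print("PIM neighbour on port2:", has_pim_neighbour(PIM_NEIGHBOUR_OUTPUT, "port2"))
```

Feeding the script the output captured from a unit where the stream has stopped (no row for the group, or an expire timer stuck at zero) makes `group_joined` return False, which narrows the fault to the receiver side before any RP or routing-table checks are needed.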

 

Checking that the PIM router can reach the RP

The rendezvous point (RP) must be reachable for the PIM router (FGT-3) to be able to send the (*,G) join to request the stream. This can be checked for FGT-3 using the following command:

FGT-3 # get router info multicast pim sparse-mode rp-mapping
PIM Group-to-RP Mappings
Group(s): 224.0.0.0/4, Static
    RP: 192.168.1.1
        Uptime: 07:23:00

Viewing the multicast routing table (FGT-3)

The FGT-3 unicast routing table can be used to determine the path taken to reach the RP at 192.168.1.1. You can then check the stream state entries using the following commands:

FGT-3 # get router info multicast pim sparse-mode table
IP Multicast Routing Table
(*,*,RP) Entries: 0
(*,G) Entries: 1
(S,G) Entries: 1
(S,G,rpt) Entries: 1
FCR Entries: 0