Description
How to create multicast security policies to allow AirPlay communication between an iOS device and an Apple TV through a FortiGate unit.
Scope
FortiOS 5.0 and above
Solution
Procedure
Step 1 - Enable multicast options
Enable multicast forwarding from the CLI with the following commands. config system setting is per VDOM, so run them in the VDOM that owns the Apple TV and client interfaces. multicast-forward lets the FortiGate relay multicast between its interfaces without a PIM configuration; multicast-ttl-notchange leaves the IP TTL of forwarded multicast packets unchanged instead of decrementing it.
config system setting
set multicast-forward enable
set multicast-ttl-notchange enable
end
Step 2 - Configure Multicast policies:
config firewall multicast-policy
edit 1
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "all"
set snat disable
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
next
edit 2
set status enable
set logtraffic enable
set srcintf "DMZ"
set dstintf "AppleTV interface"
set srcaddr "all"
set dstaddr "all"
set snat disable
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
next
edit 3
set status enable
set logtraffic enable
set srcintf "AppleTV interface"
set dstintf "Wan to internet interface"
set srcaddr "all"
set dstaddr "all"
set snat enable
set snat-ip 0.0.0.0
set dnat 0.0.0.0
set action accept
set protocol 17
set auto-asic-offload enable
set start-port 1
set end-port 5353
end
Each policy above allows every UDP destination port from 1 to 5353, from any source to any multicast group. AirPlay discovery (mDNS/Bonjour) only needs UDP 5353 to 224.0.0.251, so once AirPlay works, narrow the policies with set start-port 5353, set end-port 5353 and a dstaddr object for 224.0.0.251. Policy 3 forwards multicast towards the WAN interface; 224.0.0.251 is a link-local group that is not routed on the internet, so leave policy 3 out unless the AirPlay clients actually sit behind that interface.
Step 3 - Configure IPv4 policies
mDNS only discovers the Apple TV; the AirPlay session that follows is unicast, so ordinary IPv4 policies are needed between the same interfaces. In config firewall policy the NAT option is called nat (snat exists only in multicast-policy), and the CLI rejects a policy until schedule and service are set. The all/ALL objects open the segments completely; restrict srcaddr, dstaddr and service to the Apple TV, the client range and the AirPlay ports once it is working.
config firewall policy
edit 1
set status enable
set logtraffic all
set srcintf "AppleTV interface"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat disable
set action accept
next
edit 2
set status enable
set logtraffic all
set srcintf "DMZ"
set dstintf "AppleTV interface"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set nat disable
set action accept
next
edit 3
set status enable
set logtraffic all
set srcintf "AppleTV interface"
set dstintf "Wan to internet interface"
set srcaddr "all"
set dstaddr "all"
set schedule "always"
set service "ALL"
set action accept
set nat enable
next
end
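The quickest end-to-end check of Steps 1 to 3 is to do what the iOS device does: send an mDNS PTR query for _airplay._tcp.local to 224.0.0.251:5353 from the client segment and see whether the Apple TV answers. The script below is an added example and is not part of the Fortinet KB article; it assumes a Linux/macOS client with Python 3, that the client's egress interface is selected with the local_ip argument (an assumption, default 0.0.0.0), and that the Apple TV answers PTR queries for that service name. SAMPLE_RESPONSE is a constructed packet used to exercise the parser offline, not captured traffic.

```python
"""mDNS probe for AirPlay discovery across a FortiGate (added example).

Builds a Multicast DNS PTR query for _airplay._tcp.local, sends it to the
224.0.0.251:5353 group and lists the hosts that answer. If the multicast
policies from Step 2 are missing, the query never reaches the Apple TV's
segment and nobody answers.
"""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
AIRPLAY_SERVICE = "_airplay._tcp.local"
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000  # "unicast response requested" flag in the question class


def encode_name(name):
    """DNS wire encoding: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                   for label in name.strip(".").split("."))
    return out + b"\x00"


def build_mdns_query(service=AIRPLAY_SERVICE, unicast_response=True):
    """One-question mDNS query (id=0, flags=0 per RFC 6762). The QU bit asks
    responders to reply unicast to our source port, so no group join is needed."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(data, offset):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_mdns_response(data):
    """Return [(owner, target)] for every PTR record in a response packet."""
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:                   # QR bit clear: a query, not a response
        return []
    off = 12
    for _ in range(qd):                      # skip echoed questions
        _, off = decode_name(data, off)
        off += 4
    found = []
    for _ in range(an + ns + ar):
        owner, off = decode_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(data, off)
            found.append((owner, target))
        off += rdlen
    return found


def probe(timeout=2.0, local_ip="0.0.0.0"):
    """Send the query and collect AirPlay responders until timeout.
    local_ip selects the egress interface on a multi-homed client (assumption)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    # RFC 6762 specifies TTL 255 for mDNS; Step 1's multicast-ttl-notchange
    # keeps that value as the FortiGate forwards the packet.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
    sock.settimeout(timeout)
    responders = {}
    try:
        sock.sendto(build_mdns_query(), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, (src, _) = sock.recvfrom(9000)
            for owner, target in parse_mdns_response(data):
                if owner == AIRPLAY_SERVICE:
                    responders.setdefault(src, set()).add(target)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return responders


# Constructed sample answer (not captured traffic): one PTR record whose
# target uses a compression pointer (0xC00C) back to the owner name.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    + encode_name(AIRPLAY_SERVICE)
    + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 14)
    + b"\x0bLiving Room\xc0\x0c"
)

if __name__ == "__main__":
    for host, names in probe().items():
        print(host, sorted(names))
```

Run it from the client segment with the sniffer from the Diagnose section open on the FortiGate: the query should appear on the ingress interface and again on the Apple TV interface, and the unicast reply must then cross the Step 3 IPv4 policy in the opposite direction. No reply with the query visible only on the ingress interface points at Step 1 or 2; a reply visible on the FortiGate but never reaching the client points at Step 3.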
Diagnose commands to check traffic:
1.- Sniffer
# diagnose sniffer packet any 'host <ip_appletv>' 6 0 a
Verbosity 6 prints headers and payload, count 0 runs until stopped and a prints absolute timestamps. To see the discovery traffic as well, use the filter 'host <ip_appletv> or host 224.0.0.251', since mDNS is sent to the 224.0.0.251 group on UDP 5353, not to the Apple TV's own address.
To stop the sniffer
Ctrl + C
2.- Flow
# diagnose debug disable
# diagnose debug reset
# diagnose debug flow filter saddr <ip_appletv>
# diagnose debug flow show console enable
# diagnose debug flow show function-name enable
# diagnose debug flow show iprope enable
# diagnose debug flow trace start 1000
# diagnose debug enable
Stop the trace afterwards with diagnose debug flow trace stop followed by diagnose debug disable, otherwise it keeps writing to the console.
Multicast traffic example. policy-0 in a flow trace is the implicit deny, so the packet below (mDNS from 172.16.7.77 to 224.0.0.251:5353, received on FAP-4) matched no multicast policy and was dropped; once the policies from Step 2 are active the same trace should end with the id of the matching multicast policy and act-accept:
id=20085 trace_id=58 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 172.16.7.77:5353->224.0.0.251:5353) from FAP-4. "
id=20085 trace_id=58 func=init_ip_session_common line=4624 msg="allocate a new session-00321386"
id=20085 trace_id=58 func=iprope_dnat_check line=4641 msg="in-[FAP-4], out-[]"
id=20085 trace_id=58 func=iprope_dnat_check line=4654 msg="result: skb_flags-00800000, vid-0, ret-no-match, act-accept, flag-00000000"
id=20085 trace_id=58 func=__iprope_check line=2051 msg="gnum-10000a, check-ffffffffa009768b"
id=20085 trace_id=58 func=__iprope_check_one_policy line=1841 msg="checked gnum-10000a policy-0, ret-matched, act-accept"
id=20085 trace_id=58 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop
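When a trace runs for a while it is easier to let a script group the lines by trace_id and say which policy decided each packet. The script below is an added example, not part of the Fortinet KB article; it matches the print_pkt_detail line, the iprope "policy-N is matched, act-X" line shown above and the "Allowed by Policy-N:" / "Denied by forward policy check (policy N)" lines FortiOS prints for the unicast forward path. SAMPLE_TRACE is constructed and modelled on the output above (trace 58 copied from it, traces 59 and 60 invented to show an accepted multicast packet and an accepted unicast one); the fw_forward_handler line number and the AirPlay TCP port in it are assumptions.

```python
"""Classify FortiGate 'diagnose debug flow' output for mDNS traffic (added example).

Groups flow-trace lines by trace_id and reports which policy decided each
packet. policy-0 is the FortiOS implicit deny, so 'policy-0 is matched,
act-drop' on a packet to 224.0.0.251:5353 means no multicast policy matched.
"""
import re

PKT_RE = re.compile(
    r'trace_id=(?P<tid>\d+) .*?msg="vd-(?P<vdom>\S+) received a packet\('
    r'proto=(?P<proto>\d+), (?P<src>[\d.]+):(?P<sport>\d+)->'
    r'(?P<dst>[\d.]+):(?P<dport>\d+)\) from (?P<iface>.+?)\.\s*"')
# Final iprope decision (multicast policies), e.g. 'policy-0 is matched, act-drop'
IPROPE_RE = re.compile(
    r'trace_id=(?P<tid>\d+) .*?policy-(?P<pid>\d+) is matched, act-(?P<act>\w+)')
# Unicast forward-path decisions, as printed for IPv4 policies
ALLOW_RE = re.compile(r'trace_id=(?P<tid>\d+) .*?Allowed by Policy-(?P<pid>\d+)')
DENY_RE = re.compile(
    r'trace_id=(?P<tid>\d+) .*?Denied by forward policy check \(policy (?P<pid>\d+)\)')


def summarize_flow(lines):
    """Return {trace_id: {src, dst, iface, policy, act, mdns, verdict, ...}}."""
    traces = {}
    for line in lines:
        m = PKT_RE.search(line)
        if m:
            traces.setdefault(m["tid"], {}).update(
                vdom=m["vdom"], iface=m["iface"], proto=int(m["proto"]),
                src=m["src"], sport=int(m["sport"]),
                dst=m["dst"], dport=int(m["dport"]))
            continue
        m = IPROPE_RE.search(line)
        if m:
            traces.setdefault(m["tid"], {}).update(policy=int(m["pid"]), act=m["act"])
            continue
        m = ALLOW_RE.search(line)
        if m:
            traces.setdefault(m["tid"], {}).update(policy=int(m["pid"]), act="accept")
            continue
        m = DENY_RE.search(line)
        if m:
            traces.setdefault(m["tid"], {}).update(policy=int(m["pid"]), act="drop")
    for t in traces.values():
        # mDNS is UDP (proto 17) to the 224.0.0.251 group on port 5353
        t["mdns"] = (t.get("proto") == 17 and t.get("dst") == "224.0.0.251"
                     and t.get("dport") == 5353)
        pid, act = t.get("policy"), t.get("act")
        if act is None:
            t["verdict"] = "incomplete trace"
        elif act == "accept":
            t["verdict"] = f"accepted by policy {pid}"
        elif pid == 0:
            t["verdict"] = "dropped by implicit deny (policy 0)"
        else:
            t["verdict"] = f"dropped by policy {pid}"
    return traces


# Constructed sample, modelled on the trace in the article (not a real capture).
SAMPLE_TRACE = """\
id=20085 trace_id=58 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 172.16.7.77:5353->224.0.0.251:5353) from FAP-4. "
id=20085 trace_id=58 func=init_ip_session_common line=4624 msg="allocate a new session-00321386"
id=20085 trace_id=58 func=__iprope_check_one_policy line=1841 msg="checked gnum-10000a policy-0, ret-matched, act-accept"
id=20085 trace_id=58 func=__iprope_check_one_policy line=2022 msg="policy-0 is matched, act-drop"
id=20085 trace_id=59 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=17, 172.16.7.77:5353->224.0.0.251:5353) from FAP-4. "
id=20085 trace_id=59 func=__iprope_check_one_policy line=2022 msg="policy-1 is matched, act-accept"
id=20085 trace_id=60 func=print_pkt_detail line=4471 msg="vd-root received a packet(proto=6, 172.16.7.10:52100->172.16.7.77:7000) from DMZ. "
id=20085 trace_id=60 func=fw_forward_handler line=743 msg="Allowed by Policy-2:"
""".splitlines()

if __name__ == "__main__":
    for tid, t in sorted(summarize_flow(SAMPLE_TRACE).items(), key=lambda kv: int(kv[0])):
        kind = "mDNS" if t["mdns"] else "other"
        print(f"trace {tid}: {kind} {t.get('src')}->{t.get('dst')}:{t.get('dport')} "
              f"in {t.get('iface')}: {t['verdict']}")
```

Feed it the console output saved from the flow trace (python3 flow_summary.py < trace.txt after replacing SAMPLE_TRACE with sys.stdin). A run of mDNS packets all ending in the implicit deny on the Apple TV interface means Step 2 did not take effect for that interface pair; drops on TCP/UDP packets to the Apple TV's unicast address point at Step 3.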