FortiGate
alif, Staff
Article Id 192362
Description
This article describes how to configure an access list and apply it as an IGMP access-group, so that hosts behind a FortiGate interface can join only specific multicast groups.

Solution
If no access-group is configured under an interface's IGMP settings, the FortiGate accepts IGMP membership reports for any multicast group on that interface, so hosts can join any group and every stream they request is forwarded to them.
To restrict which multicast groups hosts may join, an access list whose prefixes are the permitted group addresses is configured and applied as the IGMP access-group on the interface that faces those hosts.


The following access list permits joins to two multicast group addresses only; the final rule denies every other group:
# config router access-list
    edit "IGMP_allowed"
        # config rule
            edit 1
                set prefix 224.1.1.1 255.255.255.255
            next
            edit 2
                set prefix 239.239.0.1 255.255.255.255
            next
            edit 3
                set prefix 0.0.0.0 0.0.0.0
                set action deny
            next
        end
    next
end
There is no implicit deny at the end of an access list, so a group address that matches none of the rules is still permitted.
To allow only the listed group addresses, a final catch-all rule (prefix 0.0.0.0 0.0.0.0) is added with the 'deny' action; rules are evaluated in order and the first matching prefix decides.
The access list then has to be applied as the IGMP access-group on the specific interface that faces the receivers.

# config router multicast
    set multicast-routing enable
    # config interface
        edit "port1"
            set pim-mode sparse-mode
            # config igmp
                set access-group "IGMP_allowed"
            end
        next
    end
end
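The following Python script is an added example (not Fortinet code and not part of the original article) that models how the access list above is evaluated against a join request: it parses the 'config router access-list' CLI syntax, applies first-match semantics to a multicast group address, and shows the difference the trailing deny rule makes. Two assumptions are built in and labelled: a rule without 'set action' is treated as a permit (the FortiOS default), and a group that matches no rule is permitted, which is the article's "no implicit deny" statement exposed as a parameter so both behaviours can be compared. The group addresses used in the demo are constructed test input.

```python
"""Model of how a FortiGate IGMP access-group decides whether a host may join a group.

Added example, not Fortinet code. Assumptions: a rule with no 'set action' is a
permit (FortiOS default), and a group matching no rule is permitted (the
article's "no implicit deny" statement), modelled as the unmatched_permit flag.
"""
import ipaddress
from dataclasses import dataclass, field

MULTICAST_RANGE = ipaddress.IPv4Network("224.0.0.0/4")  # every IGMP group address lies here


@dataclass
class Rule:
    seq: int
    network: ipaddress.IPv4Network = field(
        default_factory=lambda: ipaddress.IPv4Network("0.0.0.0/0"))
    action: str = "permit"  # assumed default when 'set action' is omitted (rules 1 and 2 above)


def parse_access_lists(cli_text: str) -> dict:
    """Parse access lists from FortiOS CLI text; a leading '#' (as in the article) is ignored."""
    lists, name, rule, in_rules = {}, None, None, False
    for raw in cli_text.splitlines():
        line = raw.strip().lstrip("#").strip()
        if not line:
            continue
        if line.startswith("config rule"):
            in_rules = True
        elif line.startswith("edit "):
            arg = line[5:].strip().strip('"')
            if in_rules:
                rule = Rule(seq=int(arg))           # numeric rule id inside 'config rule'
            else:
                name = arg                          # quoted access-list name
                lists[name] = []
        elif line.startswith("set prefix ") and rule is not None:
            parts = line.split()[2:]
            if parts == ["any"]:                    # CLI spelling of 0.0.0.0/0
                rule.network = ipaddress.IPv4Network("0.0.0.0/0")
            else:
                rule.network = ipaddress.IPv4Network((parts[0], parts[1]), strict=False)
        elif line.startswith("set action ") and rule is not None:
            rule.action = line.split()[2]
        elif line in ("next", "end"):
            if rule is not None:                    # an 'end' with an open rule still closes it
                lists[name].append(rule)
                rule = None
            if line == "end":
                in_rules = False
            elif not in_rules:                      # 'next' outside 'config rule' closes the list
                name = None
    return lists


def group_permitted(rules, group: str, unmatched_permit: bool = True) -> bool:
    """Evaluate rules in id order; the first matching prefix decides.
    unmatched_permit=True models the article's no-implicit-deny statement."""
    addr = ipaddress.IPv4Address(group)
    for r in sorted(rules, key=lambda r: r.seq):
        if addr in r.network:
            return r.action == "permit"
    return unmatched_permit


def lint_igmp_access_group(rules) -> list:
    """Checks worth running before 'set access-group': dead rules and missing catch-all deny."""
    warnings, ordered = [], sorted(rules, key=lambda r: r.seq)
    for r in ordered:
        if not r.network.overlaps(MULTICAST_RANGE):
            warnings.append(f"rule {r.seq}: prefix {r.network} is not a multicast group and can never match")
    if not ordered or ordered[-1].action != "deny" or ordered[-1].network.prefixlen != 0:
        warnings.append("no trailing catch-all deny: any group not listed will be permitted")
    return warnings


# Constructed copy of the article's access list (quotes and the missing 'next' corrected).
ARTICLE_CLI = """
config router access-list
    edit "IGMP_allowed"
        config rule
            edit 1
                set prefix 224.1.1.1 255.255.255.255
            next
            edit 2
                set prefix 239.239.0.1 255.255.255.255
            next
            edit 3
                set prefix 0.0.0.0 0.0.0.0
                set action deny
            next
        end
    next
end
"""


def demo() -> dict:
    """Compare the list with and without its catch-all deny for constructed group addresses."""
    rules = parse_access_lists(ARTICLE_CLI)["IGMP_allowed"]
    without_deny = [r for r in rules if r.action != "deny"]
    groups = ["224.1.1.1", "239.239.0.1", "239.1.1.1"]
    return {
        "with_deny": {g: group_permitted(rules, g) for g in groups},
        "without_deny": {g: group_permitted(without_deny, g) for g in groups},
        "lint_without_deny": lint_igmp_access_group(without_deny),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows 239.1.1.1 denied with rule 3 in place and permitted without it; the lint output flags the missing catch-all, which is the practical point: add the explicit deny and the question of implicit behaviour never arises. The lint also flags permit rules whose prefix lies outside 224.0.0.0/4, which can never match an IGMP group and usually indicate a copy-paste from a unicast access list.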
Useful Links:

CLI Reference: https://docs.fortinet.com/document/fortigate/6.0.0/cli-reference/741750/router-multicast
Multicast processing and basic multicast policy: https://docs.fortinet.com/document/fortigate/6.2.0/cookbook/968606/multicast-processing-and-basic-mu...
Multicast forwarding on FortiGate: https://docs.fortinet.com/document/fortigate/6.0.0/handbook/289647/multicast-forwarding
