Chapter 7 Firewall for FortiOS 5.0 : Multicast forwarding : Configuring FortiGate multicast forwarding : Enabling multicast forwarding
  
Enabling multicast forwarding
Multicast forwarding is enabled by default. In NAT mode you must use the multicast-forward keyword of the system settings CLI command to enable or disable multicast forwarding. When multicast-forward is enabled, the FortiGate unit forwards any multicast IP packets in which the TTL is 2 or higher to all interfaces and VLAN interfaces except the receiving interface. The TTL in the IP header will be reduced by 1. Even though the multicast packets are forwarded to all interfaces, you must add security policies to actually allow multicast packets through the FortiGate. In our example, the security policy allows multicast packets received by the internal interface to exit to the external interface.
 
Enabling multicast forwarding is only required if your FortiGate unit is operating in NAT mode. If your FortiGate unit is operating in transparent mode, adding a multicast policy enables multicast forwarding.
Enter the following CLI command to enable multicast forwarding:
config system settings
set multicast-forward enable
end
If multicast forwarding is disabled, the FortiGate unit drops packets that have multicast source or destination addresses.
You can also use the multicast-ttl-notchange keyword of the system settings command so that the FortiGate unit does not decrement the TTL value of forwarded multicast packets (the TTL is left unchanged). You should use this option only if packets are expiring before reaching the multicast router.
config system settings
set multicast-ttl-notchange enable
end
In transparent mode, the FortiGate unit does not forward frames with multicast destination addresses by default. Multicast traffic, such as that used by routing protocols or streaming media, may need to traverse the FortiGate unit, and the FortiGate unit should not interfere with that communication. To avoid any issues during transmission, you can set up multicast security policies. These types of security policies can only be configured using the CLI.
 
The CLI parameter multicast-skip-policy must be disabled when using multicast security policies; otherwise multicast traffic bypasses the multicast policies. To disable it, enter the command:
config system settings
set multicast-skip-policy disable
end
In this simple example, no check is performed on the source or destination interfaces. A multicast packet received on an interface is flooded unconditionally to all interfaces on the forwarding domain, except the incoming interface.
To enable the multicast policy:
config firewall multicast-policy
edit 1
set action accept
end
In this example, the multicast policy only applies to packets received on the source interface wan1 and forwarded out the destination interface internal.
To enable the restrictive multicast policy:
config firewall multicast-policy
edit 1
set srcintf wan1
set dstintf internal
set action accept
end
In this example, packets are allowed to flow from wan1 to internal only when sourced from the address 172.20.120.129. This address needs to be configured as an address object. For simplicity we will assume that this address is represented by the address object "example-addr_A".
To enable the restrictive multicast policy:
config firewall multicast-policy
edit 1
set srcintf wan1
set srcaddr example-addr_A
set dstintf internal
set action accept
end
This example shows how to configure the multicast security policy required for the configuration shown. This policy accepts multicast packets that are sent from a PC with IP address 192.168.5.18, which will be represented by the address object "example-addr_X", to the destination address range 239.168.4.0, which will be represented by the address object "example-addr_Y". The policy allows the multicast packets to enter the internal interface and then exit the external interface. When the packets leave the external interface, their source address is translated to 192.168.18.10.
config firewall multicast-policy
edit 5
set srcaddr example-addr_X
set srcintf internal
set dstaddr example-addr_Y
set dstintf external
set nat 192.168.18.10
end
This example shows how to configure a multicast security policy so that the FortiGate unit forwards multicast packets from a multicast server with IP address 10.10.10.10, represented by the address object "example-addr_C", that is sending to the multicast group address 225.1.1.1, represented by the address object "example-addr_D". This server is on the network connected to the FortiGate dmz interface. A second policy with no interface or address restrictions denies all other multicast traffic.
config firewall multicast-policy
edit 1
set srcintf dmz
set srcaddr example-addr_C
set dstintf internal
set dstaddr example-addr_D
set action accept
next
edit 2
set action deny
end
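The following is an added example, not part of the FortiOS documentation: a small Python model of the forwarding decision this section describes (multicast-forward, the TTL >= 2 rule and decrement, multicast-ttl-notchange, multicast-skip-policy, and ordered multicast policies with srcintf/dstintf/srcaddr/dstaddr/nat), so the effect of each setting can be checked against the examples above. Address objects are modelled as CIDR strings, and "first matching policy wins, no match means drop" is an assumption of the model rather than something this page states.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class MulticastPolicy:
    """One 'config firewall multicast-policy' entry; None means 'any'."""
    srcintf: Optional[str] = None
    dstintf: Optional[str] = None
    srcaddr: Optional[str] = None   # address object as CIDR, e.g. "10.10.10.10/32"
    dstaddr: Optional[str] = None   # multicast group, e.g. "225.1.1.1/32"
    action: str = "accept"          # 'set action accept|deny'
    nat: Optional[str] = None       # 'set nat <ip>': source address on egress

    def matches(self, src, dst, in_if, out_if):
        return all([
            self.srcintf in (None, in_if),
            self.dstintf in (None, out_if),
            self.srcaddr is None or ipaddress.ip_address(src) in ipaddress.ip_network(self.srcaddr),
            self.dstaddr is None or ipaddress.ip_address(dst) in ipaddress.ip_network(self.dstaddr),
        ])

@dataclass
class FortiGateModel:
    interfaces: List[str]
    multicast_forward: bool = True     # set multicast-forward enable
    ttl_notchange: bool = False        # set multicast-ttl-notchange enable
    skip_policy: bool = False          # set multicast-skip-policy disable
    policies: List[MulticastPolicy] = field(default_factory=list)

    def forward(self, src, dst, ttl, in_if):
        """Return {egress_if: (source_after_nat, ttl_out)} for one packet."""
        out = {}
        # Forwarding disabled, or TTL below 2: the packet is dropped.
        if not self.multicast_forward or ttl < 2:
            return out
        ttl_out = ttl if self.ttl_notchange else ttl - 1
        for out_if in self.interfaces:
            if out_if == in_if:          # never sent back out the receiving interface
                continue
            if self.skip_policy:         # multicast-skip-policy enable: flood everywhere
                out[out_if] = (src, ttl_out)
                continue
            # First matching policy decides (model assumption); no match drops.
            for pol in self.policies:
                if pol.matches(src, dst, in_if, out_if):
                    if pol.action == "accept":
                        out[out_if] = (pol.nat or src, ttl_out)
                    break
        return out
```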