Firewall Settings > Multicast

IP multicasting is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presentations and video conferencing. For example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream. In multicasting, the sending host transmits a single IP packet with a specific multicast address, and the 10 hosts simply need to be configured to listen for packets targeted to that address to receive the transmission. Multicasting is a point-to-multipoint IP communication mechanism that operates in a connectionless mode - hosts receive multicast transmissions by “tuning in” to them, a process similar to tuning in to a radio.

The Firewall Settings > Multicast page allows you to manage multicast traffic on the firewall.

Topics:
Multicast Snooping
Multicast Policies
IGMP State Table
Enabling Multicast on LAN-Dedicated Interfaces
Enabling Multicast Through a VPN

Multicast Snooping

This section provides configuration tasks for Multicast Snooping.
Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic.
Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded to only interfaces joined into a multicast group address using IGMP.
Multicast state table entry timeout (minutes) - This field has a default of 5. The value range for this field is 5 to 60 (minutes). Update the default timer value of 5 in the following conditions:
You suspect membership queries or reports are being lost on the network.
You want to reduce the IGMP traffic on the network and currently have a large number of multicast groups or clients. This is a condition where you do not have a router to route traffic.
You want to synchronize the timing with an IGMP router.

Multicast Policies

This section provides configuration tasks for Multicast Policies.
Enable reception of all multicast addresses - This radio button is not enabled by default. Select this radio button to receive all (class D) multicast addresses.
* 
NOTE: Receiving all multicast addresses may cause your network to experience performance degradation.
Enable reception for the following multicast addresses - This radio button is enabled by default. In the drop-down menu, select Create a new multicast object or Create new multicast group.
* 
NOTE: Only address objects and groups associated with the MULTICAST zone are available to select. Only addresses from 224.0.0.1 to 239.255.255.255 can be bound to the MULTICAST zone.
* 
NOTE: You can specify up to 200 total multicast addresses.
To create a multicast address object, perform the following steps:
1
In the Enable reception for the following multicast addresses drop-down menu, select Create new multicast object. The Add Address Object dialog displays.

2
Configure the name of the address object in the Name field.
3
From the Zone Assignment drop-down menu, select MULTICAST.
4
From the Type drop-down menu, select Host, Range, Network, or MAC.
5
Depending on you Type selection, the options on the dialog change. If you selected:
Host or Network, the IP Address field displays. Enter the IP address of the host or network. The IP address must be in the range for multicast: 224.0.0.0 to 239.255.255.255.
Network, the Netmask field displays. Enter the netmask for the network.
Range, the Starting IP Address and Ending IP Address fields display. Enter the starting and ending IP address for the address range. The IP addresses must be in the range for multicast: 224.0.0.1 to 239.255.255.255.
6
Click OK.

IGMP State Table

This section provides descriptions of the fields in the IGMP State Table.
Multicast Group Address—Provides the multicast group address the interface is joined to.
Interface / VPN Tunnel—Provides the interface (such as LAN) for the VPN policy.
IGMP Version—Provides the IGMP version (such as V2 or V3).
Time Remaining
Flush — Provides an icon to flush that particular entry.
Flush and Flush All buttons—To flush a specific entry immediately, check the box to the left of the entry and click Flush. Click Flush All to immediately flush all entries.

Enabling Multicast on LAN-Dedicated Interfaces

To enable multicast support on the LAN-dedicated interfaces of your firewall:
1
Go to the Firewall Settings > Multicast page.
2
Under Multicast Snooping, select Enable Multicast.
3
Under Multicast Policy, select Enable the reception of all multicast addresses.
4
Click Accept.
5
Go to the Network > Interfaces page.
6
Click the Configure button for the LAN interface you want to configure. The Edit Interface dialog displays.
7
Click the Advanced tab.
8
Select Enable Multicast Support.
9
Click OK.
To enable multicast support for address objects over a VPN tunnel:
1
Go to the Firewall Settings > Multicast page.
2
Under Multicast Snooping, select Enable Multicast.
3
Under Multicast Policy, select Enable the reception for the following multicast addresses.
4
From the drop-down menu, select Create new multicast address object. The Add Address Object dialog appears.

5
In the Name field, enter a name for your multicast address object.
6
From the Zone Assignment drop-down menu, select a zone: LAN, WAN, DMZ, VPN, SSLVPN, MGMT, MULTICAST, or WLAN.
7
When you select a type from the Type drop-down menu, the other options change, depending on the selection. If you select:
Host, enter an IP address in the IP Address field.
Range, enter the starting and ending IP addresses in the Starting IP Address and the Ending IP Address.
Network, enter the network IP address in the Netmask field and a netmask or prefix length in the Netmask/Prefix Length field.
MAC, enter the MAC address in the MAC Address field and select the Multi-homed host checkbox (which is selected by default).
FQDN, enter the FQDN hostname in the FQDN Hostname field.
8
Click OK.
9
Go to the VPN > Settings page.
10
In the VPN Policies table, click the Configure icon for the Group VPN policy you want to configure. The VPN Policy dialog displays.
11
Click the Advanced tab.
12
In the Advanced Settings section, select Enable Multicast.
13
Click OK.

Enabling Multicast Through a VPN

To enable multicast across the WAN through a VPN, follow:
1
Enable multicast globally:
a
Navigate to the Firewall Settings > Multicast page.
b
Check the Enable Multicast checkbox.
c
Click the Accept button.
d
Repeat Step a through Step c for each interface on all participating security appliances.
2
Enable multicast support on each individual interface that will be participating in the multicast network.
a
Navigate to the Network > Interfaces page
b
Click the Edit icon of the participating interface. The Edit Interface dialog displays.
c
Click the Advanced tab.

d
Select the Enable Multicast Support checkbox.
e
Click OK.
f
Repeat Step a through Step e for each participating interface on all participating appliances.
3
Enable multicast on the VPN policies between the security appliances.
a
Navigate to the VPN > Settings page.
b
Click the Edit icon of a policy that includes multicasting. The VPN Policy dialog displays.
c
Click the Advanced tab.

d
In the Advanced Settings section, select Enable Multicast.
e
Click OK.
4
Verify the tunnels are active between the sites.
5
Start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.255), the firewall queries its IGMP state table for that group to determine where to deliver that data. Similarly, when the appliance receives that data at the VPN zone, the appliance queries its IGMP State Table to determine where it should deliver the data.

The IGMP State Tables (upon updating) should provide information indicating that there is a multicast client on the X3 interface, and across the vpnMcastServer tunnel for the 224.15.16.17 group.

* 
NOTE: By selecting Enable reception of all multicast addresses, you might see entries other than those you are expecting to see when viewing your IGMP State Table. These are caused by other multicast applications that might be running on your hosts.