Firewall Settings > Multicast

IP multicasting is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presentations and video conferencing. For example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream. In multicasting, the sending host transmits a single IP packet with a specific multicast address, and the 10 hosts simply need to be configured to listen for packets targeted to that address to receive the transmission. Multicasting is a point-to-multipoint IP communication mechanism that operates in a connectionless mode - hosts receive multicast transmissions by “tuning in” to them, a process similar to tuning in to a radio.

The Firewall Settings > Multicast page allows you to manage multicast traffic on the firewall.

Topics:

•	Multicast Snooping

•	Multicast Policies

•	IGMP State Table

•	Enabling Multicast on LAN-Dedicated Interfaces

•	Enabling Multicast Through a VPN

Multicast Snooping

This section provides configuration tasks for Multicast Snooping.

•	Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic.

•	Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded to only interfaces joined into a multicast group address using IGMP.

•	Multicast state table entry timeout (minutes) - This field has a default of 5. The value range for this field is 5 to 60 (minutes). Update the default timer value of 5 in the following conditions:

•	You suspect membership queries or reports are being lost on the network.

•	You want to reduce the IGMP traffic on the network and currently have a large number of multicast groups or clients. This is a condition where you do not have a router to route traffic.

•	You want to synchronize the timing with an IGMP router.

Multicast Policies

This section provides configuration tasks for Multicast Policies.

•	Enable reception of all multicast addresses - This radio button is not enabled by default. Select this radio button to receive all (class D) multicast addresses. Receiving all multicast addresses may cause your network to experience performance degradation.

•	Enable reception for the following multicast addresses - This radio button is enabled by default. In the drop-down menu, select Create a new multicast object or Create new multicast group.

NOTE: Only address objects and groups associated with the MULTICAST zone are available to select. Only addresses from 224.0.0.1 to 239.255.255.255 can be bound to the MULTICAST zone.

To create a multicast address object, perform the following steps:

1	In the Enable reception for the following multicast addresses list, select Create new multicast object.

2	In the Add Address Object window, configure:

•	Name: The name of the address object.

•	Zone Assignment: Select MULTICAST.

•	Type: Select Host, Range, Network, or MAC.

•	IP Address: If you selected Host or Network, the IP address of the host or network. The IP address must be in the range for multicast, 224.0.0.0 to 239.255.255.255.

•	Netmask: If you selected Network, the netmask for the network.

•	Starting IP Address and Ending IP Address: If you selected Range, the starting and ending IP address for the address range. The IP addresses must be in the range for multicast, 224.0.0.1 to 239.255.255.255.

IGMP State Table

This section provides descriptions of the fields in the IGMP State table.

•	Multicast Group Address—Provides the multicast group address the interface is joined to.

•	Interface / VPN Tunnel—Provides the interface (such as LAN) for the VPN policy.

•	IGMP Version—Provides the IGMP version (such as V2 or V3).

•	Flush and Flush All buttons—To flush a specific entry immediately, check the box to the left of the entry and click Flush. Click Flush All to immediately flush all entries.

Enabling Multicast on LAN-Dedicated Interfaces

To enable multicast support on the LAN-dedicated interfaces of your firewall:

1	Go to the Firewall Settings > Multicast page.

2	Under Multicast Snooping, select Enable Multicast.

3	Under Multicast Policy, select Enable the reception of all multicast addresses.

4	Go to the Network > Interfaces page.

5	Click the Configure button for the LAN interface you want to configure.

6	In the Edit Interface dialog, under the Advanced tab, select Enable Multicast Support.

To enable multicast support for address objects over a VPN tunnel:

1	Go to the Firewall Settings > Multicast page.

2	Under Multicast Snooping, select Enable Multicast.

3	Under Multicast Policy, select Enable the reception for the following multicast addresses.

4	From the drop-down menu, select Create new multicast address object....

The Add Address Object dialog appears.

5	In the Name box, enter a name for your multicast address object.

6	From the Zone Assignment menu, select a zone: LAN, WAN, DMZ, VPN, SSLVPN, MGMT, MULTICAST, or WLAN.

7	From the Type menu, select Host, Range, Network, MAC, or FQDN.

•	If you select Host, in the IP Address box, enter an IP address.

•	If you select Range, enter the Starting IP Address and the Ending IP Address.

•	If you select Network, enter the Network IP address and a Netmask.

•	If you select MAC, enter the MAC Address.

8	Go to the VPN > Settings page.

9	Under VPN Policies, click the Configure button for the Group VPN policy you want to configure.

10	In the VPN Policy dialog, under the Advanced tab, select Enable Multicast.

Enabling Multicast Through a VPN

To enable multicast across the WAN through a VPN, follow:

1	Enable multicast globally. On the Firewall Settings > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance.

2	Enable multicast support on each individual interface that will be participating in the multicast network. On the Network > Interfaces page for each interface on all security appliances participating, go to the Edit Interface: Advanced tab, and select the Enable Multicast Support checkbox.

3	Enable multicast on the VPN policies between the security appliances. From the VPN > Settings page, Advanced tab for each policy, select the Enable Multicast checkbox.

NOTE: The default WLAN'MULTICAST access rule for IGMP traffic is set to DENY. This will need to be changed to ALLOW on all participating appliances to enable multicast if they have multicast clients on their WLAN zones.

4

Verify the tunnels are active between the sites, and start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.255), the firewall will query its IGMP state table for that group to determine where to deliver that data. Similarly, when the appliance receives that data at the VPN zone, it will query its IGMP State Table to determine where it should deliver the data.

The IGMP State Tables (upon updating) should provide information indicating that there is a multicast client on the X3 interface, and across the vpnMcastServer tunnel for the 224.15.16.17 group.

NOTE: By selecting Enable reception of all multicast addresses, you might see entries other than those you are expecting to see when viewing your IGMP State Tabled. These are caused by other multicast applications that might be running on your hosts.