Block or Disable IGMP

Author
mrasker42
New Member
  • Total Posts : 2
  • Scores: 0
  • Reward points: 0
  • Joined: 2021/09/23 05:05:56
  • Status: offline
2021/09/23 05:23:59 (permalink)
0

Block or Disable IGMP

I have a customer who wants us to block or disable IGMP in their FortiGate 60E, which is located on an internal and closed network. I have not worked with Fortinet/FortiGate before, so please be patient.
 
So I have Googled to find a solution and read up on ways to do this, but have so far not found a clear-cut way to do it. Maybe someone here has already tried this and found a solution?
 
I have also come up with a few possible ways forward, but the lack of a lab and my inexperience with Fortinet/FortiGate make me a bit hesitant to try it "live".
 
Below is my preferred alternative:
config firewall multicast-policy
    edit 0
        set status enable
        set logtraffic disable
        set srcintf "all"
        set dstintf "all"
        set srcaddr "all"
        set dstaddr "all"
        set snat disable
        set action deny
        set protocol 2
        set start-port 0
        set end-port 0
        set auto-asic-offload disable
    next
end

 
But maybe this is a better way to do it?
config router multicast
    set multicast-routing disable
end

 
Thank you in advance for any assistance. I do appreciate it.
 
#1

3 Replies

    Benoit_Rech_FTNT
    Bronze Member
    • Total Posts : 60
    • Scores: 11
    • Reward points: 0
    • Joined: 2013/06/04 02:38:46
    • Location: Sophia Antipolis (France)
    • Status: offline
    Re: Block or Disable IGMP 2021/09/27 05:54:30 (permalink)
    0
    Hello,
    By default, IGMP has a TTL of 1, which means it will not be routed by the FortiGate. Moreover, IGMP is not enabled by default on the FortiGate; you have to enable it on each interface that should participate in multicast.
    For me, there is nothing special to configure on the FortiGate to achieve what is requested.


    If you want to prevent the FortiGate from answering requests sent to the FortiGate itself, then the best option is to use a local-in-policy.
    You can follow this example on how to configure local-in policies.
    https://kb.fortinet.com/kb/microsites/search.do?cmd=displayKC&docType=kc&externalId=FD48899

    Best regards,
    Benoit
    #2
    mrasker42
    New Member
    • Total Posts : 2
    • Scores: 0
    • Reward points: 0
    • Joined: 2021/09/23 05:05:56
    • Status: offline
    Re: Block or Disable IGMP 2021/09/27 13:50:37 (permalink)
    0
    Hi,
     
    Thank you for your answer. 
     
    The thing is that my customer has recently started to have another company collect trace information, and they are the ones who claim that they get IGMP from the network that is below this/my 60E. Their network is not only upstream from this 60E, it is in fact even upstream from yet another FortiGate. So there are actually two FortiGates between "my" network and "their" network. I have also read that FortiGates by default route IGMP, so I am guessing this is regardless of the number of hops.
     
    We have most probably located the host that is the source of the IGMP traffic, but have yet to figure out what on that host is the culprit. If we can figure out what is using IGMP on that host, I am guessing we do not have to block the entire protocol. But until we have figured that out, I would still like to pursue how to block IGMP in FortiGates.
     
    Thank you also for the link. I have seen that page, and maybe it is just my lack of understanding of the FortiGate, but I fail to understand how, using the information on this page, I can block an entire protocol. Maybe you or someone else can be of assistance?
     
    Do you or anyone else have any comments on either of my previously mentioned ways of blocking IGMP?
    #3
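    The thread's two open questions at this point are which host is talking IGMP and whether that traffic really should be seen past a router (Benoit's TTL-of-1 point above). The following Python decoder is an added example, not code from this thread or from Fortinet: it parses raw IPv4+IGMP packets as you would get them from a capture, verifies both checksums, flags any IGMP message whose TTL is not 1, and counts messages per source host. The sample packets, addresses and the SSDP group 239.255.255.250 are constructed for the example; the `build_igmp_packet` helper exists only to produce that test data.

```python
import struct
import ipaddress
from collections import Counter
from typing import Optional

IGMP_PROTO = 2  # IP protocol number of IGMP; the "protocol 2" in the thread's config

# IGMP message types from RFC 2236 (v1/v2) and RFC 3376 (v3)
IGMP_TYPES = {
    0x11: "Membership Query",
    0x12: "IGMPv1 Membership Report",
    0x16: "IGMPv2 Membership Report",
    0x17: "Leave Group",
    0x22: "IGMPv3 Membership Report",
}

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 sum over 16-bit words; a block that includes its checksum sums to 0xFFFF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def parse_ipv4(packet: bytes) -> dict:
    """Pull out the IPv4 fields needed to recognise and sanity-check an IGMP packet."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "ttl": ttl, "proto": proto,
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
        "header_ok": ones_complement_sum(packet[:ihl]) == 0xFFFF,
        "payload": packet[ihl:max(ihl, total_len)],
    }

def parse_igmp(payload: bytes) -> dict:
    """Decode the fixed 8-byte IGMP header (in a v3 report the last field is not a group)."""
    if len(payload) < 8:
        raise ValueError("too short for an IGMP message")
    mtype, _max_resp, _csum, group = struct.unpack("!BBH4s", payload[:8])
    return {
        "type": mtype,
        "type_name": IGMP_TYPES.get(mtype, "unknown (0x%02x)" % mtype),
        "group": None if mtype == 0x22 else str(ipaddress.IPv4Address(group)),
        "checksum_ok": ones_complement_sum(payload) == 0xFFFF,
    }

def classify(packet: bytes) -> Optional[dict]:
    """Summarise an IGMP packet; returns None for any other IP protocol."""
    ip = parse_ipv4(packet)
    if ip["proto"] != IGMP_PROTO:
        return None
    igmp = parse_igmp(ip["payload"])
    return {
        "src": ip["src"], "dst": ip["dst"], "ttl": ip["ttl"],
        "type_name": igmp["type_name"], "group": igmp["group"],
        # IGMP is link-local: RFC 2236 sends it with TTL 1, so any other TTL deserves a look
        "ttl_ok": ip["ttl"] == 1,
        "checksum_ok": ip["header_ok"] and igmp["checksum_ok"],
    }

def igmp_sources(packets) -> Counter:
    """Count IGMP messages per source address: the top entry is the host to investigate."""
    counts = Counter()
    for pkt in packets:
        info = classify(pkt)
        if info is not None:
            counts[info["src"]] += 1
    return counts

def build_igmp_packet(src: str, dst: str, ttl: int, mtype: int, group: str) -> bytes:
    """Build a constructed IPv4+IGMPv2 sample packet (test data for this example only)."""
    igmp = struct.pack("!BBH4s", mtype, 0, 0, ipaddress.IPv4Address(group).packed)
    igmp = igmp[:2] + struct.pack("!H", (~ones_complement_sum(igmp)) & 0xFFFF) + igmp[4:]
    opts = b"\x94\x04\x00\x00"  # Router Alert option, which IGMPv2 requires
    ihl = (20 + len(opts)) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts) + len(igmp),
                      0, 0x4000, ttl, IGMP_PROTO, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + opts
    hdr = hdr[:10] + struct.pack("!H", (~ones_complement_sum(hdr)) & 0xFFFF) + hdr[12:]
    return hdr + igmp

# Constructed samples: one host joins 239.255.255.250 (the SSDP/UPnP group) twice, the querier
# sends a general query, and a third host sends a Leave with a TTL that IGMP should never carry.
SAMPLES = [
    build_igmp_packet("192.168.10.25", "239.255.255.250", 1, 0x16, "239.255.255.250"),
    build_igmp_packet("192.168.10.25", "239.255.255.250", 1, 0x16, "239.255.255.250"),
    build_igmp_packet("192.168.10.1", "224.0.0.1", 1, 0x11, "0.0.0.0"),
    build_igmp_packet("192.168.10.77", "224.0.0.2", 64, 0x17, "239.255.255.250"),
]

if __name__ == "__main__":
    for pkt in SAMPLES:
        print(classify(pkt))
    print(igmp_sources(SAMPLES).most_common())
```

    Run against packets pulled from a real capture, the per-source count points at the chatty host, and the group address in its reports (here the SSDP group) narrows down which service on that host is joining multicast groups.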
    Benoit_Rech_FTNT
    Bronze Member
    • Total Posts : 60
    • Scores: 11
    • Reward points: 0
    • Joined: 2013/06/04 02:38:46
    • Location: Sophia Antipolis (France)
    • Status: offline
    Re: Block or Disable IGMP 2021/09/28 00:44:21 (permalink)
    0
    Hello,
    Create an IGMP "service":
    config firewall service custom
    edit "IGMP"
    set protocol IP
    set comment "IGMP"
    set protocol-number 2
    next
    end
    and then the local-in policy:
    config firewall local-in-policy
    edit 0
    set intf "dmz"
    set srcaddr "all"
    set dstaddr "all"
    set service "IGMP"
    set schedule "always"
    next
    end
    Hope this helps
    Benoit
    #4
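    As an added example (not from this thread or from Fortinet), here is a small Python parser for the `config / edit / set / next / end` CLI format used in the snippets above, plus a check that reports every entry which explicitly addresses IP protocol 2: a multicast-policy with `set protocol 2` and `set action deny`, a local-in-policy whose service is a custom service with `protocol-number 2`, and `multicast-routing disable`. The sample config is constructed from the thread's snippets, with an id supplied for the multicast-policy `edit`; that a local-in-policy's `action` defaults to deny when not set is an assumption in the check.

```python
import shlex
from typing import Any, Dict, List

IGMP_PROTO = "2"  # IP protocol number for IGMP, kept as text because CLI values stay text

def parse_fortios(text: str) -> Dict[str, Any]:
    """Parse FortiOS 'config / edit / set / next / end' blocks into nested dicts.

    Shape: {table: {entry_id: {key: value}}}. A table without 'edit' entries (such as
    'config router multicast') maps its keys directly; a nested 'config' block hangs
    under the entry or table that contains it. Multi-value 'set' lines become lists.
    """
    tables: Dict[str, Any] = {}
    stack: List[tuple] = []   # saved (table, entry) for every open 'config'
    table: Any = None
    entry: Any = None
    for raw in text.splitlines():
        words = shlex.split(raw, comments=True)
        if not words:
            continue
        cmd, args = words[0], words[1:]
        if cmd == "config":
            parent = entry if entry is not None else (table if table is not None else tables)
            new = parent.setdefault(" ".join(args), {})
            stack.append((table, entry))
            table, entry = new, None
        elif cmd == "edit":
            if table is None or not args:
                raise ValueError("'edit' needs an open table and an id or name: %r" % raw)
            entry = table.setdefault(args[0], {})
        elif cmd == "set":
            if table is None or len(args) < 2:
                raise ValueError("malformed 'set': %r" % raw)
            target = entry if entry is not None else table
            target[args[0]] = args[1] if len(args) == 2 else args[1:]
        elif cmd == "next":
            entry = None
        elif cmd == "end":
            if not stack:
                raise ValueError("'end' without a matching 'config'")
            table, entry = stack.pop()
        else:
            raise ValueError("unknown keyword %r" % cmd)
    if stack:
        raise ValueError("unterminated 'config' block")
    return tables

def igmp_findings(cfg: Dict[str, Any]) -> List[str]:
    """Report every entry in a parsed config that explicitly blocks IP protocol 2."""
    out = []
    services = {name for name, svc in cfg.get("firewall service custom", {}).items()
                if svc.get("protocol-number") == IGMP_PROTO}
    for pid, pol in cfg.get("firewall multicast-policy", {}).items():
        if pol.get("protocol") == IGMP_PROTO and pol.get("action") == "deny":
            out.append("multicast-policy %s: deny protocol 2, %s -> %s"
                       % (pid, pol.get("srcintf"), pol.get("dstintf")))
    for pid, pol in cfg.get("firewall local-in-policy", {}).items():
        svc = pol.get("service", [])
        hits = sorted(services & set([svc] if isinstance(svc, str) else svc))
        # assumption: a local-in-policy with no 'set action' line denies by default
        if hits and pol.get("action", "deny") == "deny":
            out.append("local-in-policy %s: deny %s on intf %s" % (pid, ",".join(hits), pol.get("intf")))
    if cfg.get("router multicast", {}).get("multicast-routing") == "disable":
        out.append("router multicast: multicast-routing disable")
    return out

# Constructed sample: the snippets from this thread, with 'edit 1' supplied for the
# multicast-policy entry and the custom service plus local-in-policy pasted as given
SAMPLE_CONFIG = """
config firewall multicast-policy
    edit 1
        set status enable
        set srcintf "all"
        set dstintf "all"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set protocol 2
    next
end
config router multicast
    set multicast-routing disable
end
config firewall service custom
    edit "IGMP"
        set protocol IP
        set comment "IGMP"
        set protocol-number 2
    next
end
config firewall local-in-policy
    edit 0
        set intf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set service "IGMP"
        set schedule "always"
    next
end
"""

if __name__ == "__main__":
    for line in igmp_findings(parse_fortios(SAMPLE_CONFIG)):
        print(line)
```

    Feeding it a `show` or backup export from the unit before and after the change gives a quick diff of which entries actually touch protocol 2, which is the kind of check that is hard to do by eye on a box you cannot lab first.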