paloaltonetworks:configuration:multicast (revision 2020/11/19 22:15 by bstafford; current revision 2022/11/23 12:49, external edit from 127.0.0.1)
====== Multicast ======

[[https://blog.golle.org/posts/Multicast/IGMP|Info on Multicast]]

  * 224.0.0.0/4 - Multicast IP range
    * 224.0.0.0/24 - Link-local multicast
      * 224.0.0.5 OSPF - to send information to all OSPF routers
      * 224.0.0.6 OSPF - to send information to DR/BDR routers
      * 224.0.0.13 PIMv2
      * 224.0.0.18 VRRP
      * 224.0.0.22 IGMPv3
      * 224.0.0.251 mDNS (udp/5353)
    * 224.0.1.0/24 - Reserved for specific applications
    * 232.0.0.0/8 - Source Specific Multicast (SSM)
    * 239.0.0.0/8 - Administratively scoped, equivalent to RFC 1918
The IPv4 multicast addresses used for OSPF are 
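The ranges above, plus the Layer 2 side of the same addressing, as an added example that is not part of the original wiki page: it classifies a destination address into the scopes listed above and derives the Ethernet MAC a group maps to (01:00:5e followed by the low 23 bits of the IP). That MAC is what a VLAN-inserted firewall or an IGMP-snooping-less switch actually floods on, and because only 23 bits survive, 32 IPv4 groups share each MAC. The scope labels and the sample addresses in the `__main__` block are this example's own.

```python
"""Added example (not from the wiki page): IPv4 multicast scope classifier and
IP-to-Ethernet group address mapping, for triaging multicast seen in traffic
logs or packet captures."""
import ipaddress

MULTICAST_BLOCK = ipaddress.ip_network("224.0.0.0/4")

# Scope labels are this example's own wording for the ranges listed on the page.
SCOPES = [
    (ipaddress.ip_network("224.0.0.0/24"), "link-local (never forwarded by a router)"),
    (ipaddress.ip_network("224.0.1.0/24"), "internetwork control (reserved for specific applications)"),
    (ipaddress.ip_network("232.0.0.0/8"), "source-specific multicast (SSM)"),
    (ipaddress.ip_network("239.0.0.0/8"), "administratively scoped (RFC 2365, private use)"),
]

# Well-known link-local groups from the list above.
WELL_KNOWN = {
    "224.0.0.5": "OSPF AllSPFRouters",
    "224.0.0.6": "OSPF AllDRouters (DR/BDR)",
    "224.0.0.13": "PIMv2",
    "224.0.0.18": "VRRP",
    "224.0.0.22": "IGMPv3",
    "224.0.0.251": "mDNS (udp/5353)",
}


def classify(addr: str) -> str:
    """Describe what kind of multicast destination addr is (or say it is not one)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in MULTICAST_BLOCK:
        return "not IPv4 multicast"
    if str(ip) in WELL_KNOWN:
        return f"link-local: {WELL_KNOWN[str(ip)]}"
    for net, label in SCOPES:
        if ip in net:
            return label
    return "global scope"


def group_mac(addr: str) -> str:
    """Ethernet destination MAC for an IPv4 group: 01:00:5e + low 23 bits of the IP.

    The five IP bits above those 23 are discarded, so 32 groups share one MAC.
    This MAC is what a Layer 2 device (a firewall in VLAN insertion, a switch
    without IGMP snooping) floods on; it knows nothing about the IP-level scope.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or ip not in MULTICAST_BLOCK:
        raise ValueError(f"{addr} is not an IPv4 multicast address")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def mac_collisions(addr: str) -> list:
    """All 32 IPv4 groups that map to the same MAC as addr.

    Relevant when something filters or snoops on the MAC: allowing 239.1.2.3
    at Layer 2 also lets 224.1.2.3 and 30 other groups through.
    """
    base = int(ipaddress.ip_address(addr)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (bits << 23) | base)) for bits in range(32)]


if __name__ == "__main__":
    # Constructed sample: destinations as they might appear in a traffic log.
    for dst in ("224.0.0.5", "224.0.0.251", "239.1.2.3", "232.10.0.1", "225.1.1.1", "10.0.0.1"):
        print(f"{dst:15} {classify(dst)}")
    print(group_mac("239.1.2.3"), mac_collisions("239.1.2.3")[:3], "...")
```

When reading a capture from a VLAN-inserted firewall, compare the frame's destination MAC against `group_mac()` of the group you expect; a mismatch means you are looking at a different group that happens to share the MAC.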

When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation.

A good multicast testing tool is [[http://www.dqnetworks.ie/toolsinfo/mcasttest/|here]].

===== VWire =====
Multicast traffic is only visible in the traffic logs if "Multicast Firewalling" is ticked in the Virtual Wire object's options. The source and destination zones in those logs are the vwire's own source and destination zones (it does not use the 'multicast' zone). If "Multicast Firewalling" is not ticked, multicast traffic still flows through the vwire, but it is neither logged nor matched against security policy.
===== VLAN Insertion =====
This is where VLAN interfaces are used to insert the firewall into a single subnet: the endpoint IP addresses cannot be changed, but the traffic can be made to flow through the firewall.
  * Multicast does work through VLAN insertion.
  * The multicast traffic passing through the firewall does not generate any traffic logs.
  * I did a packet capture. There are four stages to PCAP on a Palo Alto firewall:
    * drop stage: packets that were discarded. The reasons vary, and the global counters help identify whether the drop was due to a policy deny, a detected threat, or something else.
    * receive stage: packets as they ingress the firewall, before they enter the firewall engine. When NAT is configured these packets are pre-NAT.
    * transmit stage: packets as they egress from the firewall engine. When NAT is configured these are post-NAT.
    * firewall stage: packets as they are processed by the firewall engine itself (the session and policy stage).
  * I noticed that I didn't get anything in the 'firewall' filter, but I did get captures in drop, receive and transmit.
  * I saw that I got four packets in receive, four in drop and twelve in transmit.
  * In my lab I had four interfaces in the VLAN insertion. My assumption is that the twelve transmit packets were the four packets received being forwarded on from the receiving interface to the other three interfaces.


**However**

You can still get multicast traffic logged and enforced by security policy:
  * Select a free IP address on the subnet being segmented.
  * Create a blank virtual router.
  * Create a Layer 3 security zone.
  * Create a VLAN interface (Network > Interfaces > VLAN). Set the VLAN to the same VLAN that the Layer 2 interfaces are assigned to, set the virtual router you just created, select the Layer 3 security zone you created, and give the interface the free IP address you selected.
  * Create a security policy that allows the Layer 3 security zone to the "multicast" zone (it is in the destination zone drop-down list of the security policy rule).
  * On the new virtual router, in the Multicast settings, configure:
    * Rendezvous Point tab (without this config there will be no logs):
      * Enable - True
      * RP Type - Static
      * RP Interface - <VLAN interface>
      * RP Address - <IP of the VLAN interface>
      * Group List - IP of a multicast group. You should be able to put any multicast IP here; so long as one is listed, the firewall will still capture all multicast traffic.
    * Interfaces tab (without this config there will be no logs):
      * Add a group and add the VLAN interface to it. You do not need to add Group Permissions, and you can disable IGMP and PIM.
  * Commit.

Check that the multicast traffic is now appearing in the logs (**NOTE**: you will also see BROADCAST traffic for the subnet, logged from the Layer 3 zone to the Layer 3 zone with the broadcast IP as destination). If you want to block any of the multicast traffic, create a rule from the Layer 3 zone to the multicast zone for that port and set it to deny.

Useful CLI checks:
  * show routing multicast fib
  * show routing multicast route source 234.5.6.7
  * show routing multicast igmp membership interface vlan.11
  * show routing multicast route virtual-router vr1
===== Lab =====

This section covers getting multicast working between a VLC streamer and a VLC player that are on separate Layer 3 VLANs connected to a Palo Alto Networks firewall.

The server is a Windows desktop that has VLC 3.0.11 installed and is streaming an MP4 video file over multicast.
  - Ensure "Activate Transcoding" is ticked, set the profile to something (e.g. Video - H.264 + MP3 (MP4)) and then click Next.
  - Untick "Stream all elementary streams".
  - **THIS IS VERY IMPORTANT**: you will need to update the "Generated stream output" string. Find the rtp section (e.g. rtp{dst=239.1.2.3,port=5004,mux=ts,sap,name=mystream}) and add ',ttl=3' (e.g. rtp{dst=239.1.2.3,port=5004,mux=ts,sap,name=mystream,ttl=3}). The reason for this is that VLC sets the TTL to 1 by default, which prevents the packets from leaving the subnet they are sent on: the first Layer 3 hop decrements the TTL to 0 and drops them.
Click Stream.
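The TTL step above, as an added example that is not part of the original page or of VLC: a function that rewrites the "Generated stream output" chain to add (or replace) the ttl= option in its rtp{} module, plus the socket option that VLC's ttl= flag ultimately sets, so you can confirm what TTL a sender will stamp on its packets before you go looking for them on the firewall. The group 239.1.2.3 and port 5004 are taken from the page's example; `send_test_burst` is a hypothetical helper for generating a few test datagrams and is not a VLC feature.

```python
"""Added example, not from the original wiki page: the VLC TTL fix applied
programmatically, plus the socket option VLC's ttl= flag maps to."""
import re
import socket
import struct

_RTP_MODULE = re.compile(r"rtp\{([^}]*)\}")


def add_rtp_ttl(sout: str, ttl: int) -> str:
    """Return the VLC stream-output chain with ttl=<ttl> inside its rtp{...} module.

    An existing ttl= option is replaced rather than duplicated. VLC defaults to
    TTL 1, so without this the stream never makes it past the first router hop.
    """
    if not 1 <= ttl <= 255:
        raise ValueError("ttl must be between 1 and 255")
    m = _RTP_MODULE.search(sout)
    if m is None:
        raise ValueError("no rtp{...} module found in stream output string")
    opts = [o for o in m.group(1).split(",") if o and not o.startswith("ttl=")]
    opts.append(f"ttl={ttl}")
    return sout[: m.start()] + "rtp{" + ",".join(opts) + "}" + sout[m.end():]


def make_multicast_sender(ttl: int, loopback: bool = False) -> socket.socket:
    """UDP socket whose multicast datagrams carry the given IP TTL.

    IP_MULTICAST_TTL is the kernel knob behind VLC's ttl= option; the default
    on most systems is 1. IP_MULTICAST_LOOP controls whether the sending host
    also receives its own stream (handy when sender and player are the same box).
    The options are packed as one byte so the call works on Linux and BSD/macOS.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, struct.pack("B", ttl))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_LOOP, struct.pack("B", int(loopback)))
    return s


def sender_ttl(sock: socket.socket) -> int:
    """Read back the TTL the socket will stamp on outgoing multicast packets."""
    return sock.getsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL)


def send_test_burst(group: str, port: int, ttl: int, count: int = 5) -> int:
    """Hypothetical helper: send <count> small datagrams to group:port and return
    how many were sent. Watch for them in a pcap on the firewall's receive and
    transmit stages, or in the traffic log once multicast logging is configured."""
    s = make_multicast_sender(ttl)
    try:
        for i in range(count):
            s.sendto(f"mcast-test {i}".encode(), (group, port))
    finally:
        s.close()
    return count


if __name__ == "__main__":
    # Constructed chain in the shape VLC generates; only the rtp{} part matters here.
    chain = ("#transcode{vcodec=h264,acodec=mpga,ab=128,channels=2,samplerate=44100}"
             ":rtp{dst=239.1.2.3,port=5004,mux=ts,sap,name=mystream}")
    print(add_rtp_ttl(chain, 3))
    # Lab group 239.1.2.3 and VLC's RTP port 5004, as in the page's example.
    send_test_burst("239.1.2.3", 5004, ttl=3)
```

Pick a TTL that is just large enough for the hop count you need (3 here covers sender VLAN, firewall, receiver VLAN); a large TTL on a lab group that is not administratively scoped would let the stream leak past the first router that has a multicast route for it.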