Saucepan

User Tools

Site Tools

Trace: multicast aws globalprotect_versions firewall_resources firewall-hardware oracle disk_space zone_protection
paloaltonetworks:configuration:multicast

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:multicast [2022/08/01 15:36] bstaffordpaloaltonetworks:configuration:multicast [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 7: Line 7:
   * 224.0.0.0/4 - Multicast IP Range   * 224.0.0.0/4 - Multicast IP Range
     * 224.0.0.0/24 - Link Local multicast     * 224.0.0.0/24 - Link Local multicast
 +      * 224.0.0.5 OSPF - to send information to all OSPF routers
 +      * 224.0.0.6 OSPF - to send information to DR/BDR routers. 
       * 224.0.0.13 PIMv2       * 224.0.0.13 PIMv2
       * 224.0.0.18 VRRP       * 224.0.0.18 VRRP
       * 224.0.0.22 IGMPv3       * 224.0.0.22 IGMPv3
 +      * 224.0.0.251 mDNS (udp5353)
     * 224.0.1.0/24 - Reserved for specific applications     * 224.0.1.0/24 - Reserved for specific applications
     * 232.0.0.0/8 - Source Specific Multicast (SSM)     * 232.0.0.0/8 - Source Specific Multicast (SSM)
     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918
 +The IPv4 multicast addresses used for OSPF are 
  
 When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation.
Line 36: Line 39:
  
  
-''However''+**However**
  
 You can enforce Multicast traffic rules. You can enforce Multicast traffic rules.
Line 45: Line 48:
   * Create a security policy that allows the Layer3 security zone to the "multicast" zone (drop down list in destination zone in security policy rule).   * Create a security policy that allows the Layer3 security zone to the "multicast" zone (drop down list in destination zone in security policy rule).
   * On the new virtual router in the Multicast settings configure   * On the new virtual router in the Multicast settings configure
-    * Rendezvous Point Tab+    * Rendezvous Point Tab (without this config, there will be no logs)
       * Enable - True       * Enable - True
       * RP Type - Static       * RP Type - Static
       * RP Interface - <VLAN Interface>       * RP Interface - <VLAN Interface>
       * RP Address - <IP of VLAN Interface>       * RP Address - <IP of VLAN Interface>
-      * Group List - IP of Multicast Group. You may have to list many Multicast Groups+      * Group List - IP of Multicast Group. You should be able to put any multicast Ip here. So long as one is listed, the firewall will still capture all multicast traffic
-      * Interfaces Tab+      * Interfaces Tab (without this config, there will be no logs)
         * Add a group         * Add a group
           * Add the Vlan Interface. You do not need to add Group Permissions and you can disabled IGMP and PIM           * Add the Vlan Interface. You do not need to add Group Permissions and you can disabled IGMP and PIM
   * Commit.   * Commit.
  
-Check that the multicast traffic is now appearing in the logs. If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic.+Check that the multicast traffic is now appearing in the logs (**NOTE**: You will also see BROADCAST traffic for the subnet from the Layer3 zone to the Layer3 zone and broadcast IP). If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic.
  
   * show routing multicast fib   * show routing multicast fib
paloaltonetworks/configuration/multicast.1659368211.txt.gz · Last modified: (external edit)