paloaltonetworks:configuration:multicast

Differences

This shows you the differences between two versions of the page.

paloaltonetworks:configuration:multicast [2022/08/02 08:38] bstaffordpaloaltonetworks:configuration:multicast [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 7: Line 7:
   * 224.0.0.0/4 - Multicast IP Range   * 224.0.0.0/4 - Multicast IP Range
     * 224.0.0.0/24 - Link Local multicast     * 224.0.0.0/24 - Link Local multicast
 +      * 224.0.0.5 OSPF - to send information to all OSPF routers
 +      * 224.0.0.6 OSPF - to send information to DR/BDR routers. 
       * 224.0.0.13 PIMv2       * 224.0.0.13 PIMv2
       * 224.0.0.18 VRRP       * 224.0.0.18 VRRP
       * 224.0.0.22 IGMPv3       * 224.0.0.22 IGMPv3
 +      * 224.0.0.251 mDNS (udp5353)
     * 224.0.1.0/24 - Reserved for specific applications     * 224.0.1.0/24 - Reserved for specific applications
     * 232.0.0.0/8 - Source Specific Multicast (SSM)     * 232.0.0.0/8 - Source Specific Multicast (SSM)
     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918     * 239.0.0.0/8 - Administratively Scoped, equivalent to RFC1918
 +The IPv4 multicast addresses used for OSPF are 
  
 When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation. When picking a multicast address for labbing, use range 239.0.0.0/8 as that is assigned by RFC 2365 for private use within an organisation.
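Review bot: The added line "The IPv4 multicast addresses used for OSPF are" after the address list is an unfinished sentence and ends without naming any address. The two new list entries for 224.0.0.5 and 224.0.0.6 already carry that information, so either drop the sentence or complete it by pointing at those entries. Smaller points in the same hunk: the 224.0.0.6 entry ends with a full stop and trailing space while its siblings do not, and "mDNS (udp5353)" would read better as "mDNS (UDP 5353)".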
Line 36: Line 39:
  
  
-''However''+**However**
  
 You can enforce Multicast traffic rules. You can enforce Multicast traffic rules.
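Review bot: The bold "However" still stands alone as a one-word paragraph, separated from the sentence it introduces. Consider folding it into the next line, for example "However, you can enforce multicast traffic rules.", so the contrast reads as one statement and the emphasis markup is not needed at all.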
Line 50: Line 53:
       * RP Interface - <VLAN Interface>       * RP Interface - <VLAN Interface>
       * RP Address - <IP of VLAN Interface>       * RP Address - <IP of VLAN Interface>
-      * Group List - IP of Multicast Group. You may have to list many Multicast Groups.+      * Group List - IP of Multicast Group. You should be able to put any multicast Ip here. So long as one is listed, the firewall will still capture all multicast traffic.
       * Interfaces Tab (without this config, there will be no logs)       * Interfaces Tab (without this config, there will be no logs)
         * Add a group         * Add a group
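Review bot: The new Group List text replaces "You may have to list many Multicast Groups" with the opposite claim, that a single listed address makes the firewall capture all multicast traffic, but it is worded as a guess ("You should be able to"). Readers rely on this step for log visibility (the next bullet says there are no logs without the Interfaces tab config), so state whether this was tested and on which PAN-OS version, or keep the earlier advice as the fallback if traffic for unlisted groups does not appear. Also "Ip" should be "IP".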
Line 56: Line 59:
   * Commit.   * Commit.
  
-Check that the multicast traffic is now appearing in the logs. If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic.+Check that the multicast traffic is now appearing in the logs (**NOTE**: You will also see BROADCAST traffic for the subnet from the Layer3 zone to the Layer3 zone and broadcast IP). If you want to block it, you can create a rule from the Layer3 zone to the multicast zone on that port and block the traffic.
  
   * show routing multicast fib   * show routing multicast fib
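Review bot: The added NOTE sits inside the first sentence and its wording "from the Layer3 zone to the Layer3 zone and broadcast IP" is hard to parse. Move it into its own sentence after "appearing in the logs." and say plainly that the broadcast entries show source zone Layer3, destination zone Layer3 and the subnet broadcast address as destination. Since the following sentence describes a block rule from the Layer3 zone to the multicast zone, it would also help to say whether that rule is expected to leave these broadcast entries untouched, so nobody widens the rule to silence them.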
paloaltonetworks/configuration/multicast.1659429490.txt.gz · Last modified: (external edit)