Interface - Multicast Restrictions

What can I do here?

Use this window to define multicast access restrictions for the interface. These restrictions specify multicast groups (addresses or address ranges) to allow or block.

Getting Here - Gateways & Servers > Select gateway > Edit > Network Management > Click the Expand button > Select an interface > Edit > Advanced

Per Interface Multicast Restrictions

A multicast enabled router forwards multicast datagrams from one interface to another. When multicast is enabled on a Security Gateway, you can define multicast access restrictions on each interface. These restrictions specify multicast groups (addresses or address ranges) to allow or block.

The enforcement is performed on outgoing multicast datagrams. Anti-spoofing makes sure that the source IP address of the packets entering an interface with multicast datagrams is performed on the multicast group address.

Gateway with per-interface multicast restrictions

When no restrictions for multicast datagrams are defined, multicast datagrams entering the gateway on one interface are allowed out of all others.

As well as defining a per-interface restrictions, a rule must also be defined in the Firewall Rule Base that allows multicast traffic and required services. The Destination of this rule must allow the required multicast groups.

VPN connections

Multicast traffic can be encrypted and sent across VPN links that are defined using multiple VPN tunnel interfaces (virtual interfaces associated with the same physical interface).

Multicast Restriction Options

• Drop multicast packets whose destination is in the list specifies that outgoing packets from this interface to the listed multicast destinations will be dropped.
• Drop all multicast packets except those whose destination is in the list specifies that outgoing packets from this interface to all multicast destinations except those listed will be dropped.
• Tracking lets you select a method for tracking dropped multicast packets.

Interface Names

This section shows the name of the interface in SmartConsole and the name the interface uses on the Gaia Operating system.

Synchronization

When Sync or Cluster + Sync is selected as the Network Type on the General page, select the sync order here.

Note - 2nd and 3rd Sync in no longer supported in R77.20 and higher.

Sync

• 1st, 2nd, 3rd Sync - A cluster synchronization interface. You must define one or more synchronization interfaces for redundancy.

  1st Sync means that is the primary sync network.

  2nd Sync or 3rd Sync means it is a backup synchronization network. Failover occurs to the 2nd or 3rd sync network if the higher priority network fails.

• If you are using more than one synchronization interface, define which interface is the primary, secondary, or tertiary interface.
• Synchronization redundancy is not supported on Small Business Appliances. On these appliances, you can only select 1st sync and only for the LAN2/SYNC interface.
• You cannot configure VLANs on the synchronization interface.
• It is recommended that secure and dedicated networks are used for synchronization.
• For High Availability mode, synchronization is recommended. Otherwise, existing connections on a failed cluster member will be closed when cluster failover occurs.

Cluster + Sync

• 1st, 2nd, 3rd Sync - Cluster interface that is also a synchronization interface.
• This option is less secure and is not recommended. This option in not supported for Small Business appliances.
• It is possible, though less secure (and therefore not recommended), to use a network which contains an internal cluster interface to serve as a synchronization network.
• This is option not supported for Small Business Appliances.

Monitoring

When Private is selected as the Network Type on the General page, you can monitor or not monitor the interface.

• Monitored Interface - An interface that is not part of the cluster, but ClusterXL monitors the member state and failover occurs if a fault is detected
• Non-Monitored - An interface that is not part of the cluster. ClusterXL does not monitor the member state and there is no failover. This option is recommended for the management interface