Multicast Access Control
Multicast IP transmits one copy of each datagram (IP packet) to a multicast address, where each recipient in the group takes their copy. The routers in the network forward the datagrams only to routers and hosts with access to receive the multicast packets.
- On the Network Management page, select an interface and click Edit.
- On Interface > Advanced, click Drop Multicast packets by the following conditions.
- Select a multicast policy for the interface:
  - Drop multicast packets whose destination is in the list
  - Drop all multicast packets except those whose destination is in the list
  When access is denied to a multicast group on an interface for outbound IGMP packets, inbound packets are also denied.
  If you do not define access restrictions for multicast packets, multicast datagrams to one interface of the Security Gateway are allowed out of all other interfaces.
- Click Add.
  The Add Object window opens, with the Multicast Address Ranges object selected.
- Click New > Multicast Address Range.
  The Multicast Address Range Properties window opens.
- Enter a name for this range.
- Define an IP address Range or a Single IP Address in the range: 224.0.0.0 - 239.255.255.255.
  Class D IP addresses are reserved for multicast traffic and are allocated dynamically. The multicast address range 224.0.0.0 - 239.255.255.255 is used only for the destination address of IP multicast traffic. Every IP datagram whose destination address starts with 1110 is an IP multicast datagram. The remaining 28 bits of the multicast address range identify the group to which the datagram is sent.
  The 224.0.0.0 - 224.0.0.255 range is reserved for LAN applications that are never forwarded by a router. These addresses are permanent host groups. For example: an ICMP request to 224.0.0.1 is answered by all multicast capable hosts on the network, 224.0.0.2 is answered by all routers with multicast interfaces, and 224.0.0.13 is answered by all PIM routers. To learn more, see http://www.iana.org/assignments/multicast-addresses.
  The source address for multicast datagrams is always the unicast source address.
- Click OK.
- In the Add Object window, click OK.
- In the Interface Properties window, click OK.
- In the Security Gateway window, click OK.
- In the Rule Base, add a rule that allows the multicast address range as the Destination.
- In the Services of the rule, add the multicast protocols.
  - Multicast routing protocols - For example: Protocol-Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), and Multicast Extensions to OSPF (MOSPF).
  - Dynamic registration - Hosts use the Internet Group Management Protocol (IGMP) to let the nearest multicast router know they want to belong to a specified multicast group. Hosts can leave or join the group at any time.
- Install the policy.
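The two interface options and the Class D address arithmetic described above can be modelled offline to review a planned range list before installing policy. This is an added example, not Check Point code: the policy labels, function names and sample ranges are assumptions, and the model applies the option wording literally rather than reproducing the gateway's implementation.

```python
import ipaddress

# Labels chosen for this example; they mirror the two options in the interface dialog.
DROP_LISTED = "drop_listed"        # drop packets whose destination is in the list
DROP_UNLISTED = "drop_all_except"  # drop all multicast except destinations in the list


def is_multicast(addr):
    """True when the top four bits of the IPv4 address are 1110 (Class D)."""
    return int(ipaddress.IPv4Address(addr)) >> 28 == 0b1110


def group_id(addr):
    """Return the low 28 bits, which identify the multicast group."""
    if not is_multicast(addr):
        raise ValueError(f"{addr} is not a multicast address")
    return int(ipaddress.IPv4Address(addr)) & 0x0FFFFFFF


def parse_range(first, last=None):
    """Build an inclusive range object; a single address is a range of one."""
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last or first)
    if lo > hi or not (is_multicast(lo) and is_multicast(hi)):
        raise ValueError(f"invalid multicast range {first} - {last or first}")
    return lo, hi


def interface_drops(dst, ranges, policy):
    """Decide whether the interface restriction drops a packet sent to dst."""
    if not is_multicast(dst):
        return False  # the restriction only concerns multicast destinations
    ip = ipaddress.IPv4Address(dst)
    listed = any(lo <= ip <= hi for lo, hi in ranges)
    return listed if policy == DROP_LISTED else not listed


def audit(ranges, policy, probes):
    """Map each probe destination to 'drop' or 'pass' for review before install."""
    return {p: "drop" if interface_drops(p, ranges, policy) else "pass" for p in probes}


# Constructed sample data: one application range and a few probe destinations.
SAMPLE_RANGES = [parse_range("239.1.1.0", "239.1.1.255")]
SAMPLE_PROBES = ["224.0.0.1", "224.0.0.2", "224.0.0.13", "239.1.1.7", "10.0.0.5"]
```

Running `audit(SAMPLE_RANGES, DROP_UNLISTED, SAMPLE_PROBES)` shows that, under this model, an "all except" list containing only an application range also drops the permanent host groups 224.0.0.1, 224.0.0.2 and 224.0.0.13.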