How to Configure Broadcast Forwarding in Fortinet Firewall

Re-broadcasting, also known as broadcast forwarding, allows the firewall to forward broadcast traffic between different network segments. In this post, we’ll walk through enabling re-broadcast on a Fortinet firewall, and also show a quick Checkpoint Clish example that achieves the same result.

Scenario Diagram and Requirement

  • GPS station 192.168.4.4 sends UDP traffic to the broadcast IP address 192.168.7.255 so that all machines within 192.168.7.0/24 can see it; the traffic can be a UDP packet with a non-standard port number.
  • The UDP packet needs to travel over the core switch and then through the Fortinet firewall.
  • The Fortinet FW then re-broadcasts the packet so the server and clients within the 192.168.7.0/24 VLAN subnet can receive it.
  • Assume routing is working normally between 192.168.4.0/24 and 192.168.7.0/24.

Solution Step 1

Enable broadcast forwarding on the ingress interface ONLY; there is NO need to do anything on the egress interface.

config system interface
    edit "port1"
        set ip 192.168.5.2 255.255.255.0
        set broadcast-forward enable
    next
    edit "port4"
        set ip 192.168.7.1 255.255.255.0
    next
end

Solution Step 2

Then create a standard IPv4 unicast firewall policy that allows the traffic from 192.168.4.4 to 192.168.7.255.
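As an added check that is not part of the original post, the following Python script parses the interface block from Step 1 and verifies that broadcast-forward is enabled only on the intended ingress interface and that the policy destination from Step 2 is the directed broadcast address of the egress subnet. The interface names and addresses are the ones used in this post; the sample config text is embedded for offline use.

```python
import ipaddress
import re

# Constructed sample: the "config system interface" block shown in this post.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set ip 192.168.5.2 255.255.255.0
        set broadcast-forward enable
    next
    edit "port4"
        set ip 192.168.7.1 255.255.255.0
    next
end
"""

def parse_interfaces(config_text):
    """Map interface name -> {"ip": IPv4Interface, "broadcast_forward": bool}."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r'edit "([^"]+)"', line):
            current = m.group(1)
            interfaces[current] = {"ip": None, "broadcast_forward": False}
        elif line == "next":
            current = None
        elif current and (m := re.match(r"set ip (\S+) (\S+)", line)):
            # FortiOS writes "set ip <address> <netmask>"; ipaddress accepts "addr/mask".
            interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif current and line == "set broadcast-forward enable":
            interfaces[current]["broadcast_forward"] = True
    return interfaces

def audit_rebroadcast(config_text, ingress, egress, policy_dst):
    """Return findings; an empty list means the config matches the intended design."""
    ifaces = parse_interfaces(config_text)
    findings = []
    # Step 1 of the post: broadcast-forward belongs on the ingress interface only.
    if not ifaces[ingress]["broadcast_forward"]:
        findings.append(f"{ingress}: broadcast-forward not enabled on the ingress interface")
    for name, info in ifaces.items():
        if name != ingress and info["broadcast_forward"]:
            findings.append(f"{name}: broadcast-forward enabled on a non-ingress interface")
    # Step 2: the policy destination must be the directed broadcast of the egress subnet.
    expected = ifaces[egress]["ip"].network.broadcast_address
    if ipaddress.IPv4Address(policy_dst) != expected:
        findings.append(f"policy destination {policy_dst} is not {egress}'s broadcast {expected}")
    return findings
```

Running `audit_rebroadcast(SAMPLE_CONFIG, "port1", "port4", "192.168.7.255")` returns an empty list for the config above; swapping the interface roles reports every mismatch.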

Similar Functionality on Checkpoint Firewall

Under Checkpoint Clish, type the commands below and save the config:

set iphelper forward-nonlocal on

set iphelper interface bond0 udp-port 50000 relay-to 192.168.7.255 on

Useful links

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Forwarding-IP-broadcast-to-a-different-network/ta-p/215005

https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminGuide/html_frameset.htm?topic=documents/R80.30/WebAdminGuides/EN/CP_R80.30_Gaia_Advanced_Routing_AdminGuide/81083
