Use the following configuration as a guide to allow Chromecast on FortiGate firewalls

 

1) Ensure IGMP snooping is not enabled on the interfaces
2) NAT should not be enabled between the interfaces
3) Allow unknown applications in the cast application control policy, and allow RTCP traffic from media to internal so that Apple AirPlay screen mirroring works

 

 

# Global settings that let multicast discovery traffic (mDNS/SSDP, see the
# multicast-address objects below) be forwarded between interfaces at all.
config system settings
    # Shows the multicast policy pages in the GUI; no effect on traffic handling.
    set gui-multicast-policy enable
    # Without this the unit does not forward multicast between interfaces and the
    # firewall multicast-policy entries below never match anything.
    set multicast-forward enable
    # Keep the TTL of forwarded multicast packets unchanged. NOTE(review): presumably
    # needed because discovery packets can arrive with a TTL too low to survive a
    # decrement — confirm against your devices before relying on it.
    set multicast-ttl-notchange enable
end
# Multicast address objects referenced as dstaddr by the multicast policies below.
# Both objects exist on a factory configuration; they are listed here so the
# policies can be pasted on a unit where they were renamed or removed.
config firewall multicast-address
    # Included by default
    # 224.0.0.251 is the mDNS (Bonjour) multicast group.
    edit "Bonjour"
        set start-ip 224.0.0.251
        set end-ip 224.0.0.251
    next
    # 239.255.255.250 is the SSDP/UPnP discovery multicast group.
    edit "SSDP"
        set start-ip 239.255.255.250
        set end-ip 239.255.255.250
    next
end
# The custom services are not required. They are just a data point that's nice to have for logging.
# Named service objects for the two discovery ports. No policy on this page
# references them (the unicast policies use service "ALL"); they only make the
# protocol name appear in traffic logs instead of a bare port number.
config firewall service custom
    # SSDP/UPnP discovery: UDP 1900.
    edit "SSDP"
        set category "Network Services"
        set udp-portrange 1900
    next
    # Multicast DNS (Bonjour): UDP 5353.
    edit "mDNS"
        set category "Network Services"
        set udp-portrange 5353
    next
end
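# Multicast policies that pass discovery traffic (mDNS/SSDP groups) in both
# directions between the internal and media interfaces. SNAT must stay off on
# both entries; both are logged so discovery problems can be traced.
# NOTE(review): srcaddr "all" is as wide as it gets; if the interfaces carry a
# single subnet each, restricting srcaddr to that subnet costs nothing.
config firewall multicast-policy
    # Clients on internal discovering cast/AirPlay devices on media.
    edit 0
        set name "Media discovery"
        set comments "Keep SNAT disabled."
        set logtraffic enable
        set srcintf "internal"
        set dstintf "media"
        set srcaddr "all"
        set dstaddr "Bonjour" "SSDP"
    next
    # Announcements from media devices back towards internal. The explicit
    # "set uuid" the original carried on this entry is dropped: "edit 0" creates
    # a new entry whose uuid the unit assigns itself, and a fixed uuid copied
    # from another device can collide with an existing object on the target.
    edit 0
        set name "Media discovery response"
        set comments "Required for Apple devices to see AirPlay devices. Keep SNAT disabled."
        set logtraffic enable
        set srcintf "media"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "Bonjour" "SSDP"
    next
end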
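# Application-control lists attached to the two unicast policies below.
# The numeric application and category IDs are FortiGuard IDs; they are not
# named on this page, so verify each one in the GUI (Security Profiles >
# Application Signatures) before reuse — TODO confirm against your signature
# database version.
config application list
    # Forward direction (internal -> media). Unknown applications are passed,
    # which the note at the top of this file requires for casting to work; the
    # original relied on the default for this, it is now stated explicitly so
    # the two lists read the same way.
    edit "cast-airplay"
        set comment "Protocols used by Google cast and Apple AirPlay"
        set other-application-log enable
        set unknown-application-action pass
        set unknown-application-log enable
        config entries
            # Explicitly passed applications used by cast/AirPlay.
            edit 1
                set application 15895 16939 31605 32165 15893 36968 11767
                set action pass
            next
            # Category entry with no explicit action. NOTE(review): its effect
            # depends on the default entry action of your FortiOS version — confirm
            # whether these categories are blocked or only monitored.
            edit 2
                set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
            next
        end
    next
    # Return direction (media -> internal). Unknown applications are blocked
    # here, so only the listed signatures are allowed back into the internal side.
    edit "media-response"
        set comment "Allow UPnP responses back for device discovery. Allowing RTCP connections back is required for Apple AirPlay screen mirroring to work."
        set other-application-log enable
        set unknown-application-action block
        set unknown-application-log enable
        config entries
            # Explicitly passed return-path applications (UPnP responses, RTCP).
            edit 1
                set application 16083 16939
                set action pass
            next
            # Same category entry as above; same caveat about the default action.
            edit 2
                set category 2 3 5 6 7 8 12 15 17 21 22 23 25 26 28 29 30 31 32
            next
        end
    next
end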
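# Unicast firewall policies between the internal and media interfaces.
# Both policies match srcaddr/dstaddr "all" and service "ALL"; the only thing
# limiting what crosses is the application-control list on each policy, plus
# the IPS sensor. NOTE(review): narrowing srcaddr/dstaddr to the internal and
# media subnets, and service to what the casting protocols actually use, would
# reduce what a compromised media device can reach on the internal side.
# "certificate-inspection" means TLS is not decrypted, so application control
# classifies encrypted flows on metadata only.
config firewall policy
    # Forward direction: clients on internal reaching cast/AirPlay/Roku devices.
    edit 0
        set name "casting to media"
        set srcintf "internal"
        set dstintf "media"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set application-list "cast-airplay"
        set logtraffic all
        # Off by default; stated explicitly because the comment below depends on it.
        set nat disable
        set comments "Allow casting, AirPlay, and Roku remote traffic to media devices. Keeping NAT disabled is required for AirPlay to work."
    next
    # Return direction: media devices answering back to internal. The explicit
    # "set uuid" the original carried here is dropped for the same reason as in
    # the multicast policies: "edit 0" creates a new entry and the unit assigns
    # its own uuid; a fixed value copied from another device can collide.
    edit 0
        set name "media response"
        set srcintf "media"
        set dstintf "internal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "default"
        set application-list "media-response"
        set logtraffic all
        # The original had "set nat enable" here, which contradicts this policy's
        # own comment, the multicast-policy comments and requirement 2 at the top
        # of this file (no NAT between the interfaces). Return traffic must not be
        # source-NATed or AirPlay screen mirroring breaks.
        set nat disable
        set comments "Allow UPnP responses back for device discovery. Allowing RTCP connections back and keeping NAT disabled are requirements for Apple AirPlay screen mirroring to work."
    next
end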