IGMP Querier with Managed FortiSwitches

If you need to configure an IGMP querier on managed FortiSwitches, you will find nothing in the documentation.

Once you know how it works, it is very simple. The interface of the FortiGate becomes the querier. Like everything more sophisticated on the FortiGate, you use the CLI to configure it.

First, you activate multicast routing on the one interface where you need the querier. In this case the interface automatically becomes the querier. This solution is used if you want to route multicast traffic.

config router multicast
    set multicast-routing enable
    config interface
        edit "v0009_av"
            set pim-mode sparse-mode
            set passive enable
            config igmp
                set access-group "v0009-mcast-router"
            end
        next
    end
end

In our example, with “set passive enable”, the FortiGate does not send out any PIM information. The FortiGate only accepts and sends IGMP messages.

# get router info multicast igmp interface 
Interface v0009_av (Index 54)
 IGMP Enabled, Active, Querier, Configured for version 3
 Internet address is
 IGMP query interval is 125 seconds
 IGMP querier timeout is 255 seconds
 IGMP max query response time is 10 seconds
 Last member query response interval is 1000 milliseconds
 Group Membership interval is 260 seconds
 Router Alert options not required in IGMP packets
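
The timers in this output follow the IGMPv3 relations from RFC 3376: querier timeout = robustness x query interval + max response time / 2, and group membership interval = robustness x query interval + max response time. The following Python script is an added example, not part of the original post or of any Fortinet tooling; it parses the output above and checks the Querier flag and those two relations, which is useful for monitoring that the FortiGate is still the elected querier. The robustness value of 2 is the RFC default and an assumption, since the output does not show it.

```python
import re

# Constructed sample: the output shown above (address blank, as on the page).
SAMPLE = """\
Interface v0009_av (Index 54)
 IGMP Enabled, Active, Querier, Configured for version 3
 Internet address is
 IGMP query interval is 125 seconds
 IGMP querier timeout is 255 seconds
 IGMP max query response time is 10 seconds
 Last member query response interval is 1000 milliseconds
 Group Membership interval is 260 seconds
 Router Alert options not required in IGMP packets
"""

def parse_igmp_interfaces(text):
    """Return {interface: {"flags": [...], "version": n, "<timer>": seconds}}."""
    result, current = {}, {}  # lines before the first header are discarded
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Interface (\S+) \(Index \d+\)", line):
            current = result.setdefault(m.group(1), {})
        elif m := re.match(r"IGMP (.+), Configured for version (\d)", line):
            current["flags"] = [f.strip() for f in m.group(1).split(",")]
            current["version"] = int(m.group(2))
        elif m := re.match(r"(.+?) is (\d+) (seconds|milliseconds)$", line):
            divisor = 1000 if m.group(3) == "milliseconds" else 1
            current[m.group(1).lower()] = int(m.group(2)) / divisor
    return result

def check_querier(info, robustness=2):
    """List problems; robustness=2 is the RFC 3376 default (an assumption here)."""
    problems = []
    if "Querier" not in info.get("flags", []):
        problems.append("interface is not the elected querier")
    qi = info["igmp query interval"]
    qri = info["igmp max query response time"]
    # Other Querier Present Interval = robustness * QI + QRI / 2
    if info["igmp querier timeout"] != robustness * qi + qri / 2:
        problems.append("querier timeout does not match query timers")
    # Group Membership Interval = robustness * QI + QRI
    if info["group membership interval"] != robustness * qi + qri:
        problems.append("group membership interval does not match query timers")
    return problems

if __name__ == "__main__":
    for name, info in parse_igmp_interfaces(SAMPLE).items():
        print(name, check_querier(info) or "querier OK")
```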

Once multicast routing is enabled, the FortiGate automatically registers all IGMP groups found.

# get router info multicast igmp groups 
IGMP Connected Group Membership
Group Address    Interface            Uptime   Expires          Last Reporter
                 v0009_av             02:00:08 00:03:27
                 v0009_av             02:00:08 00:03:27
                 v0009_av             02:00:08 00:03:27

There are cases where you do not want to receive some multicast streams (or IGMP groups). For this you configure an “access-group”. This group is a router access list. It contains the addresses which are permitted or denied.

config router access-list
    edit "v0009-mcast-router"
        config rule
            edit 1
                set action deny
                set prefix
            next
        end
    next
end

In our example we do not accept join requests for

Well, the IGMP querier is now configured.

Using an IGMP querier means that we also have to configure IGMP snooping. If a switch does IGMP snooping, it only forwards multicast traffic on interfaces where a receiver has registered for an IGMP group.

This is configured on the interface of the FortiGate:

config system interface
    edit "v0009_av"
        set vdom "root"
        set ip
        set allowaccess ping
        set switch-controller-igmp-snooping enable
        set switch-controller-igmp-snooping-proxy enable
        set switch-controller-igmp-snooping-fast-leave enable
        set interface "fl"
        set vlanid 9
    next
end

First, you turn on IGMP snooping and “Fast Leave”. If you have a switch configuration with MCLAG, you also need to turn on IGMP proxy.

In the case of audio and video streaming you have to make sure to accept only known multicast streams. This is configured with “Storm Control”:

config switch-controller storm-control
    set rate 100
    set unknown-unicast enable
    set unknown-multicast enable
    set broadcast enable
end

One last important point: by default the FortiGate uses multicast forward. As a rule of thumb, you use either multicast forward or multicast routing. For this reason we turn off multicast forward.

config system settings
    set multicast-forward disable
end

Use the following command to see if your IGMP querier and IGMP snooping configuration works:

# diagnose switch-controller switch-info igmp-snooping group 



IGMP-SNOOPING mcast-groups:
Max Entries: 1022

Number of groups: 1

port		 VLAN	 GROUP				 Age-timeout	  IGMP-Version
_FlInK1_MLAG0_	 7   	 querier			 95		  --
port3         	 7 		 233		  IGMPv3

Here you see all active groups on their interfaces.