How to Block Multicast Traffic in a VWire (Virtual Wire) Setup
Multicast traffic is blocked by default in Layer 3 mode, but is forwarded by default in Virtual Wire mode.
To apply security policies for multicast:
- Enable multicast firewalling in the Virtual Wire configuration.
Once this is enabled, multicast traffic transiting the firewall can be blocked with a security rule, either by denying the entire IPv4 multicast address range 224.0.0.0/4 as the destination, or by denying the PIM and IGMP applications.
Note: Before blocking multicast, consider the routing and redundancy protocols that rely on multicast (for example OSPF, RIP and VRRP). If they are in use on the network, a rule that denies the whole multicast range will block them as well.
- Option 1: block the entire multicast address range.
- Option 2: block the PIM and IGMP protocols using application signatures.
- Example security rule blocking multicast on a Virtual Wire (figure not included).
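The two rule options above differ in what else they catch. The following added example (not code from the original article and not PAN-OS code) models both rules over a few constructed flows, so the collateral effect on OSPF, RIP and VRRP described in the note can be seen directly. The protocol numbers and well-known group addresses are standard IANA/RFC values; the sample flows are constructed.

```python
import ipaddress

# Constructed policy model for illustration; it is not the firewall's
# object model. It mirrors the two options the article describes:
#   1) deny everything destined to the IPv4 multicast range 224.0.0.0/4
#   2) deny only the multicast control protocols IGMP and PIM
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")

# IANA IP protocol numbers (known values, not taken from the article).
PROTO_IGMP = 2
PROTO_PIM = 103

# Well-known multicast groups used by the routing/redundancy protocols the
# article warns about; addresses are the ones assigned in the RFCs.
ROUTING_GROUPS = {
    "224.0.0.5": "OSPF AllSPFRouters",
    "224.0.0.6": "OSPF AllDRouters",
    "224.0.0.9": "RIPv2",
    "224.0.0.18": "VRRP",
}


def matches_range_rule(dst_ip: str) -> bool:
    """Option 1: deny any flow whose destination is inside 224.0.0.0/4."""
    return ipaddress.ip_address(dst_ip) in MULTICAST_V4


def matches_protocol_rule(ip_proto: int) -> bool:
    """Option 2: deny only IGMP and PIM, whatever the destination address."""
    return ip_proto in (PROTO_IGMP, PROTO_PIM)


def evaluate(flows, rule):
    """Apply one rule to each flow.

    flows: iterable of (description, destination IP, IP protocol number)
    rule:  "range" (option 1) or "protocol" (option 2)
    Returns a list of (description, verdict, routing-protocol note).
    """
    results = []
    for desc, dst, proto in flows:
        if rule == "range":
            denied = matches_range_rule(dst)
        elif rule == "protocol":
            denied = matches_protocol_rule(proto)
        else:
            raise ValueError(f"unknown rule {rule!r}")
        note = ROUTING_GROUPS.get(dst, "")
        results.append((desc, "deny" if denied else "allow", note))
    return results


def collateral_damage(flows, rule):
    """Routing/redundancy flows that the chosen rule would deny."""
    return [desc for desc, verdict, note in evaluate(flows, rule)
            if verdict == "deny" and note]


# Constructed sample traffic transiting the virtual wire.
SAMPLE_FLOWS = [
    ("IGMP membership report", "224.0.0.22", PROTO_IGMP),
    ("PIM hello", "224.0.0.13", PROTO_PIM),
    ("OSPF hello", "224.0.0.5", 89),
    ("RIPv2 update", "224.0.0.9", 17),
    ("VRRP advertisement", "224.0.0.18", 112),
    ("Streaming video (UDP)", "239.1.2.3", 17),
    ("Unicast web traffic", "10.0.0.8", 6),
]

if __name__ == "__main__":
    for rule in ("range", "protocol"):
        print(f"--- rule: {rule} ---")
        for desc, verdict, note in evaluate(SAMPLE_FLOWS, rule):
            extra = f" ({note})" if note else ""
            print(f"{verdict:5} {desc}{extra}")
        print("routing protocols caught:", collateral_damage(SAMPLE_FLOWS, rule))
```

Running it shows the trade-off: the range rule denies the OSPF, RIP and VRRP flows along with the video stream, while the protocol rule stops only IGMP and PIM and leaves the routing protocols (and any multicast data already flowing) untouched.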