Internet Group Management Protocol (IGMP) is an IPv4 protocol that a multicast receiver uses to communicate with an interface on a Palo Alto Networks® firewall and that the firewall uses to track the membership of multicast groups. When a host wants to receive multicast traffic, its implementation of IGMP sends an IGMP Membership report message and the receiving router, in turn, sends a PIM Join message to the multicast group address of the group that the host wants to join. An IGMP-enabled router on the same physical network (such as an Ethernet segment) then uses PIM to communicate with other PIM-enabled routers to determine a path from the source to interested receivers.

Enable IGMP only on interfaces that face a multicast receiver. The receivers can be only one Layer 3 hop away from the virtual router. IGMP messages are Layer 2 messages that have a TTL value of one and, therefore, cannot go outside the LAN.

When you Configure IP Multicast, specify whether an interface uses IGMP Version 1, IGMP Version 2, or IGMP Version 3. You can enforce the IP Router Alert option, RFC 2113, so that incoming IGMP packets that use IGMPv2 or IGMPv3 have the IP Router Alert option.

By default, an interface accepts IGMP Membership reports for all multicast groups. You can configure multicast group permissions to control the groups for which the virtual router accepts Membership reports from any source (Any-Source Multicast, or ASM), which is basically PIM Sparse Mode (PIM-SM). You can also specify the groups for which the virtual router accepts Membership reports from a specific source (PIM Source-Specific Multicast [PIM-SSM]). If you specify permissions for either ASM or SSM groups, the virtual router denies Membership reports from other groups. The interface must use IGMPv3 to pass PIM-SSM traffic.

You can specify the maximum number of sources and the maximum number of multicast groups that IGMP can process simultaneously for an interface.

The virtual router multicasts an IGMP Query at regular intervals to all receivers of a multicast group. A receiver responds to an IGMP Query with an IGMP Membership report that confirms the receiver still wants to receive multicast traffic for that group. The virtual router maintains a table of the multicast groups that have receivers; the virtual router forwards a multicast packet out the interface to the next hop only if there is still a receiver down that multicast distribution tree that is joined to the group. The virtual router does not track exactly which receivers are joined to a group. Only one router on a subnet responds to IGMP Queries and that is the IGMP Querier—the router with the lowest IP address.

You can configure an interface with an IGMP Query interval and the amount of time allowed for a receiver to respond to a query (the Max Query Response Time). When a virtual router receives an IGMP Leave message from a receiver to leave a group, the virtual router checks that the interface that received the Leave message is not configured with the Immediate Leave option. In the absence of the Immediate Leave option, the virtual router sends a Query to determine whether there are still receiver members for the group. The Last Member Query Interval specifies how many seconds are allowed for any remaining receivers for that group to respond and confirm that they still want multicast traffic for that group.

An interface supports the IGMP robustness variable, which you can adjust so that the firewall then tunes the Group Membership Interval, Other Querier Present Interval, Startup Query Count, and Last Member Query Count. A higher robustness variable can accommodate a subnet that is likely to drop packets.

View IP Multicast Information to see IGMP-enabled interfaces, the IGMP version, Querier address, robustness setting, limits on the number of multicast groups and sources, and whether the interface is configured for Immediate Leave. You can also see the multicast groups to which interfaces belong and other IGMP membership information.