IGMP
Configure IGMP for interfaces on a virtual router that
are facing receivers to enable receivers to join multicast groups
and to enable the virtual router to track group memberships and
communicate with PIM-enabled routers.

Internet Group Management Protocol (IGMP) is an IPv4
protocol that a multicast receiver uses to communicate with an interface
on a Palo Alto Networks® firewall and that the firewall uses to
track the membership of multicast groups. When a host wants to receive
multicast traffic, its implementation of IGMP sends an IGMP Membership
report message and the receiving router, in turn, sends a PIM Join
message to the multicast group address of the group that the host
wants to join. An IGMP-enabled router on the same physical network
(such as an Ethernet segment) then uses PIM to communicate with
other PIM-enabled routers to determine a path from the source to
interested receivers.

Enable IGMP only on interfaces that face a multicast receiver.
The receivers can be only one Layer 3 hop away from the virtual
router. IGMP messages are Layer 2 messages that have a TTL value
of one and, therefore, cannot go outside the LAN.

When you Configure IP Multicast, specify whether an interface uses
IGMP Version 1, IGMP Version 2, or IGMP Version 3. You can enforce
the IP Router Alert option (RFC 2113), so that incoming IGMP packets
that use IGMPv2 or IGMPv3 must have the IP Router Alert option.
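
The two properties described above for incoming IGMP packets (a TTL of one, and the RFC 2113 Router Alert option on IGMPv2 and IGMPv3 packets) can be checked on packets taken from a capture. The following Python is an added example, not PAN-OS code; the function names, the constructed sample-packet builder, and the treatment of type 0x12 as the only IGMPv1 message are assumptions of this example.

```python
import struct

ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # RFC 2113: type 148, length 4, value 0
IGMP_TYPES = {0x11: "query", 0x12: "v1-report", 0x16: "v2-report", 0x17: "v2-leave", 0x22: "v3-report"}

def inet_checksum(data: bytes) -> int:  # 16-bit ones' complement checksum, as IGMP uses
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def has_router_alert(options: bytes) -> bool:  # walk the IPv4 options area
    i = 0
    while i < len(options) and options[i] != 0:      # 0 = End of Option List
        if options[i] == 1:                          # 1 = No-Operation (one byte)
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return False                             # malformed option length
        if options[i:i + options[i + 1]] == ROUTER_ALERT:
            return True
        i += options[i + 1]
    return False

def check_igmp(packet: bytes, require_router_alert: bool = True):  # -> (verdict, detail)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return ("drop", "not IPv4")
    ihl, total_len = (packet[0] & 0x0F) * 4, struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or packet[9] != 2 or not ihl + 8 <= total_len <= len(packet):
        return ("drop", "not a complete IGMP packet")
    if packet[8] != 1:
        return ("drop", "TTL is not 1")
    if inet_checksum(packet[ihl:total_len]) != 0:
        return ("drop", "bad IGMP checksum")
    kind = IGMP_TYPES.get(packet[ihl])
    if kind is None:
        return ("drop", "unknown IGMP type")
    # Assumption: only type 0x12 is treated as IGMPv1 and exempt from enforcement.
    if require_router_alert and kind != "v1-report" and not has_router_alert(packet[20:ihl]):
        return ("drop", "missing Router Alert")
    return ("accept", kind)

def build_sample(ttl: int, options: bytes, igmp_type: int, group: bytes) -> bytes:  # constructed test packet
    body = struct.pack("!BBH4s", igmp_type, 0, 0, group)
    body = body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45 + len(options) // 4, 0xC0, 28 + len(options),
                     0, 0, ttl, 2, 0, bytes([192, 0, 2, 10]), group)  # IP checksum left 0
    return ip + options + body
```

For instance, `check_igmp(build_sample(1, b"", 0x16, bytes([239, 1, 1, 1])))` reports a missing Router Alert, while the same packet built with `ROUTER_ALERT` as its options is accepted.
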

By default, an interface accepts IGMP Membership reports for
all multicast groups. You can configure multicast group permissions
to control the groups for which the virtual router accepts Membership
reports from any source (Any-Source Multicast, or ASM), which is
basically PIM Sparse Mode (PIM-SM). You can also specify the groups
for which the virtual router accepts Membership reports from a specific
source (PIM Source-Specific Multicast [PIM-SSM]). If you specify
permissions for either ASM or SSM groups, the virtual router denies
Membership reports from other groups. The interface must use IGMPv3
to pass PIM-SSM traffic.

You can specify the maximum number of sources and the maximum
number of multicast groups that IGMP can process simultaneously
for an interface.

The virtual router multicasts an IGMP Query at regular intervals
to all receivers of a multicast group. A receiver responds to an
IGMP Query with an IGMP Membership report that confirms the receiver
still wants to receive multicast traffic for that group. The virtual
router maintains a table of the multicast groups that have receivers;
the virtual router forwards a multicast packet out the interface
to the next hop only if there is still a receiver down that multicast
distribution tree that is joined to the group. The virtual router
does not track exactly which receivers are joined to a group. Only
one router on a subnet responds to IGMP Queries and that is the
IGMP Querier, which is the router with the lowest IP address.

You can configure an interface with an IGMP Query interval and
the amount of time allowed for a receiver to respond to a query
(the Max Query Response Time). When a virtual router receives an
IGMP Leave message from a receiver to leave a group, the virtual
router checks that the interface that received the Leave message
is not configured with the Immediate Leave option. In the absence
of the Immediate Leave option, the virtual router sends a Query
to determine whether there are still receiver members for the group.
The Last Member Query Interval specifies how many seconds are allowed
for any remaining receivers for that group to respond and confirm that
they still want multicast traffic for that group.

An interface supports the IGMP robustness variable, which you
can adjust so that the firewall then tunes the Group Membership
Interval, Other Querier Present Interval, Startup Query Count, and
Last Member Query Count. A higher robustness variable can accommodate
a subnet that is likely to drop packets.

View IP Multicast Information to see IGMP-enabled interfaces,
the IGMP version, Querier address, robustness setting, limits on
the number of multicast groups and sources, and whether the interface
is configured for Immediate Leave. You can also see the multicast
groups to which interfaces belong and other IGMP membership information.