
How to Enable PIM-SM in IPSO

6 August 2014

Classification: [Protected]
© 2014 Check Point Software Technologies Ltd.
All rights reserved. This product and related documentation are protected by copyright and distributed under
licensing restricting their use, copying, distribution, and decompilation. No part of this product or related
documentation may be reproduced in any form or by any means without prior written authorization of Check
Point. While every precaution has been taken in the preparation of this book, Check Point assumes no
responsibility for errors or omissions. This publication and features described herein are subject to change
without notice.
RESTRICTED RIGHTS LEGEND:
Use, duplication, or disclosure by the government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 and FAR
52.227-19.
TRADEMARKS:
Refer to the Copyright page (http://www.checkpoint.com/copyright.html) for a list of our trademarks.
Refer to the Third Party copyright notices (http://www.checkpoint.com/3rd_party_copyright.html) for a list of
relevant copyrights and third-party licenses.

How to Enable PIM-SM (Sparse Mode) in IPSO
Objective
This document outlines the setup and verification of PIM Sparse Mode on IPSO 6.2 with Check Point Security
Gateway.

Details
Supported Versions
• Check Point Security Gateway R70 and up

Supported OS
• IPSO 6.2 (all builds)

Supported Appliances
• All IP Series Appliances

Before You Start


Related Documentation and Assumed Knowledge
• How to stage a very simple IP Multicast PIM-SSM lab (sk38824)
• Please explain why my IP Appliance will not route Multicast Packets? (sk38790)
• How to allow Dynamic Routing protocols traffic (OSPF, BGP, PIM, RIP, IGRP) through Check Point Security Gateway (sk39960)

Warnings and Environmental Impact


• As this was configured and tested in a lab environment with no production traffic, we cannot comment on the impact on overall system utilization.

Enabling PIM-SM
To configure IPSO and enable PIM on the relevant interfaces:
1. Connect to Voyager of the appliance and log in.
2. Navigate to Routing in the System tree.
3. Click PIM.
4. Click the Sparse button.
5. Click Enable for the relevant interfaces that participate in PIM-SM. For this document, we use eth2
(192.168.0.0/24) and eth3 (192.168.130.0/24).
6. Click Save at the bottom to commit the configuration.
7. Click Enable for both Bootstrap candidate and Candidate RP. In the Local Address textbox, enter the
IP address of either local interface participating in PIM-SM. For this document, we use 192.168.0.254,
the local interface of eth2.
8. Click Save at the bottom to commit the configuration.
9. Log off Voyager.

To create required objects for the Security Policy:
1. Log in to Smart Dashboard.
2. Create host objects for the Multicast Sender (multicast_sender) and the Multicast Receiver
(multicast_receiver). These machines send and receive the multicast traffic.
3. Create a host object for the PIM multicast address (224.0.0.13), for example PIM.MCAST.NET.
4. Create a network object to represent the multicast group that is used by the Multicast Sender: 224.0.0.0/4 (for example, multicast_network).

To create rules for the Security Policy:
The security policy requires 2 fundamental rules for PIM-SM to pass the Security Gateway:

| Rule Objective | SOURCE | DESTINATION | SERVICE |
|---|---|---|---|
| Allow PIM traffic from Security Gateway | Security Gateway | PIM.MCAST.NET | pim, igmp |
| Allow multicast traffic | multicast_sender, multicast_receiver | multicast_network | any |

Completing the Procedure


To finish the Security Gateway configuration, install the policy.

Verifying the Policy
To verify that PIM-SM works, we use VLC (www.videolan.org) to stream a video file using PIM-SM.

These assumptions are made:

• multicast_sender is a PC running Windows or Linux.
• multicast_receiver is a PC running Windows or Linux.
• VLC is installed (at the time of this writing, the current version of VLC is 2.0.6 on Windows and 2.0.5 on Linux).
• A video or audio file is available to stream (preferably video).

To use VLC to stream a video file:
1. From the Media menu, choose Stream.
2. Click the Add button and browse to your video (or audio) file. Click Open to return to the Open Media window.
3. Click Stream at the bottom of the window.
4. Click Next.
5. Next to New destination, change the dropdown to RTP/MPEG Transport Stream and click Add.
6. In the Address text box, enter 224.1.2.3. This is the multicast group we stream to.
7. Disable Activate Transcoding and click Next.
8. Change TTL to 30 and click Stream.

To use VLC to connect to a network stream:
1. From the Media menu, select Open Network Stream.
2. In the text box, enter rtp://224.1.2.3:5004. This is the multicast group that the multicast_sender streams to.
3. Click Play.
4. You now see the video stream, or hear the audio stream.
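
The same end-to-end check can be scripted without VLC. The following is an added example, not part of the original Check Point document: it sends or receives one UDP datagram using the group (224.1.2.3), port (5004) and TTL (30) from the steps above. The function names and the probe payload are assumptions made for this example.

```python
import ipaddress
import socket
import struct
import sys

GROUP, PORT, TTL = "224.1.2.3", 5004, 30  # group, RTP port and TTL used on this page


def routable_group(group):
    """True for a multicast group outside 224.0.0.0/24 (link-local, never forwarded by routers)."""
    addr = ipaddress.IPv4Address(group)
    return addr.is_multicast and addr not in ipaddress.IPv4Network("224.0.0.0/24")


def membership_request(group, local_ip="0.0.0.0"):
    """ip_mreq for IP_ADD_MEMBERSHIP; setting it makes the host send the IGMP join."""
    return struct.pack("4s4s", socket.inet_aton(group), socket.inet_aton(local_ip))


def send_probe(payload=b"pim-sm probe", group=GROUP, port=PORT, ttl=TTL):
    """Run on multicast_sender. Returns the number of bytes sent."""
    if not routable_group(group):
        raise ValueError(f"{group} is not a routable multicast group")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # The default multicast TTL is 1, which expires at the first router.
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        return s.sendto(payload, (group, port))


def receive_probe(timeout=10.0, group=GROUP, port=PORT, local_ip="0.0.0.0"):
    """Run on multicast_receiver. Returns (payload, sender_ip), or None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind(("", port))
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                     membership_request(group, local_ip))
        s.settimeout(timeout)
        try:
            data, (src, _port) = s.recvfrom(2048)
        except socket.timeout:
            return None
        return data, src


if __name__ == "__main__":
    if sys.argv[1:] == ["send"]:
        print("sent", send_probe(), "bytes to", GROUP)
    else:
        print("received:", receive_probe())
```

Start it with no argument on multicast_receiver first, then with `send` on multicast_sender. A `None` result on the receiver means no datagram for the group arrived within the timeout.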
