Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    Home FortiADC 6.2.1 Handbook
    6.2.1
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.1
    6.0.0
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.6
    5.3.5
    5.3.4
    5.3.3
    5.3.2
    5.3.1
    5.3.0
    5.2.7

    Configuring an IPv6 firewall policy

    Configuring an IPv6 firewall policy

    A firewall policy is a filter that allows or denies traffic based on a matching tuple: source address, destination address, and service. By default, firewall policy rules are stateful: if client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.

    The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.

    By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.

    Note: You do not need to create firewall rules for routine management traffic associated with the management port or HA ports. The interface “allow access” option enables permitted protocols. The system automatically permits from-self traffic, such as health check traffic, and expected responses.

    Before you begin:

    • You must have a good understanding and knowledge of firewalls.
    • You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
    • You must have Read-Write permission for Firewall settings.
    To configure a firewall:
    1. Go to Network Security > Firewall > IPv6 Firewall Policy.
    2. Click Create New to display the configuration editor.
    3. Complete the configuration as described in Firewall policy configuration.
    4. Save the configuration.
    5. Reorder rules, as necessary.

    Firewall policy configuration
    Settings Guidelines

    Default Action

    Action when no rule matches or no rules are configured:

    • Deny—Drop the traffic.
    • Accept—Allow the traffic to pass the firewall.

    Rule

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Ingress Interface

    Select the interface that receives traffic.

    Egress Interface

    Select an outgoing interface from the drop-down list if your FortiADC is configured for link load-balancing and/or traffic routing. In both cases, the system will use this interface to forward traffic to its destination.

    Note: You MUST leave this option blank (default) if your FortiADC is configured for server load-balancing and/or global load-balancing. Otherwise, server load-balancing and/or global load-balancing packets may not match the firewall policy rule.

    Source

    Select a source address object or address group to use to form the matching tuple.

    Destination

    Select a destination address object or address group to use to form the matching tuple.

    Service

    Select a service object to use to form the matching tuple.

    Action
    • Deny—Drop the traffic.
    • Accept—Allow the traffic to pass the firewall.

    Status

    Enabled by default.

    Note: This button simplifies the implementation of firewall policy/NAT rules, allowing you to turn a policy rule ON or OFF with a click of the button. When a firewall policy rule is disabled, it will be removed from the relevant IP tables, and will be added to the IP table when the rule is enabled.

    Reordering

    Reorder

    After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
    Previous
    Next

    Configuring an IPv6 firewall policy

    Configuring an IPv6 firewall policy

    A firewall policy is a filter that allows or denies traffic based on a matching tuple: source address, destination address, and service. By default, firewall policy rules are stateful: if client-to-server traffic is allowed, the session is maintained in a state table, and the response traffic is allowed.

    The FortiADC system evaluates firewall policies before other rules. It matches traffic against the firewall policy table, beginning with the first rule. If a rule matches, the specified action is taken. If the session is denied by a firewall policy rule, it is dropped. If the session is accepted, system processing continues.

    By default, if firewall rules are not configured, the system does not perform firewall processing; all traffic is processed as if the system were a router, and traffic is forwarded according to routing and other system rules.

    Note: You do not need to create firewall rules for routine management traffic associated with the management port or HA ports. The interface “allow access” option enables permitted protocols. The system automatically permits from-self traffic, such as health check traffic, and expected responses.

    Before you begin:

    • You must have a good understanding and knowledge of firewalls.
    • You must have created the address configuration objects and service configuration objects that define the matching tuple in your firewall policy rules.
    • You must have Read-Write permission for Firewall settings.
    To configure a firewall:
    1. Go to Network Security > Firewall > IPv6 Firewall Policy.
    2. Click Create New to display the configuration editor.
    3. Complete the configuration as described in Firewall policy configuration.
    4. Save the configuration.
    5. Reorder rules, as necessary.

    Firewall policy configuration
    Settings Guidelines

    Default Action

    Action when no rule matches or no rules are configured:

    • Deny—Drop the traffic.
    • Accept—Allow the traffic to pass the firewall.

    Rule

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    Ingress Interface

    Select the interface that receives traffic.

    Egress Interface

    Select an outgoing interface from the drop-down list if your FortiADC is configured for link load-balancing and/or traffic routing. In both cases, the system will use this interface to forward traffic to its destination.

    Note: You MUST leave this option blank (default) if your FortiADC is configured for server load-balancing and/or global load-balancing. Otherwise, server load-balancing and/or global load-balancing packets may not match the firewall policy rule.

    Source

    Select a source address object or address group to use to form the matching tuple.

    Destination

    Select a destination address object or address group to use to form the matching tuple.

    Service

    Select a service object to use to form the matching tuple.

    Action
    • Deny—Drop the traffic.
    • Accept—Allow the traffic to pass the firewall.

    Status

    Enabled by default.

    Note: This button simplifies the implementation of firewall policy/NAT rules, allowing you to turn a policy rule ON or OFF with a click of the button. When a firewall policy rule is disabled, it will be removed from the relevant IP tables, and will be added to the IP table when the rule is enabled.

    Reordering

    Reorder

    After you have saved a rule, reorder rules as necessary. The rules table is consulted from top to bottom. The first rule that matches is applied and subsequent rules are not evaluated.
    Previous
    Next