Fortinet black logo

Handbook

Blocking IPv6 packets by extension headers

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:144409
Download PDF

Blocking IPv6 packets by extension headers

FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax:

config firewall ipv6-eh-filter.

The following commands are now available:

  • set hop-opt {disable | enable}: Block packets with Hop-by-Hop Options header.
  • set dest-opt {disable | enable}: Block packets with Destination Options header.
  • set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255).
  • set routing {disable | enable}: Block packets with Routing header.
  • set routing-type <integar>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
  • set fragment {disable | enable}: Block packets with Fragment header.
  • set auth {disable | enable}: Block packets with Authentication header.
  • set no-next {disable | enable}: Block packets with No Next header.

Blocking IPv6 packets by extension headers

FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax:

config firewall ipv6-eh-filter.

The following commands are now available:

  • set hop-opt {disable | enable}: Block packets with Hop-by-Hop Options header.
  • set dest-opt {disable | enable}: Block packets with Destination Options header.
  • set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255).
  • set routing {disable | enable}: Block packets with Routing header.
  • set routing-type <integar>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
  • set fragment {disable | enable}: Block packets with Fragment header.
  • set auth {disable | enable}: Block packets with Authentication header.
  • set no-next {disable | enable}: Block packets with No Next header.