Fortinet black logo

Handbook

IPv6

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:627352
Download PDF

IPv6

Internet Protocol version 6 (IPv6) will succeed IPv4 as the standard networking protocol of the Internet. IPv6 provides a number of advances over IPv4 but the primary reason for its replacing IPv4 is its limitation in addresses. IPv4 uses 32 bit addresses which means there is a theoretical limit of 2 to the power of 32. The IPv6 address scheme is based on a 128 bit address or a theoretical limit of 2 to the power of 128.

In order to configure IPv6 features using the GUI, IPv6 must be enabled using Feature Select. Go to System > Config > Features, enable IPv6, and click Apply.

IPv6 in FortiOS

From an administrative point of view IPv6 works almost the same as IPv4 in FortiOS. The primary differences are the use of IPv6 format for addresses and fewer address types for IPv6. There is also no need for NAT if the FortiGate firewall is the interface between IPv6 networks. If the subnets attached to the FortiGate firewall are IPv6 and IPv4 NAT can be configured between the 2 different formats. This will involve either configuring a dual stack routing or IPv4 tunneling configuration. The reason for this is simple. NAT was developed primarily for the purpose of extending the number of usable IPv4 addresses. IPv6’s addressing allows for enough available addresses so the NAT is no longer necessary.

When configuring IPv6 in FortiOS, you can create a dual stack route or IPv4-IPv6 tunnel. A dual stack routing configuration implements dual IP layers, supporting both IPv4 and IPv6, in both hosts and routers. An IPv4-IPv6 tunnel is essentially similar, creating a tunnel that encapsulates IPv6 packets within IPv4 headers that carry these IPv6 packets over IPv4 tunnels. The FortiGate unit can also be easily integrated into an IPv6 network. Connecting the FortiGate unit to an IPv6 network is exactly the same as connecting it to an IPv4 network, the only difference is that you are using IPv6 addresses.

By default the IPv6 settings are not displayed in the GUI. It is just a matter of enabling the display of these feature to use them through the web interface. To enable them just go to System > Feature Select and select IPv6. Once enabled, you will be able to use IPv6 addresses as well as the IPv4 addressing for the following FortiGate firewall features:

  • Static routing
  • Policy Routing
  • Packet and network sniffing
  • Dynamic routing (RIPv6, BGP4+, and OSPFv3)
  • IPsec VPN
  • DNS
  • DHCP
  • SSL VPN
  • Network interface addressing
  • Security Profiles protection
  • Routing access lists and prefix lists
  • NAT and transparent mode
  • NAT 64 and NAT 66
  • IPv6 tunnel over IPv4 and IPv4 tunnel over IPv6
  • Logging and reporting
  • Security policies
  • SNMP
  • Authentication
  • Virtual IPs and groups
  • IPv6 over SCTP
  • IPv6-specific troubleshooting, such as ping6

IPv6

Internet Protocol version 6 (IPv6) will succeed IPv4 as the standard networking protocol of the Internet. IPv6 provides a number of advances over IPv4 but the primary reason for its replacing IPv4 is its limitation in addresses. IPv4 uses 32 bit addresses which means there is a theoretical limit of 2 to the power of 32. The IPv6 address scheme is based on a 128 bit address or a theoretical limit of 2 to the power of 128.

In order to configure IPv6 features using the GUI, IPv6 must be enabled using Feature Select. Go to System > Config > Features, enable IPv6, and click Apply.

IPv6 in FortiOS

From an administrative point of view IPv6 works almost the same as IPv4 in FortiOS. The primary differences are the use of IPv6 format for addresses and fewer address types for IPv6. There is also no need for NAT if the FortiGate firewall is the interface between IPv6 networks. If the subnets attached to the FortiGate firewall are IPv6 and IPv4 NAT can be configured between the 2 different formats. This will involve either configuring a dual stack routing or IPv4 tunneling configuration. The reason for this is simple. NAT was developed primarily for the purpose of extending the number of usable IPv4 addresses. IPv6’s addressing allows for enough available addresses so the NAT is no longer necessary.

When configuring IPv6 in FortiOS, you can create a dual stack route or IPv4-IPv6 tunnel. A dual stack routing configuration implements dual IP layers, supporting both IPv4 and IPv6, in both hosts and routers. An IPv4-IPv6 tunnel is essentially similar, creating a tunnel that encapsulates IPv6 packets within IPv4 headers that carry these IPv6 packets over IPv4 tunnels. The FortiGate unit can also be easily integrated into an IPv6 network. Connecting the FortiGate unit to an IPv6 network is exactly the same as connecting it to an IPv4 network, the only difference is that you are using IPv6 addresses.

By default the IPv6 settings are not displayed in the GUI. It is just a matter of enabling the display of these feature to use them through the web interface. To enable them just go to System > Feature Select and select IPv6. Once enabled, you will be able to use IPv6 addresses as well as the IPv4 addressing for the following FortiGate firewall features:

  • Static routing
  • Policy Routing
  • Packet and network sniffing
  • Dynamic routing (RIPv6, BGP4+, and OSPFv3)
  • IPsec VPN
  • DNS
  • DHCP
  • SSL VPN
  • Network interface addressing
  • Security Profiles protection
  • Routing access lists and prefix lists
  • NAT and transparent mode
  • NAT 64 and NAT 66
  • IPv6 tunnel over IPv4 and IPv4 tunnel over IPv6
  • Logging and reporting
  • Security policies
  • SNMP
  • Authentication
  • Virtual IPs and groups
  • IPv6 over SCTP
  • IPv6-specific troubleshooting, such as ping6