IPv6 quick start

This section provides an introduction to setting up a few basic IPv6 settings on the FortiGate. See Basic administration for more information about basic FortiGate administration.

This chapter provides instructions for basic IPv6 configuration that should work in most cases, regardless of whether the device has an existing IPv4 configuration or is a new FortiGate device.

The topics covered in this section include:

• Configuring an interface

• Configuring the default route

• Configuring the DNS

• Configuring the address object

• Configuring the address group

• Configuration example

Before starting, make sure to enable the IPv6 feature.

To enable IPv6 in the GUI:

1. Go to System > Feature Visibility.

2. Under Core Features, enable IPv6.

3. Click Apply.

Configuring an interface

To configure an interface in the GUI:

1. Go to Network > Interfaces.

2. Select an interface and click Edit.

3. In the Address section, enter the IPv6 Address/Prefix.

4. In the Administrative Access section, select the IPv6 access options as needed (such as PING, HTTPS, and SSH).

5. Click OK.

To configure an interface in the CLI:

config system interface
    edit <interface name>
        config ipv6
            set ip6-address <IPv6 prefix>
            set ip6-allowaccess{ping | https | ssh | snmp | http | telnet | fgfm | fabric}
        end       
    next
end

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. Set the interface to be the interface the gateway is connected to.

To configure the default route in the GUI:

1. Go to Network > Static Routes.

2. Click Create New > IPv6 Static Route.

3. Leave the Destination prefix as ::/0. This is known as a default route, since it would match any IPv6 address.

4. Enter the Gateway Address.

5. Select an Interface.

6. Click OK.

To configure the default route in the CLI:

config router static6
    edit 0
        set gateway <IPv6 address>
        set device <interface name>
    next
end

Configuring the DNS

To configure a DNS domain list in the GUI:

1. Go to Network > DNS.

2. Under IPv6 DNS Settings, configure the primary and secondary DNS servers as needed.

3. Click Apply.

To configure a DNS domain list in the CLI:

config system dns
    set ip6-primary <IPv6 address>
    set ip6-secondary <IPv6 address>
end

Configuring the address object

Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, and so on. When creating an IPv6 address object, several different types of addresses can be specified similar to IPv4 addresses. See Address Types for more information.

To configure an IPv6 address in the GUI:

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address.

3. In the Category field, select IPv6 Address.

4. Enter a Name for the address object.

5. In the Type field, select one of the types from the dropdown menu.

6. Configure the rest of the settings as required.

7. Click OK.

To configure an IPv6 address in the CLI:

config firewall address6
    edit <name>
        set type {ipprefix | iprange | fqdn | geography | dynamic | template | mac}
    next
end

Configuring the address group

Address groups are designed for ease of use in the administration of the device. See Address group for more information.

To create an address group:

1. Go to Policy & Objects > Addresses.

2. Go to Create New > Address Group.

3. In the Category field, select IPv6 Group.

4. Enter a Group name for the address object.

5. Select the + in the Members field. The Select Entries pane opens.

6. Select members of the group. It is possible to select more than one entry. Select the x icon in the field to remove an entry.

7. Enter any additional information in the Comments field.

8. Click OK.

To configure an address group in the CLI:

config firewall addrgrp6
    edit <name>
        set member <name>
    next
end

Configuration example

In this example, a host belonging to a specific range on the internal IPv6 network can communicate exclusively with the web server and FTP server.

Additionally, all internal clients can access the Internet.

Prerequisites

Before you begin to configure IPv6, please go through the following steps:

1. Obtain an IPv6 /48 global routing prefix, commonly known as a site prefix. To procure a 48-bit IPv6 site prefix for your organization simply liaise with your ISP.

2. Design a subnetting plan for your organization's IPv6 network using a 16-bit subnet ID, allowing for up to 65 535 subnets. The specific scheme will depend on the network's size, structure, and the organization's needs.

At this stage, the following installation and configuration conditions are assumed:

• You have administrative access to the GUI or CLI.

• The FortiGate unit is incorporated into your WAN or other networks, but for simplicity, only the standalone ForiGate configuration is displayed.

Topology

The following topology is used for this example:

• The company is assigned the site prefix of 2001:db8:d0c::/48 by their ISP.

• The IPv6 address for the Web Server is 2001:db8:d0c:3::1/64.

• The IPv6 address for the FTP Server is 2001:db8:d0c:3::2/64.

• The IPv6 address for the TFTP Server is 2001:db8:d0c:3::3/64.

• The range on the internal IPv6 network that can access both servers is from 2001:db8:d0c:2::1 to 2001:db8:d0c:2::32.

• The IPv6 address of port1 is 2001:db8:d0c:1::1/64.

• The IPv6 address of port2 is 2001:db8:d0c:2::f/64.

• The IPv6 address of port3 is 2001:db8:d0c:3::f/64.

• The IPv6 address of the default gateway is 2001:db8:d0c:1::f/64.

Please note that the IPv6 addresses used in this example are for illustrative purposes only and should not be used in your environment. The 2001:db8::/32 prefix is a special IPv6 prefix designated for use in documentation examples. See RFC 3849 for more information.

To configure the example in the GUI:

1. Configure the IPv6 address on port1, port2 and port3:

   1. Go to Network > Interfaces and edit port1.

   2. For IPv6 addressing Mode, select manual and enter the IPv6 Address/Prefix.

      IPv6 Address/Prefix

      2001:db8:d0c:1::1/64

   3. Click OK.

   4. Repeat steps a and b for port2.

      IPv6 Address/Prefix

      2001:db8:d0c:2::f/64

   5. Repeat steps a and b for port3.

      IPv6 Address/Prefix

      2001:db8:d0c:3::f/64

2. Configure the default route:

   1. Go to Network > Static Routes.

   2. Click Create New > IPv6 Static Route.

   3. Configure the following settings:

      Destination	::/0
      Gateway Address	2001:db8:d0c:1::f
      Interface	port1

   4. Select OK.

3. Configure the IPv6 firewall address for the Web Server:

   1. Go to Policy & Objects > Addresses.

   2. Select Create New > Address.

   3. Select IPv6 Address and fill out the fields with the following information:

      Name	Web_Server
      Type	IPv6 Subnet
      IPv6 Address	2001:db8:d0c:3::1/128

   4. Select OK.

4. Configure the IPv6 firewall address for the FTP Server:

   1. Go to Policy & Objects > Addresses.

   2. Select Create New > Address.

   3. Select IPv6 Address and fill out the fields with the following information:

      Name	FTP_Server
      Type	IPv6 Subnet
      IPv6 Address	2001:db8:d0c:3::2/128

   4. Select OK.

5. Configure the IPv6 address group, which includes both the Web and FTP servers:

   1. Go to Policy & Objects > Addresses.

   2. Select Create New > Address Group.

   3. Select IPv6 Group and fill out the fields with the following information:

      Group name	Custom_Server
      Members	Web_Server, FTP_Server

   4. Select OK.

6. Configure the IPv6 firewall address for the Internal IPv6 network range which can access both the Web and FTP server:

   1. Go to Policy & Objects > Addresses.

   2. Select Create New > Address.

   3. Select IPv6 Address and fill out the fields with the following information:

      Name	Internal_Custom_Range
      Type	IPv6 Range
      IP Range	2001:db8:d0c:2::1 - 2001:db8:d0c:2::32

   4. Select OK.

7. Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:

   1. Go to Policy & Objects > Firewall Policy.

   2. Click Create New.

   3. Name the policy and configure the following parameters:

      Incoming Interface	port2
      Outgoing Interface	port3
      Source	Internal_Custom_Range
      Destination	Custom_Server
      Schedule	always
      Service	FTP, HTTPS
      Action	ACCEPT

   4. Click OK.

8. Configure the IPv6 firewall policy to allow IPv6 traffic from internal clients to the Internet:

   1. Go to Policy & Objects > Firewall Policy.

   2. Click Create New.

   3. Name the policy and configure the following parameters:

      Incoming Interface	port2
      Outgoing Interface	port1
      Source	all
      Destination	all
      Schedule	always
      Service	ALL
      Action	ACCEPT

   4. Click OK.

To configure the example in the CLI:

1. Configure the IPv6 address on port1, port2, and port3:

   config system interface
       edit "port1"
           config ipv6
               set ip6-address 2001:db8:d0c:1::1/64 
           end
       next
       edit "port2"
           config ipv6
               set ip6-address 2001:db8:d0c:2::f/64 
           end
       next
       edit "port3"
           config ipv6
               set ip6-address 2001:db8:d0c:3::f/64
           end
       next
   end

2. Configure the default route:

   config router static6
       edit 0
           set gateway 2001:db8:d0c:1::f
           set device "port1"
       next
   end

3. Configure the IPv6 firewall address for the Web Server:

   config firewall address6
       edit "Web_Server"
           set ip6 2001:db8:d0c:3::1/128
       next
   end

4. Configure the IPv6 firewall address for the FTP Server:

   config firewall address6
       edit "FTP_Server"
           set ip6 2001:db8:d0c:3::2/128
       next
   end

5. Configure the IPv6 address group, which includes for the Web and FTP Servers:

   config firewall addrgrp6
       edit "Custom_Server"
           set member "FTP_Server" "Web_Server"
       next
   end
   

6. Configure the IPv6 firewall address for the Internal IPv6 network range which can access both the Web and FTP Server:

   config firewall address6
       edit "Internal_Custom_Range"
           set type iprange
           set start-ip 2001:db8:d0c:2::1 
           set end-ip 2001:db8:d0c:2::32
       next
   end

7. Configure the IPv6 firewall policy to allow IPv6 traffic from Internal_Custom_Range to Custom_Server:

   config firewall policy
       edit 1
           set name "IPv6_internal_to_server"
           set srcintf "port2"
           set dstintf "port3"
           set action accept
           set srcaddr6 "Internal_Custom_Range"
           set dstaddr6 "Custom_Server"
           set schedule "always"
           set service "FTP" "HTTPS"
           set utm-status enable
           set logtraffic all
       next
   end
   

8. Configure the IPv6 firewall policy to allow IPv6 traffic from Internal clients to the Internet:

   config firewall policy
       edit 1
           set name "IPv6_internal_to_internet"
           set srcintf "port2"
           set dstintf "port1"
           set action accept
           set srcaddr6 "all"
           set dstaddr6 "all"
           set schedule "always"
           set service "ALL"
           set utm-status enable
           set logtraffic all
       next
   end

Verification

The following commands can be used to verify that IPv6 traffic is entering and leaving the FortiGate as expected. See Debugging the packet flow for more information.

diagnose debug enable 
diagnose debug flow trace start6 200 

The output below indicates that hosts belonging to the Internal_Custom_Range can successfully reach both the Web_Server and FTP_Server defined in the Custom_Server address group.

However, they are unable to reach the TFTP server, as it is not included in the Custom_Server group. Furthermore, hosts with IPv6 addresses that do not belong to the Internal_Custom_Range are not able to access Custom_Server.

Host belonging to Internal_Custom_Range accessing Web_Server:

id=65308 trace_id=21 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::1:55114->2001:db8:d0c:3::1:443) from port2."
id=65308 trace_id=21 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000006b"
id=65308 trace_id=21 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001"
id=65308 trace_id=21 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3"
id=65308 trace_id=21 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"

Host belonging to Internal_Custom_Range accessing FTP_Server:

id=65308 trace_id=6 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::32:50982->2001:db8:d0c:3::2:21) from port2."
id=65308 trace_id=6 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000053"
id=65308 trace_id=6 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001"
id=65308 trace_id=6 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3"
id=65308 trace_id=6 func=fw6_forward_handler line=638 msg="Allowed by Policy-1:"

Host belonging to Internal_Custom_Range accessing TFTP Server:

id=65308 trace_id=17 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=17, 2001:db8:d0c:2::32:65316->2001:db8:d0c:3::3:69) from port2."
id=65308 trace_id=17 func=resolve_ip6_tuple line=5102 msg="allocate a new session-00000055"
id=65308 trace_id=17 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001"
id=65308 trace_id=17 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3"
id=65308 trace_id=17 func=fw6_forward_handler line=530 msg="Denied by forward policy check"

Host not belonging to Internal_Custom_Range accessing FTP_Server:

id=65308 trace_id=1 func=resolve_ip6_tuple_fast line=4962 msg="vd-root:0 received a packet(proto=6, 2001:db8:d0c:2::33:52555->2001:db8:d0c:3::2:21) from port2."
id=65308 trace_id=1 func=resolve_ip6_tuple line=5102 msg="allocate a new session-0000004d"
id=65308 trace_id=1 func=ip6_route_input line=2186 msg="find a route: gw-:: via port3 err 0 flags 40000001"
id=65308 trace_id=1 func=fw6_forward_handler line=501 msg="Check policy between port2 -> port3"
id=65308 trace_id=1 func=fw6_forward_handler line=530 msg="Denied by forward policy check"

Internal clients accessing the Internet:

The output below indicates that internal clients can successfully reach the internet.

1. Go to Log & Report > Forward Traffic.

2. View the log details in the GUI, or download the log file:

   1: date=2023-05-10 time=13:22:54 eventtime=1683750174692262952 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::1 srcport=64780 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::83fd:21c8 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=15723 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" duration=3 sentbyte=47192 rcvdbyte=13199 sentpkt=49 rcvdpkt=48 appcat="unscanned"
   2: date=2023-05-10 time=13:19:47 eventtime=1683749987902192921 tz="-0700" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=2001:db8:d0c:2::33 srcport=51246 srcintf="port2" srcintfrole="undefined" dstip=64:ff9b::349f:31c7 dstport=443 dstintf="port1" dstintfrole="undefined" sessionid=15126 proto=6 action="close" policyid=2 policytype="policy" poluuid="ea8a972e-d7e9-51ed-9b29-757f04e7194c" policyname="IPv6_internal_to_internet" srccountry="Reserved" service="HTTPS" trandisp="noop" duration=59 sentbyte=5109 rcvdbyte=7726 sentpkt=13 rcvdpkt=11 appcat="unscanned"