IPv6 quick start
This section provides an introduction to setting up a few basic IPv6 settings on the FortiGate. See Basic administration for more information about basic FortiGate administration.
This chapter provides instructions for basic IPv6 configuration that should work in most cases, regardless of whether the device has an existing IPv4 configuration or is a new FortiGate device. |
The topics covered in this section include:
Before starting, make sure to enable the IPv6 feature.
To enable IPv6 in the GUI:
-
Go to System > Feature Visibility.
-
Under Core Features, enable IPv6.
-
Click Apply.
Configuring an interface
To configure an interface in the GUI:
-
Go to Network > Interfaces.
-
Select an interface and click Edit.
-
In the Address section, enter the IPv6 Address/Prefix.
-
In the Administrative Access section, select the IPv6 access options as needed (such as PING, HTTPS, and SSH).
-
Click OK.
To configure an interface in the CLI:
config system interface edit <interface name> config ipv6 set ip6-address <IPv6 prefix> set ip6-allowaccess{ping | https | ssh | snmp | http | telnet | fgfm | fabric} end next end
Configuring the default route
Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. Set the interface to be the interface the gateway is connected to.
To configure the default route in the GUI:
-
Go to Network > Static Routes.
-
Click Create New > IPv6 Static Route.
-
Leave the Destination prefix as ::/0. This is known as a default route, since it would match any IPv6 address.
-
Enter the Gateway Address.
-
Select an Interface.
-
Click OK.
To configure the default route in the CLI:
config router static6 edit 0 set gateway <IPv6 address> set device <interface name> next end
Configuring the DNS
To configure a DNS domain list in the GUI:
-
Go to Network > DNS.
-
Under IPv6 DNS Settings, configure the primary and secondary DNS servers as needed.
-
Click Apply.
To configure a DNS domain list in the CLI:
config system dns set ip6-primary <IPv6 address> set ip6-secondary <IPv6 address> end
Configuring the address object
Addresses define sources and destinations of network traffic and can be used in many functions such as firewall policies, ZTNA, and so on. When creating an IPv6 address object, several different types of addresses can be specified similar to IPv4 addresses. See Address Types for more information.
To configure an IPv6 address in the GUI:
-
Go to Policy & Objects > Addresses.
-
Select Create New > Address.
-
In the Category field, select IPv6 Address.
-
Enter a Name for the address object.
-
In the Type field, select one of the types from the dropdown menu.
-
Configure the rest of the settings as required.
-
Click OK.
To configure an IPv6 address in the CLI:
config firewall address6 edit <name> set type {ipprefix | iprange | fqdn | geography | dynamic | template | mac} next end
Configuring the address group
Address groups are designed for ease of use in the administration of the device. See Address group for more information.
To create an address group:
-
Go to Policy & Objects > Addresses.
-
Go to Create New > Address Group.
-
In the Category field, select IPv6 Group.
-
Enter a Group name for the address object.
-
Select the + in the Members field. The Select Entries pane opens.
-
Select members of the group. It is possible to select more than one entry. Select the x icon in the field to remove an entry.
-
Enter any additional information in the Comments field.
-
Click OK.
To configure an address group in the CLI:
config firewall addrgrp6 edit <name> set member <name> next end
Configuring the firewall policy
A firewall policy must be in place for any traffic that passes through a FortiGate. See Firewall policy parameters for more information.
To create a firewall policy in the GUI:
-
Go to Policy & Objects > Firewall Policy.
-
Enter a Name and configure the following necessary settings:
Incoming Interface Incoming (ingress) interface Outgoing Interface Outgoing (egress) interface Source Source IPv6 address name and address group names Destination Destination IPv6 address name and address group names Schedule Schedule name Service Service and service group names Action Policy action
To configure a firewall policy in the CLI:
config firewall policy edit <policyid> set srcintf <name> set dstintf <name> set action {accept | deny} set srcaddr6 <name> set dstaddr6 <name> set schedule <name> set service <name> next end
See IPv6 quick start example for a sample configuration.