Fortinet Document Library

Version:

7.0.4
7.0.3
7.0.2

Version:

7.0.1
7.0.0
6.4.8

Version:

6.4.7
6.4.6
6.4.5

Version:

6.4.4
6.4.3
6.4.2

Version:

6.4.1
6.4.0

Table of Contents

Administration Guide

7.0.1
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Download PDF
Copy Link

IPv6 MAC addresses and usage in firewall policies

Users can define IPv6 MAC addresses that can be applied to the following policies:

  • Firewall
  • Virtual wire pair
  • ACL/DoS
  • Central NAT
  • NAT64
  • Local-in

In FortiOS, you can configure a firewall address object with a singular MAC, wildcard MAC, multiple MACs, or a MAC range. In this example, a firewall policy is configured in a NAT mode VDOM with the IPv6 MAC address as a source address.

Note

IPv6 MAC addresses cannot be used as destination addresses in VDOMs when in NAT operation mode.
To configure IPv6 MAC addresses in a policy in the GUI:
  1. Create the MAC address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. For Category, select IPv6 Address.
    3. Enter an address name.
    4. For Type, select Device (MAC Address).
    5. Enter the the MAC address.

    6. Click OK.
  2. Configure the policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select the IPv6 MAC address object.
    3. Configure the other settings as needed.
    4. Click OK.
To configure IPv6 MAC addresses in a policy in the CLI:
  1. Create the MAC address:
    config firewall address6
    edit "test-ipv6-mac-addr-1"
        set type mac
        set macaddr 00:0c:29:b5:92:8d
    next
end
  2. Configure the policy:
    config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end

IPv6 MAC addresses and usage in firewall policies

Users can define IPv6 MAC addresses that can be applied to the following policies:

  • Firewall
  • Virtual wire pair
  • ACL/DoS
  • Central NAT
  • NAT64
  • Local-in

In FortiOS, you can configure a firewall address object with a singular MAC, wildcard MAC, multiple MACs, or a MAC range. In this example, a firewall policy is configured in a NAT mode VDOM with the IPv6 MAC address as a source address.

Note

IPv6 MAC addresses cannot be used as destination addresses in VDOMs when in NAT operation mode.
To configure IPv6 MAC addresses in a policy in the GUI:
  1. Create the MAC address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. For Category, select IPv6 Address.
    3. Enter an address name.
    4. For Type, select Device (MAC Address).
    5. Enter the the MAC address.

    6. Click OK.
  2. Configure the policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select the IPv6 MAC address object.
    3. Configure the other settings as needed.
    4. Click OK.
To configure IPv6 MAC addresses in a policy in the CLI:
  1. Create the MAC address:
    config firewall address6
    edit "test-ipv6-mac-addr-1"
        set type mac
        set macaddr 00:0c:29:b5:92:8d
    next
end
  2. Configure the policy:
    config firewall policy
    edit 2
        set srcintf "wan2"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
        set dstaddr6 "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set auto-asic-offload disable
        set nat enable
    next
end