ZTNA IPv6 examples

IPv6 can be configured in ZTNA in several scenarios:

  • IPv6 Client — IPv6 Access Proxy — IPv6 Server

  • IPv6 Client — IPv6 Access Proxy — IPv4 Server

  • IPv4 Client — IPv4 Access Proxy — IPv6 Server

These examples show the basic configuration for each scenario. It is assumed that the EMS fabric connector is already successfully connected.

Example 1: IPv6 Client — IPv6 Access Proxy — IPv6 Server

To configure the FortiGate:
  1. Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end

    The client uses this host name (qa6.test.com) to connect to the access proxy.

  3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end
  4. Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
  5. Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
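The five steps above build a chain of objects that refer to each other by name: the access proxy names the VIP6 and the virtual host, the proxy policy names the access proxy, and the firewall policy names the VIP6 as its destination. A typo in any one of these references produces a configuration that the CLI accepts but that never forwards client traffic. The following Python script is an added example, not Fortinet's code and not part of this page: it parses the Example 1 snippets (a constructed sample copied from the steps above and trimmed to the settings it inspects) into nested dicts and reports dangling references and addresses of the wrong family. The table names, the rule that the VIP6 must appear as a firewall-policy dstaddr6, and the function names are assumptions read off the snippets, not a documented FortiOS API. It goes one step beyond the page by taking the expected real-server address family as a parameter, so the same checks apply to the IPv4-server scenario listed at the top.

```python
"""Added example, not Fortinet's code: parse the FortiOS CLI snippets from Example 1
into nested dicts and check that the ZTNA objects reference each other consistently.
The checks are assumptions read off the page's snippets, not a documented FortiOS API."""
import ipaddress
import shlex

# Constructed sample: the Example 1 snippets, trimmed to the settings the checks look at.
SAMPLE_CONFIG = """
config firewall vip6
    edit "zv6"
        set type access-proxy
        set extip 2000:172:18:62::66
    next
end
config firewall access-proxy-virtual-host
    edit "vhost_ipv6"
        set host "qa6.test.com"
    next
end
config firewall access-proxy6
    edit "zs6"
        set vip "zv6"
        config api-gateway6
            edit 1
                set virtual-host "vhost_ipv6"
                config realservers
                    edit 1
                        set ip 2000:172:16:200::209
                    next
                end
            next
        end
    next
end
config firewall proxy-policy
    edit 1
        set access-proxy6 "zs6"
    next
end
config firewall policy
    edit 4
        set dstaddr6 "zv6"
    next
end
"""

def parse_fortios(text):
    """Turn config/edit/set/next/end into nested dicts; multi-value settings are space-joined."""
    root = {}
    stack = [root]
    for line in text.splitlines():
        cmd, *args = shlex.split(line) or [""]
        if cmd == "config":            # open (or reopen) a table
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":            # open an entry in the current table
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])
        elif cmd in ("next", "end"):   # close the entry or table
            stack.pop()
    return root

def _is_ip(value, version):
    try:
        return ipaddress.ip_address(value).version == version
    except ValueError:
        return False

def check_ztna_ipv6(cfg, realserver_version=6):
    """Return the problems found; an empty list means every reference resolves."""
    problems = []
    def need(ok, msg):
        if not ok:
            problems.append(msg)
    vips = cfg.get("firewall vip6", {})
    vhosts = cfg.get("firewall access-proxy-virtual-host", {})
    proxies = cfg.get("firewall access-proxy6", {})
    for name, vip in vips.items():                       # step 1
        need(vip.get("type") == "access-proxy", f"vip6 {name}: type must be access-proxy")
        need(_is_ip(vip.get("extip"), 6), f"vip6 {name}: extip is not an IPv6 address")
    for name, proxy in proxies.items():                  # step 3
        need(proxy.get("vip") in vips, f"access-proxy6 {name}: vip {proxy.get('vip')!r} is not a vip6 object")
        for gw_id, gw in proxy.get("api-gateway6", {}).items():
            need(gw.get("virtual-host") in vhosts, f"access-proxy6 {name} gateway {gw_id}: unknown virtual-host")
            for rs_id, rs in gw.get("realservers", {}).items():
                need(_is_ip(rs.get("ip"), realserver_version),
                     f"access-proxy6 {name} realserver {rs_id}: ip is not IPv{realserver_version}")
    for name, pol in cfg.get("firewall proxy-policy", {}).items():   # step 4
        ap = pol.get("access-proxy6")
        need(ap is None or ap in proxies, f"proxy-policy {name}: access-proxy6 {ap!r} is not configured")
    # Step 5 (assumption): the VIP6 the proxy listens on must be a dstaddr6 in some firewall policy.
    allowed = {a for p in cfg.get("firewall policy", {}).values() for a in p.get("dstaddr6", "").split()}
    for vip in {p.get("vip") for p in proxies.values()} - allowed:
        need(False, f"vip6 {vip}: no firewall policy lists it as dstaddr6")
    return problems
```

Calling `check_ztna_ipv6(parse_fortios(SAMPLE_CONFIG))` returns an empty list for the page's configuration; renaming the VIP in only one of the objects, or pointing the real server at an address of the other family, produces a message naming the object and the step where the mismatch lives. The parser is deliberately minimal: it handles the nesting shown on this page and stores multi-value settings space-joined, so object names containing spaces are out of scope.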
To test the configuration:
  1. On an IPv6 client, ensure that the host name qa6.test.com resolves to the IPv6 VIP address 2000:172:18:62::66.