Fortinet black logo

Administration Guide

ZTNA IPv6 examples

ZTNA IPv6 examples

IPv6 can be configured in ZTNA in several scenarios:

  • IPv6 Client — IPv6 Access Proxy — IPv6 Server

  • IPv6 Client — IPv6 Access Proxy — IPv4 Server

  • IPv4 Client — IPv4 Access Proxy — IPv6 Server

These examples show the basic configuration for each scenario. It is assumed that the EMS fabric connector is already successfully connected.

Example 1: IPv6 Client — IPv6 Access Proxy — IPv6 Server

To configure the FortiGate:
  1. Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end

    The client uses this address to connect to the access proxy.

  3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end
  4. Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
  5. Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
  1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.

  4. In the Forward Traffic Log, the following log is available:

    3: date=2021-06-25 time=13:38:18 eventtime=1624653498459580215 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=55957 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=92406 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2031 rcvdbyte=2031 wanout=1332 lanin=1247 sentbyte=1247 lanout=950 appcat="unscanned" utmaction="allow" countweb=1 utmref=65445-0

Example 2: IPv6 Client — IPv6 Access Proxy — IPv4 Server

To configure the FortiGate:
  1. Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end
    
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end
    

    The client uses this address to connect to the access proxy.

  3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv4 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 172.16.200.209
                        next
                    end
                next
            end
        next
    end
  4. Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
    
  5. Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
  1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv4 real server.

  4. In the Forward Traffic Log, the following log is available:

    2: date=2021-06-25 time=13:46:54 eventtime=1624654014129553521 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=60530 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=219 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2028 rcvdbyte=2028 wanout=1321 lanin=1236 sentbyte=1236 lanout=947 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-14

Example 3: IPv4 Client — IPv4 Access Proxy — IPv6 Server

To configure the FortiGate:
  1. Configure the IPv4 access proxy VIP:

    config firewall vip
        edit "zv4"
            set type access-proxy
            set extip 172.18.62.66
            set extintf “any”
            set server-type https
            set extport 4443
            set ssl-certificate "cert"
        next
    end
    
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv4"
            set ssl-certificate "cert"
            set host "qa.test.com"
        next
    end
    

    The client uses this address to connect to the access proxy.

  3. Configure an IPv4 access proxy and IPv6 api-gateway, apply the VIP and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy
        edit "zs4"
            set vip "zv4"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv4"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end
    
  4. Apply the IPv4 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy "zs4"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
    
    
  5. Apply the IPv4 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "zv4"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
    
To test the configuration:
  1. On an IPv4 client, ensure that the address qa6.test.com resolves to the IPv4 VIP address of 172.18.62.66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.

  4. In the Forward Traffic Log, the following log is available:

    1: date=2021-06-25 time=13:52:30 eventtime=1624654350689576485 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=53492 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=726 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=0 wanin=1901 rcvdbyte=1901 wanout=736 lanin=569 sentbyte=569 lanout=3040 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-28

ZTNA IPv6 examples

IPv6 can be configured in ZTNA in several scenarios:

  • IPv6 Client — IPv6 Access Proxy — IPv6 Server

  • IPv6 Client — IPv6 Access Proxy — IPv4 Server

  • IPv4 Client — IPv4 Access Proxy — IPv6 Server

These examples show the basic configuration for each scenario. It is assumed that the EMS fabric connector is already successfully connected.

Example 1: IPv6 Client — IPv6 Access Proxy — IPv6 Server

To configure the FortiGate:
  1. Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end

    The client uses this address to connect to the access proxy.

  3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end
  4. Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
  5. Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
  1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.

  4. In the Forward Traffic Log, the following log is available:

    3: date=2021-06-25 time=13:38:18 eventtime=1624653498459580215 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=55957 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=92406 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2031 rcvdbyte=2031 wanout=1332 lanin=1247 sentbyte=1247 lanout=950 appcat="unscanned" utmaction="allow" countweb=1 utmref=65445-0

Example 2: IPv6 Client — IPv6 Access Proxy — IPv4 Server

To configure the FortiGate:
  1. Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end
    
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end
    

    The client uses this address to connect to the access proxy.

  3. Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv4 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 172.16.200.209
                        next
                    end
                next
            end
        next
    end
  4. Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
    
  5. Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
  1. On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv4 real server.

  4. In the Forward Traffic Log, the following log is available:

    2: date=2021-06-25 time=13:46:54 eventtime=1624654014129553521 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=60530 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=219 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2028 rcvdbyte=2028 wanout=1321 lanin=1236 sentbyte=1236 lanout=947 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-14

Example 3: IPv4 Client — IPv4 Access Proxy — IPv6 Server

To configure the FortiGate:
  1. Configure the IPv4 access proxy VIP:

    config firewall vip
        edit "zv4"
            set type access-proxy
            set extip 172.18.62.66
            set extintf “any”
            set server-type https
            set extport 4443
            set ssl-certificate "cert"
        next
    end
    
  2. Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv4"
            set ssl-certificate "cert"
            set host "qa.test.com"
        next
    end
    

    The client uses this address to connect to the access proxy.

  3. Configure an IPv4 access proxy and IPv6 api-gateway, apply the VIP and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy
        edit "zs4"
            set vip "zv4"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv4"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end
    
  4. Apply the IPv4 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy "zs4"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end
    
    
  5. Apply the IPv4 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "zv4"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
    
To test the configuration:
  1. On an IPv4 client, ensure that the address qa6.test.com resolves to the IPv4 VIP address of 172.18.62.66.

  2. In a browser, connect to https://qa6.test.com:6443.

  3. After device certificate verification, the browser will open up the webpage on the IPv6 real server.

  4. In the Forward Traffic Log, the following log is available:

    1: date=2021-06-25 time=13:52:30 eventtime=1624654350689576485 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=53492 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=726 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=0 wanin=1901 rcvdbyte=1901 wanout=736 lanin=569 sentbyte=569 lanout=3040 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-28