Administration Guide

IPv6 MAC addresses and usage in firewall policies

Users can define IPv6 MAC addresses that can be applied to the following policies:

  • Firewall
  • Virtual wire pair
  • ACL/DoS
  • Central NAT
  • NAT64
  • Local-in

In FortiOS, you can configure a firewall address object with a single MAC, wildcard MAC, multiple MACs, or a MAC range. In this example, a firewall policy is configured in a NAT mode VDOM with the IPv6 MAC address as a source address.

Note

IPv6 MAC addresses cannot be used as destination addresses in VDOMs when in NAT operation mode.

To configure IPv6 MAC addresses in a policy in the GUI:
  1. Create the MAC address:
    1. Go to Policy & Objects > Addresses and click Create New > Address.
    2. For Category, select IPv6 Address.
    3. Enter an address name.
    4. For Type, select Device (MAC Address).
    5. Enter the MAC address.
    6. Click OK.
  2. Configure the policy:
    1. Go to Policy & Objects > Firewall Policy and click Create New.
    2. For Source, select the IPv6 MAC address object.
    3. Configure the other settings as needed.
    4. Click OK.
To configure IPv6 MAC addresses in a policy in the CLI:
  1. Create the MAC address:
    config firewall address6
        edit "test-ipv6-mac-addr-1"
            set type mac
            set macaddr 00:0c:29:b5:92:8d
        next
    end
  2. Configure the policy:
    config firewall policy
        edit 2
            set srcintf "wan2"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "test-ipv6-mac-addr-1" "2000-10-1-100-0"
            set dstaddr6 "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set logtraffic all
            set auto-asic-offload disable
            set nat enable
        next
    end
