Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.2.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    IPv6 feature parity with IPv4 static and policy routes 7.2.1

    IPv6 feature parity with IPv4 static and policy routes 7.2.1

    This enhancement introduces options in IPv6 static and policy routes for parity with IPv4 static and policy routes.

    config router static6
    edit <seq-num>
        set dstaddr <string>
        set weight <integer>  
    next
end

    dstaddr <string>

    Enter the name of the firewall address or address group.

    weight <integer>

    Set the administrative weight (0 - 255, default = 0).

    		 
    config router policy6
    edit <seq-num>
        set srcaddr <string>
        set dstaddr <string>
        set action {deny | permit}
        set input-device-negate {enable | disable}
        set src-negate {enable | disable}
        set dst-negate {enable | disable}
    next
end

    srcaddr <string>

    Enter the source address name.

    dstaddr <string>

    Enter the destination address name.

    action {deny | permit}

    Set the action of the policy route:

    • deny: do not search the policy route table.
    • permit: use this policy route for forwarding.

    input-device-negate {enable | disable}

    Enable/disable negating input device match.

    src-negate {enable | disable}

    Enable/disable negating source address match.

    dst-negate {enable | disable}

    Enable/disable negating destination address match.
    To configure an IPv6 static route:
    config router static6
    edit 10
        set gateway 2000:172:16:200::2
        set device "port1"
        set weight 50
        set dstaddr "2021"
    next
end
    To verify the IPv6 static routing table:
    # get router info6 routing-table static
Routing table for VRF=0
S       2000:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]
S       2001:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]
    To configure an IPv6 policy route:
    config router policy6
    edit 1
        set input-device "port2"
        set input-device-negate enable
        set srcaddr "222" "2000" "20fqdn" "2021"
        set src-negate enable
        set dst "3333::33/128"
        set gateway 2000:172:16:203::2
        set output-device "agg1"
    next
end
    To verify the IPv6 policy routing table:
    # diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xfc 0xfc flags=0x4 deny tos=0x00 tos_mask=0x00 protocol=6 sport=2-22 iif=72(ipip_A_D) 30(l2t.root) dport=3-33 path(0)
source(1): 10.1.1.1-10.1.1.11
destination(2): 10.100.22.0-10.100.22.255 10.100.2.22-10.100.2.22
source wildcard(2): 22.2.2.2/255.255.255.255 22.2.2.22/255.255.255.255
destination wildcard(2): 33.3.3.3/255.255.255.255 33.3.3.33/255.255.255.255
internet service(3): Act-on-DNS(5242883,0,0,0,0) Act-on-FTP(5242887,0,0,0,0) Act-on-ICMP(5242882,0,0,0,0)
hit_count=3 last_used=2022-06-28 11:05:25
    Previous
    Next

    IPv6 feature parity with IPv4 static and policy routes 7.2.1

    IPv6 feature parity with IPv4 static and policy routes 7.2.1

    This enhancement introduces options in IPv6 static and policy routes for parity with IPv4 static and policy routes.

    config router static6
    edit <seq-num>
        set dstaddr <string>
        set weight <integer>  
    next
end

    dstaddr <string>

    Enter the name of the firewall address or address group.

    weight <integer>

    Set the administrative weight (0 - 255, default = 0).

    		 
    config router policy6
    edit <seq-num>
        set srcaddr <string>
        set dstaddr <string>
        set action {deny | permit}
        set input-device-negate {enable | disable}
        set src-negate {enable | disable}
        set dst-negate {enable | disable}
    next
end

    srcaddr <string>

    Enter the source address name.

    dstaddr <string>

    Enter the destination address name.

    action {deny | permit}

    Set the action of the policy route:

    • deny: do not search the policy route table.
    • permit: use this policy route for forwarding.

    input-device-negate {enable | disable}

    Enable/disable negating input device match.

    src-negate {enable | disable}

    Enable/disable negating source address match.

    dst-negate {enable | disable}

    Enable/disable negating destination address match.
    To configure an IPv6 static route:
    config router static6
    edit 10
        set gateway 2000:172:16:200::2
        set device "port1"
        set weight 50
        set dstaddr "2021"
    next
end
    To verify the IPv6 static routing table:
    # get router info6 routing-table static
Routing table for VRF=0
S       2000:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]
S       2001:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]
    To configure an IPv6 policy route:
    config router policy6
    edit 1
        set input-device "port2"
        set input-device-negate enable
        set srcaddr "222" "2000" "20fqdn" "2021"
        set src-negate enable
        set dst "3333::33/128"
        set gateway 2000:172:16:203::2
        set output-device "agg1"
    next
end
    To verify the IPv6 policy routing table:
    # diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xfc 0xfc flags=0x4 deny tos=0x00 tos_mask=0x00 protocol=6 sport=2-22 iif=72(ipip_A_D) 30(l2t.root) dport=3-33 path(0)
source(1): 10.1.1.1-10.1.1.11
destination(2): 10.100.22.0-10.100.22.255 10.100.2.22-10.100.2.22
source wildcard(2): 22.2.2.2/255.255.255.255 22.2.2.22/255.255.255.255
destination wildcard(2): 33.3.3.3/255.255.255.255 33.3.3.33/255.255.255.255
internet service(3): Act-on-DNS(5242883,0,0,0,0) Act-on-FTP(5242887,0,0,0,0) Act-on-ICMP(5242882,0,0,0,0)
hit_count=3 last_used=2022-06-28 11:05:25
    Previous
    Next