IPv6 feature parity with IPv4 static and policy routes 7.2.1

This enhancement introduces options in IPv6 static and policy routes for parity with IPv4 static and policy routes.

config router static6
    edit <seq-num>
        set dstaddr <string>
        set weight <integer>  
    next
end

dstaddr <string>

Enter the name of the firewall address or address group.

weight <integer>

Set the administrative weight (0 - 255, default = 0).

config router policy6
    edit <seq-num>
        set srcaddr <string>
        set dstaddr <string>
        set action {deny | permit}
        set input-device-negate {enable | disable}
        set src-negate {enable | disable}
        set dst-negate {enable | disable}
    next
end

srcaddr <string>

Enter the source address name.

dstaddr <string>

Enter the destination address name.

action {deny | permit}

Set the action of the policy route:

  • deny: do not search the policy route table.
  • permit: use this policy route for forwarding.

input-device-negate {enable | disable}

Enable/disable negating input device match.

src-negate {enable | disable}

Enable/disable negating source address match.

dst-negate {enable | disable}

Enable/disable negating destination address match.

To configure an IPv6 static route:

config router static6
    edit 10
        set gateway 2000:172:16:200::2
        set device "port1"
        set weight 50
        set dstaddr "2021"
    next
end

To verify the IPv6 static routing table:

# get router info6 routing-table static
Routing table for VRF=0
S       2000:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]
S       2001:2:2:2::/64 [10/0] via 2000:172:16:200::2, port1, 00:00:03, [1024/50]

To configure an IPv6 policy route:

config router policy6
    edit 1
        set input-device "port2"
        set input-device-negate enable
        set srcaddr "222" "2000" "20fqdn" "2021"
        set src-negate enable
        set dst "3333::33/128"
        set gateway 2000:172:16:203::2
        set output-device "agg1"
    next
end
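
The negate options invert a selector, so a policy route with one enabled matches everything except the named interface or addresses, which is easy to miss in review. The Python sketch below is an added example, not Fortinet's code: it parses a config router policy6 block and reports, per entry, the action and every selector whose match is inverted. The sample is an abridged copy of the entry above plus a constructed entry 2; the pairing of negate options to selectors and the permit default are assumptions.

```python
import shlex

# Constructed sample: entry 1 abridged from this page, entry 2 hypothetical.
SAMPLE = '''
config router policy6
    edit 1
        set input-device "port2"
        set input-device-negate enable
        set srcaddr "222" "2000" "20fqdn" "2021"
        set src-negate enable
    next
    edit 2
        set dstaddr "2021"
        set action deny
    next
end
'''

# negate option -> selectors it inverts (pairing assumed from the option names)
NEGATES = {"input-device-negate": ("input-device",),
           "src-negate": ("srcaddr", "src"),
           "dst-negate": ("dstaddr", "dst")}

def parse_policy6(text):
    """Return {seq_num: {option: [values]}} for the 'config router policy6' block."""
    entries, current, in_block = {}, None, False
    for raw in text.splitlines():
        tok = shlex.split(raw)  # handles the quoted multi-value lists
        if tok[:3] == ["config", "router", "policy6"]:
            in_block = True
        elif not in_block or not tok:
            continue
        elif tok[0] == "edit":
            current = entries.setdefault(int(tok[1]), {})
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = tok[2:]
        elif tok[0] == "end":
            in_block = False
    return entries

def audit(entries):
    """Per entry: the action and each selector whose match is inverted."""
    report = {}
    for seq, opts in sorted(entries.items()):
        inverted = {f: [v for s in sel for v in opts.get(s, [])]
                    for f, sel in NEGATES.items() if opts.get(f) == ["enable"]}
        action = opts.get("action", ["permit"])[0]  # default assumed to be permit
        report[seq] = {"action": action, "inverted": inverted}
    return report
```
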

To verify the IPv6 policy routing table:

# diagnose firewall proute list
list route policy info(vf=root):

id=1 dscp_tag=0xfc 0xfc flags=0x4 deny tos=0x00 tos_mask=0x00 protocol=6 sport=2-22 iif=72(ipip_A_D) 30(l2t.root) dport=3-33 path(0)
source(1): 10.1.1.1-10.1.1.11
destination(2): 10.100.22.0-10.100.22.255 10.100.2.22-10.100.2.22
source wildcard(2): 22.2.2.2/255.255.255.255 22.2.2.22/255.255.255.255
destination wildcard(2): 33.3.3.3/255.255.255.255 33.3.3.33/255.255.255.255
internet service(3): Act-on-DNS(5242883,0,0,0,0) Act-on-FTP(5242887,0,0,0,0) Act-on-ICMP(5242882,0,0,0,0)
hit_count=3 last_used=2022-06-28 11:05:25
