ZTNA IPv6 examples
IPv6 can be configured in ZTNA in several scenarios:
- IPv6 Client — IPv6 Access Proxy — IPv6 Server
- IPv6 Client — IPv6 Access Proxy — IPv4 Server
- IPv4 Client — IPv4 Access Proxy — IPv6 Server
These examples show the basic configuration for each scenario. It is assumed that the EMS fabric connector is already successfully connected.
Example 1: IPv6 Client — IPv6 Access Proxy — IPv6 Server
To configure the FortiGate:
- Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end

- Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end

  The client uses this address to connect to the access proxy.

- Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end

- Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end

- Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
- On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.
- In a browser, connect to https://qa6.test.com:6443.
- After device certificate verification, the browser will open up the webpage on the IPv6 real server.
- In the Forward Traffic Log, the following log is available:
3: date=2021-06-25 time=13:38:18 eventtime=1624653498459580215 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=55957 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=92406 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2031 rcvdbyte=2031 wanout=1332 lanin=1247 sentbyte=1247 lanout=950 appcat="unscanned" utmaction="allow" countweb=1 utmref=65445-0
Example 2: IPv6 Client — IPv6 Access Proxy — IPv4 Server
To configure the FortiGate:
- Configure the IPv6 access proxy VIP:

    config firewall vip6
        edit "zv6"
            set type access-proxy
            set extip 2000:172:18:62::66
            set server-type https
            set extport 6443
            set ssl-certificate "cert"
        next
    end

- Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv6"
            set ssl-certificate "cert"
            set host "qa6.test.com"
        next
    end

  The client uses this address to connect to the access proxy.

- Configure an IPv6 access proxy and IPv6 api-gateway, apply the VIP6 and virtual host to it, and assign an IPv4 address to the realserver:

    config firewall access-proxy6
        edit "zs6"
            set vip "zv6"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv6"
                    config realservers
                        edit 1
                            set ip 172.16.200.209
                        next
                    end
                next
            end
        next
    end

- Apply the IPv6 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy6 "zs6"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end

- Apply the IPv6 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr6 "all"
            set dstaddr6 "zv6"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
- On an IPv6 client, ensure that the address qa6.test.com resolves to the IPv6 VIP address of 2000:172:18:62::66.
- In a browser, connect to https://qa6.test.com:6443.
- After device certificate verification, the browser will open up the webpage on the IPv4 real server.
- In the Forward Traffic Log, the following log is available:
2: date=2021-06-25 time=13:46:54 eventtime=1624654014129553521 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=2000:10:1:100::214 srcport=60530 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=172.16.200.209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=219 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=5 wanin=2028 rcvdbyte=2028 wanout=1321 lanin=1236 sentbyte=1236 lanout=947 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-14
Example 3: IPv4 Client — IPv4 Access Proxy — IPv6 Server
To configure the FortiGate:
- Configure the IPv4 access proxy VIP:

    config firewall vip
        edit "zv4"
            set type access-proxy
            set extip 172.18.62.66
            set extintf "any"
            set server-type https
            set extport 4443
            set ssl-certificate "cert"
        next
    end

- Configure a virtual host:

    config firewall access-proxy-virtual-host
        edit "vhost_ipv4"
            set ssl-certificate "cert"
            set host "qa.test.com"
        next
    end

  The client uses this address to connect to the access proxy.

- Configure an IPv4 access proxy and IPv6 api-gateway, apply the VIP and virtual host to it, and assign an IPv6 address to the realserver:

    config firewall access-proxy
        edit "zs4"
            set vip "zv4"
            config api-gateway6
                edit 1
                    set virtual-host "vhost_ipv4"
                    config realservers
                        edit 1
                            set ip 2000:172:16:200::209
                        next
                    end
                next
            end
        next
    end

- Apply the IPv4 access proxy to a proxy policy:

    config firewall proxy-policy
        edit 1
            set name "ztna_rule"
            set proxy access-proxy
            set access-proxy "zs4"
            set srcintf "port2"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set logtraffic all
            set srcaddr6 "all"
            set dstaddr6 "all"
            set utm-status enable
            set ssl-ssh-profile "custom-deep-inspection"
            set webfilter-profile "monitor-all"
        next
    end

- Apply the IPv4 VIP to a firewall policy:

    config firewall policy
        edit 4
            set name "ZTNA"
            set srcintf "port2"
            set dstintf "any"
            set action accept
            set srcaddr "all"
            set dstaddr "zv4"
            set schedule "always"
            set service "ALL"
            set inspection-mode proxy
            set logtraffic all
            set nat enable
        next
    end
To test the configuration:
- On an IPv4 client, ensure that the address qa6.test.com resolves to the IPv4 VIP address of 172.18.62.66.
- In a browser, connect to https://qa6.test.com:6443.
- After device certificate verification, the browser will open up the webpage on the IPv6 real server.
- In the Forward Traffic Log, the following log is available:
1: date=2021-06-25 time=13:52:30 eventtime=1624654350689576485 tz="-0700" logid="0000000024" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.1.100.206 srcport=53492 srcintf="port2" srcintfrole="undefined" dstcountry="Reserved" srccountry="Reserved" dstip=2000:172:16:200::209 dstport=443 dstintf="root" dstintfrole="undefined" sessionid=726 service="HTTPS" proto=6 action="accept" policyid=1 policytype="proxy-policy" poluuid="7afdac8c-d5db-51eb-dfc6-67bb86e4bdcf" policyname="ztna_rule" duration=0 wanin=1901 rcvdbyte=1901 wanout=736 lanin=569 sentbyte=569 lanout=3040 appcat="unscanned" utmaction="allow" countweb=1 utmref=65443-28
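The three Forward Traffic Log entries above are the evidence that each session was accepted by the ZTNA proxy policy rather than by an ordinary firewall policy, and the srcip/dstip fields show the address-family change the access proxy performs between client and real server. The following added example, which is not part of this document or of FortiOS, parses FortiGate key=value log entries and labels each proxy-policy hit with its client-to-server IP version path; the sample entries are abridged copies of the three logs above, and the policy name ztna_rule is taken from the configuration.

```python
import ipaddress
import re

# Abridged copies of the three Forward Traffic Log entries shown above;
# only the fields this check needs were kept.
SAMPLE_LOGS = [
    '3: date=2021-06-25 time=13:38:18 srcip=2000:10:1:100::214 srcport=55957 '
    'dstip=2000:172:16:200::209 dstport=443 service="HTTPS" action="accept" '
    'policyid=1 policytype="proxy-policy" policyname="ztna_rule" utmaction="allow"',
    '2: date=2021-06-25 time=13:46:54 srcip=2000:10:1:100::214 srcport=60530 '
    'dstip=172.16.200.209 dstport=443 service="HTTPS" action="accept" '
    'policyid=1 policytype="proxy-policy" policyname="ztna_rule" utmaction="allow"',
    '1: date=2021-06-25 time=13:52:30 srcip=10.1.100.206 srcport=53492 '
    'dstip=2000:172:16:200::209 dstport=443 service="HTTPS" action="accept" '
    'policyid=1 policytype="proxy-policy" policyname="ztna_rule" utmaction="allow"',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line):
    """Parse one FortiGate key=value log entry into a dict, dropping the quotes.
    The 'N: ' index the CLI prints in front of each entry has no '=' and is skipped."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v in FIELD_RE.findall(line)}

def address_families(fields):
    """Return e.g. 'IPv6->IPv4' from the srcip/dstip families of one entry. The
    access proxy terminates the client session and opens its own to the real
    server, which is why the two sides may be different IP versions."""
    src = ipaddress.ip_address(fields["srcip"])
    dst = ipaddress.ip_address(fields["dstip"])
    return "IPv%d->IPv%d" % (src.version, dst.version)

def is_ztna_proxy_hit(fields, policyname="ztna_rule"):
    """True when the session was accepted by the named ZTNA proxy policy rather
    than by an ordinary firewall policy (whose policytype would be 'policy')."""
    return (fields.get("policytype") == "proxy-policy"
            and fields.get("policyname") == policyname
            and fields.get("action") == "accept")

def summarize(lines):
    """(srcip, dstip, path) for every entry that is a ZTNA proxy-policy hit."""
    result = []
    for line in lines:
        f = parse_fortigate_log(line)
        if is_ztna_proxy_hit(f):
            result.append((f["srcip"], f["dstip"], address_families(f)))
    return result
```

Run `summarize()` over an exported Forward Traffic Log to confirm that every ZTNA session you expect shows policytype proxy-policy and the intended client/server address families.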