Administration Guide

IPv6 quick start

This section provides an introduction to setting up a few basic IPv6 settings on the FortiGate. See Basic administration for more information about basic FortiGate administration.

Note: This chapter provides instructions for basic IPv6 configuration that should work in most cases, regardless of whether the device has an existing IPv4 configuration or is a new FortiGate device.

The topics covered in this section include:

Before starting, make sure to enable the IPv6 feature.

To enable IPv6 in the GUI:
  1. Go to System > Feature Visibility.

  2. Under Core Features, enable IPv6.

  3. Click Apply.

Configuring an interface

To configure an interface in the GUI:
  1. Go to Network > Interfaces.

  2. Select an interface and click Edit.

  3. In the Address section, enter the IPv6 Address/Prefix.

  4. In the Administrative Access section, select the IPv6 access options as needed (such as PING, HTTPS, and SSH).

  5. Click OK.

To configure an interface in the CLI:
config system interface
    edit <interface name>
        config ipv6
            set ip6-address <IPv6 prefix>
            set ip6-allowaccess {ping | https | ssh | snmp | http | telnet | fgfm | fabric}
        end
    next
end
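
The following is an added example, not part of Fortinet's guide: a short Python check that reads a configuration in the CLI syntax above and reports interfaces whose ip6-allowaccess includes the unencrypted http or telnet options. The sample configuration, port names and 2001:db8:: addresses are constructed for illustration.

```python
# Constructed sample in the CLI syntax shown above; the port names and the
# 2001:db8::/32 documentation prefix are illustrative, not from a real device.
SAMPLE_CONFIG = """
config system interface
    edit "port1"
        config ipv6
            set ip6-address 2001:db8:0:1::1/64
            set ip6-allowaccess ping https ssh
        end
    next
    edit "port2"
        config ipv6
            set ip6-address 2001:db8:0:2::1/64
            set ip6-allowaccess ping http telnet
        end
    next
end
"""

CLEARTEXT = {"http", "telnet"}  # admin protocols that are not encrypted in transit


def ipv6_admin_access(config_text):
    """Map each interface name to its list of ip6-allowaccess values."""
    stack, iface, access = [], None, {}
    for raw in config_text.splitlines():
        tok = [t.strip('"') for t in raw.split()]
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))   # track nested config blocks
        elif tok[0] == "end" and stack:
            stack.pop()
        elif tok[0] == "edit" and stack[-1:] == ["system interface"]:
            iface = tok[1]                    # interface currently being edited
        elif tok[:2] == ["set", "ip6-allowaccess"] and stack[-2:] == ["system interface", "ipv6"]:
            access[iface] = tok[2:]
    return access


def cleartext_findings(config_text):
    """Return {interface: cleartext protocols allowed for IPv6 admin access}."""
    access = ipv6_admin_access(config_text)
    return {i: sorted(CLEARTEXT & set(p)) for i, p in access.items() if CLEARTEXT & set(p)}


if __name__ == "__main__":
    print(cleartext_findings(SAMPLE_CONFIG))
```

Matching on the innermost block names means the check still works when the interface section is nested inside an outer config block.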

Configuring the default route

Setting the default route enables basic routing to allow the FortiGate to return traffic to sources that are not directly connected. The gateway address should be your existing router or L3 switch that the FortiGate is connected to. Set the interface to be the interface the gateway is connected to.

To configure the default route in the GUI:
  1. Go to Network > Static Routes.

  2. Click Create New > IPv6 Static Route.

  3. Leave the Destination prefix as ::/0. This is known as a default route, since it would match any IPv6 address.

  4. Enter the Gateway Address.

  5. Select an Interface.

  6. Click OK.

To configure the default route in the CLI:
config router static6
    edit 0
        set gateway <IPv6 address>
        set device <interface name>
    next
end

Configuring the DNS

To configure the IPv6 DNS servers in the GUI:
  1. Go to Network > DNS.

  2. Under IPv6 DNS Settings, configure the primary and secondary DNS servers as needed.

  3. Click Apply.

To configure the IPv6 DNS servers in the CLI:
config system dns
    set ip6-primary <IPv6 address>
    set ip6-secondary <IPv6 address>
end

Configuring the address object

Addresses define the sources and destinations of network traffic and can be used in many functions, such as firewall policies and ZTNA. When creating an IPv6 address object, several different types of addresses can be specified, similar to IPv4 addresses. See Address Types for more information.

To configure an IPv6 address in the GUI:
  1. Go to Policy & Objects > Addresses.

  2. Select Create New > Address.

  3. In the Category field, select IPv6 Address.

  4. Enter a Name for the address object.

  5. In the Type field, select one of the types from the dropdown menu.

  6. Configure the rest of the settings as required.

  7. Click OK.

To configure an IPv6 address in the CLI:
config firewall address6
    edit <name>
        set type {ipprefix | iprange | fqdn | geography | dynamic | template | mac | route-tag}
    next
end

Configuring the address group

Address groups are designed for ease of use in the administration of the device. See Address group for more information.

To create an address group:
  1. Go to Policy & Objects > Addresses.

  2. Go to Create New > Address Group.

  3. In the Category field, select IPv6 Group.

  4. Enter a Group name for the address object.

  5. Select the + in the Members field. The Select Entries pane opens.

  6. Select members of the group. It is possible to select more than one entry. Select the x icon in the field to remove an entry.

  7. Enter any additional information in the Comments field.

  8. Click OK.

To configure an address group in the CLI:
config firewall addrgrp6
    edit <name>
        set member <name>
    next
end

Configuring the firewall policy

A firewall policy must be in place for any traffic that passes through a FortiGate. See Firewall policy for more information.

To create a firewall policy in the GUI:
  1. Go to Policy & Objects > Firewall Policy.

  2. Enter a Name and configure the following necessary settings:

    Incoming Interface    Incoming (ingress) interface
    Outgoing Interface    Outgoing (egress) interface
    Source                Source IPv6 address name and address group names
    Destination           Destination IPv6 address name and address group names
    Schedule              Schedule name
    Service               Service and service group names
    Action                Policy action

To configure a firewall policy in the CLI:
config firewall policy
    edit <policyid>
        set srcintf <name>
        set dstintf <name>
        set action {accept | deny}
        set srcaddr6 <name>
        set dstaddr6 <name>
        set schedule <name>
        set service <name>
    next
end

See IPv6 quick start example for a sample configuration.
