Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiSwitch 7.2.8 Administration Guide
    7.2.8
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.9
    7.0.8
    7.0.6
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.11
    6.4.6
    6.4.5
    6.4.3
    6.4.2
    6.4.0
    6.2.5
    6.2.2
    6.2.1
    6.2.0

    IPv6 router advertisement guard

    IPv6 router advertisement guard

    IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match the criteria in the policy, they are dropped.

    The IPv6 RA-guard policy checks for the following criteria in each RA message:

    • Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
    • Whether the hop number is equal or more than the minimum hop limit
    • Whether the hop number is equal or less than the maximum hop limit
    • Whether the default router preference is set to high, medium, or low
    • Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config router access-list6 command)
    • Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config router prefix-list6 command)
    • Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a router, the other criteria in the policy are checked.

    To see which models support this feature, refer to the FortiSwitch feature matrix.

    Configuring IPv6 RA guard consists of the following steps:

    1. (Optional) Creating an IPv6 access list
    2. (Optional) Creating an IPv6 prefix list
    3. Creating an IPv6 RA-guard policy
    4. Applying the IPv6 RA-guard policy
    5. (Optional) Viewing available IPv6 RA-guard policies

    Creating an IPv6 access list

    Create an IPv6 access list if you want to specify which source IPv6 address are allowed in RA messages. When no rule in the IPv6 access list is matched, the RA messages are dropped.

    To create an IPv6 access list:

    config router access-list6

    edit <name_of_IPv6_access_list>

    set comments <string>

    config rule

    edit <rule_ID>

    set action {deny | permit}

    set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

    set exact-match {enable | disable}

    next

    end

    end

    For example:

    config router access-list6

    edit accesslist1

    set comments "IPv6 access list"

    config rule

    edit 1

    set action permit

    set prefix6 fe80::a5b:eff:fef1:95e5

    set exact-match disable

    next

    end

    end

    Creating an IPv6 prefix list

    Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages. When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

    To create an IPv6 prefix list:

    config router prefix-list6

    edit <name_of_IPv6_prefix_list>

    set comments <string>

    config rule

    edit <rule_ID>

    set action {deny | permit}

    set prefix6 {<IPv6_prefix> | any}

    set ge <0-128>

    set le <0-128>

    next

    end

    end

    For example:

    config router prefix-list6

    edit prefixlist1

    set comments "IPv6 prefix list"

    config rule

    edit 1

    set action permit

    set prefix6 any

    set ge 50

    set le 50

    next

    end

    end

    Creating an IPv6 RA-guard policy

    In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are forwarded.

    To create an IPv6 RA-guard policy:

    config switch raguard-policy

    edit <RA-guard policy name>

    set device-role {host | router}

    set managed-flag {Off | On}

    set other-flag {Off | On}

    set max-hop-limit <0-255>

    set min-hop-limit <0-255>

    set max-router-preference {high | medium | low}

    set match-src-addr <name_of_IPv6_access_list>

    set match-prefix <name_of_IPv6_prefix_list>

    next

    end

    For example:

    config switch raguard-policy

    edit RApolicy1

    set device-role router

    set managed-flag On

    set other-flag On

    set max-hop-limit 100

    set min-hop-limit 5

    set max-router-preference medium

    set match-src-addr accesslist1

    set match-prefix prefixlist1

    next

    end

    Applying the IPv6 RA-guard policy

    After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You can create and apply different policies to different VLANs.

    To apply the IPv6 RA-guard policy:

    config switch interface

    edit <interface_name>

    config raguard

    edit <ID>

    set raguard-policy <name_of_RA_guard_policy>

    set vlan-list <list_of_VLANs>

    next

    end

    end

    For example:

    config switch interface

    edit <interface_name>

    config raguard

    edit 1

    set raguard-policy RApolicy1

    set vlan-list 1

    next

    edit 2

    set raguard-policy RApolicy2

    set vlan-list 2-5

    next

    end

    end

    Viewing available IPv6 RA-guard policies

    Use the following command to list the available IPv6 RA-guard policies:

    get switch raguard-policy

    For example:

    S524DF4K15000024 # get switch raguard-policy

    == [ RApolicy1 ]

    name: RApolicy1

    Previous
    Next

    IPv6 router advertisement guard

    IPv6 router advertisement guard

    IPv6-enabled routers send router advertisement (RA) messages to neighboring hosts in the local network. To prevent the spoofing of the RA messages, RA guard inspects RA messages to see if they meet the criteria contained in an RA-guard policy. If the RA messages match the criteria in the policy, they are forwarded. If the RA messages do not match the criteria in the policy, they are dropped.

    The IPv6 RA-guard policy checks for the following criteria in each RA message:

    • Whether it has been flagged with the M (managed address configuration) flag or O (other configuration) flag
    • Whether the hop number is equal or more than the minimum hop limit
    • Whether the hop number is equal or less than the maximum hop limit
    • Whether the default router preference is set to high, medium, or low
    • Whether the source IPv6 address matches an allowed address in an IPv6 access list (created with the config router access-list6 command)
    • Whether the IPv6 address prefix matches an allowed prefix in an IPv6 prefix list (created with the config router prefix-list6 command)
    • Whether the device is a host or a router. If the device is a host, all RA messages are dropped. If the device is a router, the other criteria in the policy are checked.

    To see which models support this feature, refer to the FortiSwitch feature matrix.

    Configuring IPv6 RA guard consists of the following steps:

    1. (Optional) Creating an IPv6 access list
    2. (Optional) Creating an IPv6 prefix list
    3. Creating an IPv6 RA-guard policy
    4. Applying the IPv6 RA-guard policy
    5. (Optional) Viewing available IPv6 RA-guard policies

    Creating an IPv6 access list

    Create an IPv6 access list if you want to specify which source IPv6 address are allowed in RA messages. When no rule in the IPv6 access list is matched, the RA messages are dropped.

    To create an IPv6 access list:

    config router access-list6

    edit <name_of_IPv6_access_list>

    set comments <string>

    config rule

    edit <rule_ID>

    set action {deny | permit}

    set prefix6 {<xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx> | any}

    set exact-match {enable | disable}

    next

    end

    end

    For example:

    config router access-list6

    edit accesslist1

    set comments "IPv6 access list"

    config rule

    edit 1

    set action permit

    set prefix6 fe80::a5b:eff:fef1:95e5

    set exact-match disable

    next

    end

    end

    Creating an IPv6 prefix list

    Create an IPv6 prefix list if you want to specify which IPv6 prefixes in the RA option type 3 are allowed in RA messages. When no rule in the IPv6 prefix list is matched, the RA messages are dropped.

    To create an IPv6 prefix list:

    config router prefix-list6

    edit <name_of_IPv6_prefix_list>

    set comments <string>

    config rule

    edit <rule_ID>

    set action {deny | permit}

    set prefix6 {<IPv6_prefix> | any}

    set ge <0-128>

    set le <0-128>

    next

    end

    end

    For example:

    config router prefix-list6

    edit prefixlist1

    set comments "IPv6 prefix list"

    config rule

    edit 1

    set action permit

    set prefix6 any

    set ge 50

    set le 50

    next

    end

    end

    Creating an IPv6 RA-guard policy

    In the IPv6 RA-guard policy, you specify the criteria that RA messages must match before the RA messages are forwarded.

    To create an IPv6 RA-guard policy:

    config switch raguard-policy

    edit <RA-guard policy name>

    set device-role {host | router}

    set managed-flag {Off | On}

    set other-flag {Off | On}

    set max-hop-limit <0-255>

    set min-hop-limit <0-255>

    set max-router-preference {high | medium | low}

    set match-src-addr <name_of_IPv6_access_list>

    set match-prefix <name_of_IPv6_prefix_list>

    next

    end

    For example:

    config switch raguard-policy

    edit RApolicy1

    set device-role router

    set managed-flag On

    set other-flag On

    set max-hop-limit 100

    set min-hop-limit 5

    set max-router-preference medium

    set match-src-addr accesslist1

    set match-prefix prefixlist1

    next

    end

    Applying the IPv6 RA-guard policy

    After you create an IPv6 RA-guard policy, you need to apply it to the appropriate switch ports or trunks and VLANs. You can create and apply different policies to different VLANs.

    To apply the IPv6 RA-guard policy:

    config switch interface

    edit <interface_name>

    config raguard

    edit <ID>

    set raguard-policy <name_of_RA_guard_policy>

    set vlan-list <list_of_VLANs>

    next

    end

    end

    For example:

    config switch interface

    edit <interface_name>

    config raguard

    edit 1

    set raguard-policy RApolicy1

    set vlan-list 1

    next

    edit 2

    set raguard-policy RApolicy2

    set vlan-list 2-5

    next

    end

    end

    Viewing available IPv6 RA-guard policies

    Use the following command to list the available IPv6 RA-guard policies:

    get switch raguard-policy

    For example:

    S524DF4K15000024 # get switch raguard-policy

    == [ RApolicy1 ]

    name: RApolicy1

    Previous
    Next