IPv6 Features

In order to configure IPv6 features using the web-based manager, IPv6 must be enabled using Feature Select. Go to System > Config > Features, enable IPv6, and click Apply.

The following IPv6 features are available from the FortiOS web manager:

  • IPv6 policies
  • IPv6 Network Address Translation
  • ICMPv6
  • IPv6 in dynamic routing
  • Dual stack routing
  • IPv6 tunnelling
  • SIP over IPv6
  • New Fortinet FortiGate IPv6 MIB fields
  • IPv6 Per-IP traffic shaper
  • DHCPv6
  • IPv6 forwarding
  • Obtaining IPv6 addresses from an IPv6 DHCP server

 

IPv6 policies

IPv6 security policies are created both for a native IPv6 network and for a transitional network. A transitional network is one that is moving to IPv6 but must still reach the Internet or connect over an IPv4 network.

These policies allow that specific type of traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies are hidden by default; you must enable them under System > Config > Features before they appear in the web-based manager.

 

IPv6 policy routing

IPv6 policy routing functions in the same way as IPv4 policy routing: policy routes are consulted in order before the regular routing table, and the first matching entry decides the gateway and outgoing interface. To add an IPv6 policy route, go to Network > Policy Routes and select Create New > IPv6 Policy Route.

 

Adding an IPv6 Policy route

You can also use the following command to add IPv6 policy routes:

 

config router policy6
    edit 0
        set input-device <interface>
        set src <ipv6_ip>
        set dst <ipv6_ip>
        set protocol <0-255>
        set gateway <ipv6_ip>
        set output-device <interface>
        set tos <bit_pattern>
        set tos-mask <bit_mask>
    next
end
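To make the matching rules behind those fields concrete, the following is an added Python model of how an ordered list of `policy6` entries is evaluated. It is example code written for this page, not FortiGate code. The route list and packets are constructed sample data, and the ToS comparison (only the bits set in tos-mask are compared) is an assumption about FortiOS behaviour that you should confirm on your own unit.

```python
"""Model of FortiOS IPv6 policy-route matching (added example, not FortiGate code).

Each Policy6 mirrors the fields of `config router policy6`. Entries are tried in
sequence order and the first match decides gateway/output-device; no match means
the packet falls through to the regular routing table.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Policy6:
    seq: int
    input_device: str
    src: str = "::/0"
    dst: str = "::/0"
    protocol: int = 0        # 0 = any protocol
    tos: int = 0
    tos_mask: int = 0        # 0 = do not evaluate ToS
    gateway: str = "::"
    output_device: str = ""


@dataclass
class Packet6:
    in_device: str
    src: str
    dst: str
    protocol: int
    tos: int = 0


def matches(route: Policy6, pkt: Packet6) -> bool:
    """True if the packet satisfies every field the route constrains."""
    if route.input_device != pkt.in_device:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(route.src, strict=False):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(route.dst, strict=False):
        return False
    if route.protocol and route.protocol != pkt.protocol:
        return False
    # Assumption: only the bits selected by tos-mask are compared, so ECN bits
    # outside the mask do not defeat a DSCP match.
    if route.tos_mask and (pkt.tos & route.tos_mask) != (route.tos & route.tos_mask):
        return False
    return True


def lookup(routes, pkt: Packet6) -> Optional[Policy6]:
    """Return the first matching policy route, or None (use the routing table)."""
    for route in sorted(routes, key=lambda r: r.seq):
        if matches(route, pkt):
            return route
    return None


# Constructed sample: TCP (protocol 6) from the client subnet marked DSCP EF
# (0xb8, mask 0xfc) leaves via wan2; everything else from that subnet via wan1.
ROUTES = [
    Policy6(1, "internal", src="2001:db8:1::/64", protocol=6, tos=0xB8, tos_mask=0xFC,
            gateway="2001:db8:ffff:2::1", output_device="wan2"),
    Policy6(2, "internal", src="2001:db8:1::/64",
            gateway="2001:db8:ffff:1::1", output_device="wan1"),
]

if __name__ == "__main__":
    voice = Packet6("internal", "2001:db8:1::10", "2001:db8:2::80", 6, tos=0xB8)
    web = Packet6("internal", "2001:db8:1::10", "2001:db8:2::80", 6, tos=0x00)
    print(lookup(ROUTES, voice).output_device)  # wan2
    print(lookup(ROUTES, web).output_device)    # wan1
```

The ordering point is the one that bites in practice: a broad entry placed before a specific one hides it, exactly as in the IPv4 case.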

 

IPv6 security policies

IPv6 security policies support all the features supported by IPv4 security policies:

  • Policy types and subtypes.
  • NAT support including using the destination interface IP address, fixed port, and dynamic IP pools.
  • All security features (antivirus, web filtering, application control, IPS, email filtering, DLP, VoIP, and ICAP).
  • All traffic shaping options, including: shared traffic shaping, reverse shared traffic shaping, and per-IP traffic shaping.
  • All user and device authentication options.

 

 

IPv6 explicit web proxy

You can use the explicit web proxy for IPv6 traffic. To do this you need to:

  • Enable the IPv6 explicit web proxy from the CLI.
  • Enable the explicit web proxy for one or more FortiGate interfaces. These interfaces also need IPv6 addresses.
  • Add IPv6 web proxy security policies to allow the explicit web proxy to accept IPv6 traffic.

Use the following steps to set up a FortiGate unit to accept IPv6 traffic for the explicit web proxy at the Internal interface and forward IPv6 explicit proxy traffic out the wan1 interface to the Internet.

1. Enter the following CLI command to enable the IPv6 explicit web proxy:

config web-proxy explicit
    set status enable
    set ipv6-status enable
end

2. Go to Network > Interfaces and edit the internal interface, select Enable Explicit Web Proxy and select OK.

3. Go to Policy & Objects > Explicit Proxy Policy and select Create New to add an IPv6 explicit web proxy security policy with the settings described below (the original figure showing the settings is not reproduced here).

This IPv6 explicit web proxy policy allows traffic from all IPv6 IP addresses to connect through the explicit web proxy and through the wan1 interface to any IPv6 addresses that are accessible from the wan1 interface.

If you have enabled both the IPv4 and the IPv6 explicit web proxy, you can combine IPv4 and IPv6 addresses in a single explicit web proxy policy to allow both IPv4 and IPv6 traffic through the proxy.

 

 

Restricting the IP address of the explicit IPv6 web proxy

You can use the following command to restrict access to the IPv6 explicit web proxy to a single IPv6 address. The IPv6 address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IPv6 addresses, so that clients cannot reach the proxy on the other addresses.

For example, to require users to connect to the IPv6 address 2001:db8:0:2::30 to connect to the explicit IPv6 HTTP proxy, use the following command:

config web-proxy explicit
    set incoming-ipv6 2001:db8:0:2::30
end

 

Restricting the outgoing source IP address of the IPv6 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IPv6 address. The IP address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IPv6 addresses.

For example, to restrict the outgoing packet source address to 2001:db8:0:2::50:

config web-proxy explicit
    set outgoing-ip6 2001:db8:0:2::50
end
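Both restrictions above carry the same constraint: the address must belong to an interface that has the explicit web proxy enabled, and none of it matters unless ipv6-status is enabled. The following is an added Python linter that checks a FortiOS-style configuration for exactly those conditions before it is pushed. It is example code for this page, not Fortinet code; the parser handles only the config/edit/set/next/end subset used in the constructed sample, and the interface block layout (explicit-web-proxy, config ipv6 / ip6-address) is taken from the FortiOS CLI.

```python
"""Lint the explicit IPv6 web proxy settings of a FortiOS-style config
(added example, not Fortinet code). Encodes the handbook's rules:
 - incoming-ipv6 / outgoing-ip6 must be an IPv6 address of an interface
   on which the explicit web proxy is enabled;
 - ipv6-status (and status) must be enabled for IPv6 proxying to work.
"""
import ipaddress
import shlex


def parse_config(text):
    """Parse config/edit/set/next/end lines into nested dicts.

    `config a b` and `edit "x"` open a nested dict; `set k v...` stores the
    argument list; `next`/`end` close the current level.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        key, args = tokens[0], tokens[1:]
        if key in ("config", "edit"):
            child = stack[-1].setdefault(" ".join(args), {})
            stack.append(child)
        elif key == "set":
            stack[-1][args[0]] = args[1:]
        elif key in ("next", "end"):
            stack.pop()
    return root


def proxy_interface_addresses(cfg):
    """IPv6 addresses of every interface with explicit-web-proxy enabled."""
    addrs = set()
    for iface in cfg.get("system interface", {}).values():
        if iface.get("explicit-web-proxy") != ["enable"]:
            continue
        for a in iface.get("ipv6", {}).get("ip6-address", []):
            addrs.add(ipaddress.ip_interface(a).ip)
    return addrs


def lint_explicit_proxy(text):
    """Return a list of problems; an empty list means the config is consistent."""
    cfg = parse_config(text)
    proxy = cfg.get("web-proxy explicit", {})
    problems = []
    bound = {k: proxy[k][0] for k in ("incoming-ipv6", "outgoing-ip6") if k in proxy}
    if proxy.get("status") != ["enable"]:
        problems.append("explicit web proxy status is not enabled")
    if bound and proxy.get("ipv6-status") != ["enable"]:
        problems.append("ipv6-status is not enabled; IPv6 proxy address settings have no effect")
    allowed = proxy_interface_addresses(cfg)
    for key, value in bound.items():
        if ipaddress.ip_address(value) not in allowed:
            problems.append(f"{key} {value} is not an address of an interface "
                            "with explicit-web-proxy enabled")
    return problems


# Constructed sample config: proxy enabled on internal only.
INTERFACES = """
config system interface
    edit "internal"
        set explicit-web-proxy enable
        config ipv6
            set ip6-address 2001:db8:0:2::30/64
        end
    next
    edit "wan1"
        config ipv6
            set ip6-address 2001:db8:0:1::1/64
        end
    next
end
"""
SAMPLE_OK = INTERFACES + """
config web-proxy explicit
    set status enable
    set ipv6-status enable
    set incoming-ipv6 2001:db8:0:2::30
end
"""
# Wrong: ipv6-status missing, and the address belongs to wan1 (no proxy there).
SAMPLE_BAD = INTERFACES + """
config web-proxy explicit
    set status enable
    set incoming-ipv6 2001:db8:0:1::1
end
"""

if __name__ == "__main__":
    print(lint_explicit_proxy(SAMPLE_OK))   # []
    for p in lint_explicit_proxy(SAMPLE_BAD):
        print("problem:", p)
```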

 

VIP64

VIP64 objects configure a static NAT virtual IP that maps an external IPv6 address (or range) to an internal IPv4 address (or range), so that IPv6 clients can reach an IPv4 server through the FortiGate; a VIP64 is then used as the destination address of a policy64. VIP64 can be configured from the CLI using the following commands (see the table below for variable details):

 

config firewall vip64
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv6>[-<address_ipv6>]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
    next
end

 

VIP64 CLI Variables and Defaults

<name_str>
    Enter the name of this virtual IP address.
    Default: No default.

arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address. Because the external side of a VIP64 is IPv6, the replies in practice are IPv6 Neighbor Discovery responses, the IPv6 equivalent of ARP; the option keeps the arp-reply name.
    Default: enable

color <color_int>
    Enter the number of the color to use for the group icon in the web-based manager.
    Default: 0

comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: No default.

extip <address_ipv6>[-<address_ipv6>]
    Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to ::.
    Default: ::

extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network. This option only appears if portforward is enabled.
    If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    Default: 0

id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 – 65535.
    Default: No default.

mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    After saving, confirm the external range the unit actually calculated with show firewall vip64, so that no unintended external IPv6 addresses are answered for.
    Default: 0.0.0.0

mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you add a mapped port range the FortiGate unit calculates the external port number range.
    Default: 0

portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable

src-filter <addr_str>
    Enter a source address filter. Because the external side of a VIP64 is IPv6, each address must be in the form of an IPv6 subnet (x:x:x:x:x:x:x:x/n). Separate addresses with spaces.
    Default: null

VIP46

VIP46 objects configure a static NAT virtual IP that maps an external IPv4 address (or range) to an internal IPv6 address (or range), so that IPv4 clients can reach an IPv6 server through the FortiGate; a VIP46 is then used as the destination address of a policy46. VIP46 can be configured from the CLI using the following commands (see the table below for variable details):

config firewall vip46
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv4>[-<address_ipv4>]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv6>-<end_ipv6>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
    next
end

 

VIP46 CLI Variables and Defaults

<name_str>
    Enter the name of this virtual IP address.
    Default: No default.

arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address.
    Default: enable

color <color_int>
    Enter the number of the color to use for the group icon in the web-based manager.
    Default: 0

comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: No default.

extip <address_ipv4>[-<address_ipv4>]
    Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.
    Default: 0.0.0.0

extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network. This option only appears if portforward is enabled.
    If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    Default: 0

id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 – 65535.
    Default: No default.

mappedip [<start_ipv6>-<end_ipv6>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    After saving, confirm the external range the unit actually calculated with show firewall vip46.
    Default: ::

mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you add a mapped port range the FortiGate unit calculates the external port number range.
    Default: 0

portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable

src-filter <addr_str>
    Enter a source address filter. Because the external side of a VIP46 is IPv4, each address must be in the form of an IPv4 subnet (x.x.x.x/n). Separate addresses with spaces.
    Default: null
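The VIP64 and VIP46 tables above describe the same two derived values: the external address range the unit calculates from a single extip plus a mappedip range, and the external port range it calculates from a single extport plus a mappedport range. The following is an added Python helper that performs those calculations ahead of time so the resulting ranges can be reviewed before the object is created, and that checks src-filter entries against the address family of the VIP's external side (IPv6 for VIP64, IPv4 for VIP46). It is example code for this page, not Fortinet code, and it reproduces the rules as the tables state them; the sample values are constructed.

```python
"""Pre-compute the ranges a FortiGate derives for a VIP64 or VIP46
(added example, not Fortinet code), following the rules in the CLI tables:
 - single extip + mappedip range  -> equal-sized external range (one-to-one);
 - single extport + mappedport range (portforward enabled) -> equal-sized
   external port range;
 - extip :: / 0.0.0.0 is a dynamic VIP that accepts any destination;
 - src-filter entries must match the address family of the external side.
"""
import ipaddress

EXT_VERSION = {"vip64": 6, "vip46": 4}   # external side; mapped side is the other


def _parse_range(text, version):
    """'a' or 'a-b' -> (first, last) addresses, validated to the given version."""
    first, _, last = text.partition("-")
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last) if last else lo
    if lo.version != version or hi.version != version:
        raise ValueError(f"{text}: expected an IPv{version} address")
    if hi < lo:
        raise ValueError(f"{text}: range end precedes start")
    return lo, hi


def _parse_ports(text):
    first, _, last = text.partition("-")
    lo, hi = int(first), (int(last) if last else int(first))
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"{text}: bad port range")
    return lo, hi


def check_src_filter(kind, entries):
    """Return the src-filter entries that are not subnets of the external family."""
    ext_ver = EXT_VERSION[kind]
    bad = []
    for entry in entries:
        try:
            ok = ipaddress.ip_network(entry, strict=False).version == ext_ver
        except ValueError:
            ok = False
        if not ok:
            bad.append(entry)
    return bad


def expand_vip(kind, extip, mappedip, portforward=False, extport="0",
               mappedport="0", src_filter=()):
    """Return the effective extip/mappedip (and port) ranges as strings."""
    ext_ver = EXT_VERSION[kind]
    map_ver = 4 if ext_ver == 6 else 6
    ext_lo, ext_hi = _parse_range(extip, ext_ver)
    map_lo, map_hi = _parse_range(mappedip, map_ver)
    count = int(map_hi) - int(map_lo)           # number of extra addresses
    if ext_lo.is_unspecified:
        ext_str = str(ext_lo)                    # dynamic VIP: any destination
    else:
        if ext_lo == ext_hi:
            ext_hi = ext_lo + count              # unit calculates the range end
        elif int(ext_hi) - int(ext_lo) != count:
            raise ValueError("extip and mappedip ranges differ in size")
        ext_str = f"{ext_lo}-{ext_hi}" if count else str(ext_lo)
    result = {"extip": ext_str,
              "mappedip": f"{map_lo}-{map_hi}" if count else str(map_lo)}
    if portforward:
        ep_lo, ep_hi = _parse_ports(extport)
        mp_lo, mp_hi = _parse_ports(mappedport)
        span = mp_hi - mp_lo
        if ep_lo == ep_hi:
            ep_hi = ep_lo + span                 # unit calculates the extport end
        elif ep_hi - ep_lo != span:
            raise ValueError("extport and mappedport ranges differ in size")
        if ep_hi > 65535:
            raise ValueError("calculated extport range exceeds 65535")
        result["extport"] = f"{ep_lo}-{ep_hi}" if span else str(ep_lo)
        result["mappedport"] = f"{mp_lo}-{mp_hi}" if span else str(mp_lo)
    bad = check_src_filter(kind, src_filter)
    if bad:
        raise ValueError(f"src-filter entries not IPv{ext_ver}: {bad}")
    return result


if __name__ == "__main__":
    # Constructed sample: ten IPv4 servers behind a single starting IPv6 extip.
    print(expand_vip("vip64", "2001:db8::10", "10.0.0.10-10.0.0.19",
                     src_filter=["2001:db8:100::/48"]))
    # Constructed sample: one IPv6 server, ports 80-82 exposed as 8080-8082.
    print(expand_vip("vip46", "203.0.113.10", "2001:db8:1::80",
                     portforward=True, extport="8080", mappedport="80-82"))
```

Reviewing the computed external range before committing is the practical point: a mappedip range silently widens the set of external addresses the FortiGate answers for, and a src-filter written in the wrong address family never matches anything.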

 

This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
