New Fortinet FortiGate IPv6 MIB fields


The following IPv6 MIB fields have been added to the Fortinet FortiGate MIB. These MIB entries can be used to display IPv6 session and policy statistics.

  • IPv6 Session Counters: fgSysSes6Count, fgSysSes6Rate1, fgSysSes6Rate10, fgSysSes6Rate30, fgSysSes6Rate60
  • IPv6 Policy Statistics: fgFwPol6StatsTable, fgFwPol6StatsEntry, FgFwPol6StatsEntry, fgFwPol6ID, fgFwPol6PktCount, fgFwPol6ByteCount
  • IPv6 Session Statistics: fgIp6SessStatsTable, fgIp6SessStatsEntry, FgIp6SessStatsEntry, fgIp6SessNumber

The existing fgSysSesCount and fgSysSesRateX objects report statistics for IPv4 and IPv6 sessions combined. This behavior was not changed.

 

New OIDs

The following OIDs have been added under FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo:

.fgSysSes6Count 1.3.6.1.4.1.12356.101.4.1.15
.fgSysSes6Rate1 1.3.6.1.4.1.12356.101.4.1.16
.fgSysSes6Rate10 1.3.6.1.4.1.12356.101.4.1.17
.fgSysSes6Rate30 1.3.6.1.4.1.12356.101.4.1.18
.fgSysSes6Rate60 1.3.6.1.4.1.12356.101.4.1.19

 

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables

.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ID 1.3.6.1.4.1.12356.101.5.1.2.2.1.1
.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6PktCount 1.3.6.1.4.1.12356.101.5.1.2.2.1.2
.fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ByteCount 1.3.6.1.4.1.12356.101.5.1.2.2.1.3

 

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables.fgIp6SessStatsTable.fgIp6SessStatsEntry.fgIp6SessNumber 1.3.6.1.4.1.12356.101.11.2.3.1.1

 

EXAMPLE SNMP get/walk output

// Session6 stats excerpt from sysinfo: snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.4

FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second

 

// FwPolicy6 table: snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.5.1.2.2

FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0

 

// IP6SessNumber: snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.11.2.3.1

FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
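The walks above are only useful once something turns them into numbers a monitoring system can compare. The following Python script is an added example (not part of the handbook or of any Fortinet tool) that parses snmpwalk text output in the format shown above into a lookup table, derives the IPv4-only session count from the combined fgSysSesCount and the IPv6-only fgSysSes6Count, joins the three fgFwPol6Stats columns on their table index, and flags IPv6 policies whose counters are zero as well as a jump in the 1-minute IPv6 session rate relative to the 60-minute rate. The sample input is constructed from the page's output plus one fgSysSesCount line that the page does not show; the reading of the table index as (VDOM index, policy ID) is an assumption, and the spike threshold is arbitrary.

```python
import re
from collections import defaultdict

# Constructed sample: the snmpwalk excerpts from this page, plus one
# fgSysSesCount line (constructed, not from the page) so the IPv4-only
# derivation below has something to work on.
SAMPLE_WALK = """\
FORTINET-FORTIGATE-MIB::fgSysSesCount.0 = Gauge32: 1450
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
"""

# One snmpwalk line: MIB::object.index = TYPE: value [units...]
LINE_RE = re.compile(
    r"^FORTINET-FORTIGATE-MIB::(?P<obj>\w+)\.(?P<idx>[\d.]+)\s*=\s*"
    r"(?P<type>\w+):\s*(?P<val>-?\d+)"
)


def parse_walk(text):
    """Return {object_name: {index_tuple: int}} from snmpwalk text output.

    Trailing unit text ("Sessions Per Second") is ignored; lines that do not
    match the pattern are skipped rather than raising.
    """
    out = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        idx = tuple(int(p) for p in m.group("idx").split("."))
        out[m.group("obj")][idx] = int(m.group("val"))
    return dict(out)


def session_summary(walk):
    """fgSysSesCount is IPv4+IPv6 combined, so IPv4-only is the difference."""
    total = walk["fgSysSesCount"][(0,)]
    v6 = walk["fgSysSes6Count"][(0,)]
    return {"total": total, "ipv6": v6, "ipv4": total - v6}


def policy6_table(walk):
    """Join the fgFwPol6Stats columns on their shared index.

    Assumption: the index is (VDOM index, policy ID), e.g. .1.3 is policy 3
    in VDOM 1. Missing counters default to 0.
    """
    rows = {}
    for idx, pol_id in walk["fgFwPol6ID"].items():
        rows[idx] = {
            "vdom_index": idx[0],
            "policy_id": pol_id,
            "packets": walk["fgFwPol6PktCount"].get(idx, 0),
            "bytes": walk["fgFwPol6ByteCount"].get(idx, 0),
        }
    return rows


def idle_policies(walk):
    """Policy IDs whose IPv6 packet and byte counters are both zero."""
    return sorted(r["policy_id"] for r in policy6_table(walk).values()
                  if r["packets"] == 0 and r["bytes"] == 0)


def rate_spike(walk, factor=5):
    """True when the 1-minute IPv6 session rate exceeds `factor` times the
    60-minute rate (the 60-minute rate is floored at 1 so a quiet baseline
    still produces a comparison instead of a division-style blind spot)."""
    rate1 = walk["fgSysSes6Rate1"][(0,)]
    rate60 = walk["fgSysSes6Rate60"][(0,)]
    return rate1 > factor * max(rate60, 1)


if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    print(session_summary(walk))
    for row in policy6_table(walk).values():
        print(row)
    print("idle IPv6 policies:", idle_policies(walk))
    print("IPv6 session rate spike:", rate_spike(walk))
```

Feed it the saved output of the three snmpwalk commands from the page (concatenated) instead of SAMPLE_WALK to run it against a real unit. The walks on the page use SNMPv2c with the community string "public"; for a production poller, use a non-default community restricted to the poller's address, or SNMPv3 with authentication, so the same data is not readable by anyone on the management network.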

 

 

IPv6 Per-IP traffic shaper

You can add any Per-IP traffic shaper to an IPv6 security policy using the following command:

config firewall policy6
    edit 0
        set per-ip-shaper "new-perip-shaper"
    end

 

DHCPv6

You can use DHCP with IPv6 using the CLI. Before configuring DHCPv6, make sure IPv6 is enabled by going to System > Feature Select and enabling IPv6. Then use the CLI command

config system dhcp6

 

For more information on the configuration options, see the FortiGate CLI Reference.

 

DHCP delegated mode

Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.

 

DHCPv6-PD configuration

Enable DHCPv6 Prefix Delegation on upstream interface (port10):

 

config system interface
    edit "port10"
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    end

 

Assign a delegated prefix on the downstream interface (port1). Optionally, specific delegated prefixes can be listed under ipv6-delegated-prefix-list:

 

config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
            set ip6-subnet ::1:0:0:0:1/64
            set ip6-send-adv enable
            config ipv6-delegated-prefix-list
                edit 1
                    set upstream-interface "port10"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:100::/64
            end
        end
    end

 

 

DHCPv6 Server configuration

Configuring a DHCPv6 server on wan2 that takes its delegated prefix and DNS settings from the upstream interface wan1:

 

config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "wan2"
        set upstream-interface "wan1"
        set ip-mode delegated
        set subnet 0:0:0:102::/64
    end
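In the DHCPv6-PD and DHCPv6 server configurations above, the subnet values (::1:0:0:0:1/64, 0:0:0:100::/64, 0:0:0:102::/64) are relative: the high bits come from whatever prefix the upstream DHCPv6 server delegates, and the configured value only supplies the bits below it. The following Python script is an added example (not from the handbook or from FortiOS) that computes the resulting downstream prefixes for a given delegated prefix and rejects relative values that would collide with the delegated bits or use a shorter prefix length. The exact merge rule (bitwise OR of delegated prefix and relative value, keeping the relative prefix length) is an assumption about FortiOS behaviour, and the delegated prefix 2001:db8:1::/48 is a constructed sample.

```python
import ipaddress


def merge_delegated(delegated_prefix, relative_subnet):
    """Combine an upstream-delegated prefix with a relative subnet/address.

    Assumed rule (not stated on the page): the delegated prefix supplies the
    bits inside its prefix length, the relative value supplies the bits below
    it, and the result keeps the relative value's prefix length. Raises
    ValueError on inputs that cannot be merged cleanly.
    """
    deleg = ipaddress.IPv6Network(delegated_prefix, strict=False)
    rel = ipaddress.IPv6Interface(relative_subnet)
    if rel.network.prefixlen < deleg.prefixlen:
        raise ValueError(
            f"relative prefix /{rel.network.prefixlen} is shorter than the "
            f"delegated /{deleg.prefixlen}")
    low_bits = (1 << (128 - deleg.prefixlen)) - 1
    all_bits = (1 << 128) - 1
    if int(rel.ip) & ~low_bits & all_bits:
        raise ValueError(
            f"{relative_subnet} sets bits inside the delegated /{deleg.prefixlen}")
    merged = ipaddress.IPv6Address(int(deleg.network_address) | int(rel.ip))
    return ipaddress.IPv6Interface(f"{merged}/{rel.network.prefixlen}")


def plan_from_page_config(delegated_prefix):
    """Apply the relative values from the page's port1 and dhcp6 server
    configuration to one delegated prefix and return the effective values."""
    return {
        "port1 ip6-subnet": str(merge_delegated(delegated_prefix, "::1:0:0:0:1/64")),
        "port1 advertised prefix": str(merge_delegated(delegated_prefix, "0:0:0:100::/64")),
        "dhcp6 server subnet": str(merge_delegated(delegated_prefix, "0:0:0:102::/64")),
    }


if __name__ == "__main__":
    # Constructed sample delegated prefix; a real ISP would hand out its own.
    for name, value in plan_from_page_config("2001:db8:1::/48").items():
        print(f"{name:25s} {value}")
    # A relative subnet that overlaps the delegated bits is rejected.
    try:
        merge_delegated("2001:db8:1::/48", "0:0:1:100::/64")
    except ValueError as exc:
        print("rejected:", exc)
```

A useful check before committing a delegated-mode configuration is to run the relative subnets through this merge with the /48 or /56 the provider actually delegates: a relative subnet that sets bits inside the delegated length, or that is wider than the delegation, cannot yield the prefix you expect on the downstream interface.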

 

DHCPv6 relay

You can use the following command to configure a FortiGate interface to relay DHCPv6 queries and responses from one network to a network with a DHCPv6 server and back. The command enables DHCPv6 relay and includes adding the IPv6 address of the DHCP server that the FortiGate unit relays DHCPv6 requests to:

 

config system interface
    edit internal
        config ipv6
            set dhcp6-relay-service enable
            set dhcp6-relay-type regular
            set dhcp6-relay-ip 2001:db8:0:2::30
        end
    end

 

IPv6 forwarding

 

Policies, IPS, Application Control, flow-based antivirus, web filtering, and DLP

FortiOS fully supports flow-based inspection of IPv6 traffic. This includes full support for IPS, application control, virus scanning, and web filtering.

To add flow-based inspection to IPv6 traffic go to Policy & Objects > IPv6 Policy and select Create New to add an IPv6 Security Policy. Configure the policy to accept the traffic to be scanned. Under Security Profiles, select the profiles to apply to the traffic.

 

Obtaining IPv6 addresses from an IPv6 DHCP server

From the CLI, you can configure any FortiGate interface to get an IPv6 address from an IPv6 DHCP server. For example, to configure the wan2 interface to get an IPv6 address from an IPv6 DHCP server enter the following command:

config system interface
    edit wan2
        config ipv6
            set ip6-mode dhcp
        end
    end



This entry was posted in FortiOS 5.4 Handbook.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
