Blocking IPv6 packets by extension headers

Blocking IPv6 packets by extension headers

FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax: config firewall ipv6-eh-filter.

The following commands are now available:

  • set hop-opt {disable | enable}: Block packets with Hop-by-Hop Options header. l set dest-opt {disable | enable}: Block packets with Destination Options header.
  • set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255). l set routing {disable | enable}: Block packets with Routing header.
  • set routing-type <integar>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
  • set fragment {disable | enable}: Block packets with Fragment header. l set auth {disable | enable}: Block packets with Authentication header. l set no-next {disable | enable}: Block packets with No Next header.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos