When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:
l Subnet l IP Range – the details of this type of address are the same as the IPv4 version of this type l IPv6 FQDN firewall addresses – similar to the IPv4 version.
The IPv6 addresses don’t yet have the versatility of the IPv4 address in that they don’t have things like geography based addresses, but as IPv6 becomes more mainstream this should change.
The Subnet Address type is one that is only used in reference to IPv6 addresses.It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a “/”, and then a number less than 128 to indicate the size of the subnet. An example would be:
- The hexidecimal characters represent the IPv6 subnet address.
- The “::” indicates 0’s from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
- /xx, in this case /64 represents the number of bits in the subnet.This will make a range that can potentially include
18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 Quintillion.
Creating a subnet address
- Go to Policy & Objects > Addresses.
- Select Create New. A drop down menu is displayed. Select Address
- In the Category field, chose IPv6 Address.
- Input a Name for the address object.
- In the Type field, select Subnet from the drop down menu.
- In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces)
- Select the desired on/off toggle setting for Show in Address List. If the setting is enabled the address will appear in drop down menus where it is an option.
- Input any additional information in the Comments
Example of a IP Range address for a group of computers set aside for guests on the company network.
|Subnet / IP Range||fd5e:3c59:35ce:f67e::/64|
|Show in Address List||[on]|
IPv6 FQDN firewall addresses
FQDN firewall addresses can be configured for IPv6.
Syntax in CLI
config firewall address6 edit <address_name> set type fqdn set fqdn <domain_name>
set cache-ttl <integer value from 0 to 86400> end
Firewall IPv6 address templates
You can use the IPv6 address templates to create new IPv6 addresses that share a prefix. Using templates for addresses reduces the chance of configuring an incorrect address due to a typographical error.
l A standard IPv6 address can be divided into three parts:
[IPv6 network prefix] + [subnet segments] + [host address] l The subnet segments can be split into multiple 4-bit blocks called nibbles l Each subnet segments represent different geographical or organizational parts of the network. They are represented by 1 or more nibbles.
Example of a prefix:
The highlighted characters
|Prefix (48 bits)|
The highlighted characters (zeros)
|Place holder for the subnet segments (16 bits)|
The highlighted characters
The 16 bits that make up the subnet segments can be more granular.
Example: 0011 1111 0000 1101
The resulting network portion of the address is:
By changing the mask, the subnet segment could be increased.
This makes more options available for the configuration of the subnet segments. Below is an example of a very basic template:
Using that template, you can see how the GUI could be used to quickly create address objects.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Don't Forget To visit the YouTube Channel for the latest Fortinet Training Videos and Question / Answer sessions!
- FortinetGuru YouTube Channel
- FortiSwitch Training Videos
Cybersecurity Videos and Training Available Via: Office of The CISO Security Training Videos
Leave a Reply