Category Archives: FortiOS 6

BGP and IPv6

BGP and IPv6

FortiGate units support IPv6 over BGP using the same config router bgp command as IPv4, but different subcommands.

The main CLI keywords have IPv6 equivalents that are identified by the “6” on the end of the keyword, such as with config network6 or set allowas-in6.

IPv6 BGP commands include:

config router bgp set activate6 {enable | disable} set allowas-in6 <max_num_AS_integer> set allowas-in-enable6 {enable | disable} set as-override6 {enable | disable} set attribute-unchanged6 [as-path] [med] [next-hop] set capability-default-originate6 {enable | disable} set capability-graceful-restart6 {enable | disable} set default-originate-route-map6 <routemap_str> set distribute-list-in6 <access-list-name_str> set distribute-list-out6 <access-list-name_str> set filter-list-in6 <aspath-list-name_str> set filter-list-out6 <aspath-list-name_str> set maximum-prefix6 <prefix_integer> set maximum-prefix-threshold6 <percentage_integer> set maximum-prefix-warning-only6 {enable | disable} set next-hop-self6 {enable | disable} set prefix-list-in6 <prefix-list-name_str> set prefix-list-out6 <prefix-list-name_str> set remove-private-as6 {enable | disable} set route-map-in6 <routemap-name_str> set route-map-out6 <routemap-name_str> set route-reflector-client6 {enable | disable} set route-server-client6 {enable | disable} set send-community6 {both | disable | extended | standard}

set soft-reconfiguration6 {enable | disable} set unsuppress-map6 <route-map-name_str> config network6 config redistribute6

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 IPsec VPN

IPv6 IPsec VPN

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

l Overview of IPv6 IPsec support l Configuring IPv6 IPsec VPNs l Site-to-site IPv6 over IPv6 VPN example l Site-to-site IPv4 over IPv6 VPN example l Site-to-site IPv6 over IPv4 VPN example

Overview of IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can also combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

IPv4 over IPv6 The VPN gateways have IPv6 addresses.

The protected networks have IPv4 addresses. The phase 2 configurations at either end use IPv4 selectors.

IPv6 over IPv4 The VPN gateways have IPv4 addresses.

The protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

l Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported. l Selectors cannot be firewall address names. Only IP address, address range and subnet are supported. l Redundant IPv6 tunnels are not supported.

Certificates

On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.

Configuring IPv6 IPsec VPNs

Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN: phase 1 settings, phase 2 settings, security policies, and routing.

Phase 1 configuration

In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings. Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote gateway.

In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden and the corresponding local-gw6 and remotegw6 keywords are available. The values for local-gw6 and remote-gw6 must be IPv6 addresses. For example:

config vpn ipsec phase1-interface edit tunnel6 set ip-version 6

set remote-gw6 0:123:4567::1234 set interface port3 set proposal 3des-md5

end

Phase 2 configuration

To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific IPv6 addresses, address ranges or subnet addresses in these fields.

In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6 address type, for example. The simplest IPv6 phase 2 configuration looks like this:

config vpn ipsec phase2-interface edit tunnel6_p2 set phase1name tunnel6 set proposal 3des-md5 set src-addr-type subnet6 set dst-addr-type subnet6

end

Security policies

To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.

Routing

Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them. You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface. You also need a route to the remote protected network via the IPsec interface.

To create a static route – web-based manager:

  1. Go to Network > Static Routes.
  2. Select the drop-down arrow on the Create New button and select IPv6 Route.
  3. Enter the information and select OK.

To create a static route – CLI:

  1. In the CLI, use the router static6 command. For example, where the remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB

set dst fec0:0000:0000:0004::/64

next

end

If the VPN is IPV4 over IPv6, the route to the remote protected network is an IPv4 route. If the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

Example IPv6-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 config ipv6 set ip6-address fec0::0000:209:0fff:fe83:25f3/64

end

next

end

Configure FortiGate A IPsec settings

The phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IP address FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

By default, phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6 edit 1 set device port2 set dst 0::/0

next edit 2 set device toB

set dst fec0:0000:0000:0004::/64 end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:209:0fff:fe83:25c7/64

end

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1

set device port2 set dst 0::/0

next edit 2

set device toA

set dst fec0:0000:0000:0000::/64

end

Site-to-site IPv4 over IPv6 VPN example

In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.

Example IPv4-over-IPv6 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.

config system interface edit port2 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f2/64

end

next edit port3 set 192.168.2.1/24 end

Configure FortiGate A IPsec settings

The phase 1 configuration is the same as in the IPv6 over IPv6 example.

config vpn ipsec phase1-interface edit toB set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

The phase 2 configuration is the same as you would use for an IPv4 VPN. By default, phase 2 selectors are set to accept all subnet addresses for source and destination.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.

config firewall policy edit 1 set srcintf port3 set dstintf toB set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all set dstaddr all set action accept set service ANY set schedule always

end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.

config router static6 edit 1 set device port2

set dst 0::/0

next edit 2 set device toB set dst 192.168.3.0/24

end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. The IPsec phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.

config system interface edit port2 config ipv6 set ip6-address fec0::0003:fe83:25c7/64

end

next edit port3 set 192.168.3.1/24

end

config vpn ipsec phase1-interface edit toA set ip-version 6 set interface port2

set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable

end

config firewall policy edit 1 set srcintf port3 set dstintf toA set srcaddr all set dstaddr all set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all set dstaddr all

set action accept set service ANY set schedule always

end

config router static6 edit 1

set device port2 set dst 0::/0

next edit 2

set device toA set dst 192.168.2.0/24

end

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

Example IPv6-over-IPv4 VPN topology

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

config system interface edit port2 set 10.0.0.1/24

next edit port3 config ipv6 set ip6-address fec0::0001:209:0fff:fe83:25f3/64

end

Configure FortiGate A IPsec settings

The phase 1 configuration uses IPv4 addressing.

config vpn ipsec phase1-interface edit toB set interface port2 set remote-gw 10.0.1.1 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

The phase 2 configuration uses IPv6 selectors. By default, phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

config vpn ipsec phase2-interface edit toB2 set phase1name toB set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction.

Define the address all6 using the firewall address6 command as ::/0.

config firewall policy6 edit 1 set srcintf port3 set dstintf toB set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toB set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always end

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

config router static6 edit 1 set device toB

set dst fec0:0000:0000:0004::/64

end

config router static edit 1 set device port2 set dst 0.0.0.0/0 set gateway 10.0.0.254 end

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

config system interface edit port2 set 10.0.1.1/24

next edit port3 config ipv6 set ip6-address fec0::0004:209:0fff:fe83:2569/64

end

config vpn ipsec phase1-interface edit toA set interface port2 set remote-gw 10.0.0.1 set dpd enable set psksecret maryhadalittlelamb set proposal 3des-md5 3des-sha1

end

config vpn ipsec phase2-interface edit toA2 set phase1name toA set proposal 3des-md5 3des-sha1 set pfs enable set replay enable set src-addr-type subnet6 set dst-addr-type subnet6

end

config firewall policy6 edit 1 set srcintf port3 set dstintf toA set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

next edit 2 set srcintf toA set dstintf port3 set srcaddr all6 set dstaddr all6 set action accept set service ANY set schedule always

end

config router static6 edit 1 set device toA

set dst fec0:0000:0000:0000::/64

end

config router static edit 1 set device port2 set gateway 10.0.1.254

end

TCP MSS values

TCP MSS values, which control the maximum amount of data that can be sent in a single packet, can be set for IPv6 policies (for both the sender and the receiver). You can configure TCP MSS values in IPv6 using the following CLI commands:

config firewall policy6 edit <index_int> set tcp-mss-sender <value> set tcp-mss-receiver <value>

end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

ICMPv6

ICMPv6

The IT Manager is doing some diagnostics and would like to temporarily block the successful replies of ICMP Node information Responses between 2 IPv6 networks.

The ICMP type for ICMP Node information responses is 140. The codes for a successful response is 0.

To configure ICMPv6 – web-based manager:

  1. Go to Policy & Objects > Services and select Create New > Service. 2. Fill out the fields with the following information
Name diagnostic-test1
Service Type Firewall
Show in Service List Enabled
Category Uncategorized
Protocol Type ICMP6
Type 140
  1. Select
  2. Enter the following CLI command:

config firewall service custom edit diagnostic-test1 set protocol ICMP6 set icmptype 140 set icmpcode 0 set visibility enable

end

To verify that the category was added correctly:

  1. Go to Policy & Objects > Services. Check that the services have been added to the services list and that they are correct.
  2. Enter the following CLI command:

config firewall service custom edit <the name of the service that you wish to verify> show full-configuration


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 SSH

IPv6 SSH

FortiGate supports SSH traffic through IPv6. When the proxy option is set to ssh in a proxy policy, IPv6 source and destination address options become available and SSH profiles can be assigned to IPv6 firewall policies.

Syntax in IPv6 firewall policy

config firewall policy6 edit 1 set utm-status enable set ssh-filter-profile <example> end

Syntax in proxy policy

config firewall proxy-policy edit 1 set proxy ssh set srcaddr6 “all” set dstaddr6 “all” end

Logging

When a proxy policy is being used, SSH traffic logs are generated by wad instead of the kernel.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 configuration

IPv6 configuration

This section contains configuration information for IPv6 on FortiOS. Attempts are made to include scenarios in each section to better assist with the configuration and to orient the information toward a particular task.

You will find information on the following:

IPv6 address groups

To create IPv6 address groups from existing IPv6 addresses – web-based manager

Your company has 3 internal servers with IPv6 addresses that it would like to group together for the purposes of a number of policies.

  1. Go to Policy & Objects > Addresses and select Create New > Address Group.
  2. Select IPv6 Group, and fill out the fields with the following information:
Group Name Web_Server_Cluster
Members Web_Server-1

Web_Server-2

Web_Server-3

  1. Select

To create IPv6 address groups from existing IPv6 addresses – CLI

config firewall addrgrp6 edit Web_Server_Cluster set member Web_Server-1 Web_Server-2 Web_Server-3 end

To verify that the addresses were added correctly

  1. Go to Policy & Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. From the CLI, enter the following commands: config firewall addgrp6 edit <the name of the address that you wish to verify> Show full-configuration

IPv6 address ranges

You can configure IPv6 address ranges in both the GUI and the CLI.

To configure IPv6 address ranges – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Set the Type to IP Range and enter the IPv6 addresses as shown:

To configure IPv6 address ranges – CLI:

config firewall address6 edit ipv6range set type iprange set start-ip 2001:db8:0:2::30 set end-ip 2001:db8:0:2::31

end

IPv6 firewall addresses

Scenario: Mail server

You need to create an IPv6 address for the Mail Server on Port1 of your internal network. This server is on the network off of port1.

l The IP address is 2001:db8:0:2::20/128 l There should be a tag for this address being for a server.

Configuring the Example using the GUI
  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Select IPv6 Address and fill out the fields with the following information
Name Mail_Server
Type Subnet
IPv6 Address 2001:db8:0:2::20/128
  1. Select
Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6 edit Mail_Server set type ipprefix set subnet 2001:db8:0:2::20/128

end

Scenario: First floor network

You need to create an IPv6 address for the subnet of the internal network off of Port1. These computers connect to port1. The network uses the IPv6 addresses: fdde:5a7d:f40b:2e9d:xxxx:xxxx:xxxx:xxxx There should be a reference to this being the network for the 1st floor of the building.

  1. Go to Policy & Objects > Objects > Addresses
  2. Select Create New > Address.Select IPv6 Address and fill out the fields with the following information:
Name Internal_Subnet_1
Type Subnet / IP Range
IPv6 Address 2001:db8:0:2::/64
Comments Network for 1st Floor
  1. Select
  2. Enter the following CLI command:

config firewall address6 edit Internal_Subnet_1 set comment “Network for 1st Floor” set type ipprefix set subnet 2001:db8:0:2::/64 end

Scenario: Accounting team

You need to create an IPv6 address for the Accounting Team that’s on the 1st Floor. These users are off of various ports of the FortiGate, but they have all been assigned addresses between 2001:db8:0:2::2000 and 2001:db8:0:2::a000

Configuring the example using the GUI
  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address. 2. Select IPv6 Address and fill out the fields with the following information
Name Accounting_Team
Type IP Range
Subnet / IP Range 2001:db8:0:2::2000-2001:db8:0:2::a000
  1. Select OK.
Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6 edit Accounting_Team set type iprange set visibility enable set start-ip 2001:db8:0:2::2000 set end-ip 2001:db8:0:2::a000 end

To verify that the addresses were added correctly:

  1. Go to Policy & Objects > Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall address6 edit <the name of the address that you wish to verify> Show full-configuration


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 Neighbor Discovery Proxy

IPv6 Neighbor Discovery Proxy

This feature provides support for proxying the IPv6 Neighbor Discovery (ND) protocol to allow the forwarding of the following ICMP messages between upstream and downstream interfaces:

l Router Advertisement (RA) l Neighbor Solicitation (NS) l Neighbor Advertisement (NA) l Router Solicitation (RS) l Redirect

The Neighbor Discovery (ND) protocol is used to discover the Link Layer address of IPv6 destinations. In IPv4, this is achieved by using ARP.

Configure ND Proxy in the CLI using the following syntax:

config system nd-proxy set status {enable|disable}

set member <interface> <interface> [<interface>…] end

Option Description
status Enable/disable the use of neighbor discovery proxy
member List of interfaces using the neighbor discovery proxy

 

An example of a configuration can be found in the IPv6 Configuration section under IPv6 Neighbor Discovery Proxy on page 164


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FSSO over IPv6

FSSO

FortiGate FSSO supports connecting to an FSSO agent over IPv6 and collecting and sending IPv6 details about endpoints. This is all enforced the same way as IPv4 FSSO traffic.

CLI

config user fsso edit <fsso agent name> set source-ip6 <IPv6 address for source> end


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 Tunneling Authentication Support

Authentication support

RADIUS

FortiOS’s supports IPv6 RADIUS authentication. When configuring the FortiGate interface and the RADIUS server (under config system interface and config user radius respectively), the server IP address can be set as IPv6.

Captive portal

Captive portal supports IPv6. It works with remote RADIUS authentication and WiFi interfaces.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!