Category Archives: FortiOS

Packet flow: FortiGates with NP6 processors first packet of a new session

On a FortiGate with NP6 processors, the first packet in a new session is handled the same way as on a FortiGate with no NP6 processors, except that some processes, such as DoS, ACL, IP integrity checking, and IPsec VPN decryption, are accelerated by the NP6 processor.

Figure: packet-flow-overview-np6

Network processors (NP6)

FortiASIC network processors work at the interface level to accelerate traffic by offloading sessions from the main CPU. Current FortiGate models contain NP6 network processors. Older FortiGate models include NP4 and older network processors.

NP6 processors can offload most IPv4 and IPv6 traffic, IPsec VPN encryption, CAPWAP traffic, and multicast traffic. The NP6 has a capacity of 40 Gbps through 4 x 10 Gbps interfaces or 3 x 10 Gbps and 16 x 1 Gbps interfaces.

Sessions that require proxy-based UTM/NGFW (including proxy-based virus scanning, web filtering, and so on) are not fast pathed and must be processed by the CPU.

Sessions that require flow-based UTM/NGFW (including IPS, application control, flow-based virus scanning and so on) can be offloaded to NP4 or NP6 network processors if the FortiGate supports NTurbo.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

UTM/NGFW

If the policy matching the packet includes security profiles, then the packet is subject to Unified Threat Management (UTM)/Next Generation Firewall (NGFW) processing. UTM/NGFW processing depends on the inspection mode of the FortiGate: Flow-based (single pass architecture) or proxy-based. Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors.

Single pass flow-based UTM/NGFW inspection identifies and blocks security threats in real time as they are identified by sampling packets in a session and using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.

Proxy-based UTM/NGFW inspection can apply both flow-based and proxy-based inspection. Packets initially encounter the IPS engine, which can apply single-pass flow-based IPS, Application Control and CASI (as configured). The packets are then sent to the proxy for proxy-based inspection. Proxy-based inspection can apply VoIP inspection, DLP, AntiSpam, Web Filtering, Antivirus, and ICAP.

 

Content processors (CP8 and CP9)

Most FortiGate models contain FortiASIC Content Processors (CPs) that accelerate IPsec and SSL VPN encryption/decryption and key exchange, and flow-based content processing pattern matching. CPs work at the system level, with tasks offloaded to them as determined by the main CPU. Capabilities of the CPs vary by model. Newer FortiGate units include CP8 and new CP9 processors.

 

CP9 capabilities

The CP9 content processor provides the following services:

  • Flow-based inspection pattern matching acceleration with over 10Gbps throughput
  • High performance VPN bulk data engine
  • Key Exchange Processor that supports high performance IKE and RSA computation
  • DLP fingerprint support

 

CP8 capabilities

The CP8 content processor provides the following services:

  • Flow-based inspection pattern matching acceleration
  • High performance VPN bulk data engine
  • Key Exchange Processor that supports high performance IKE and RSA computation

Kernel

Traffic is now in the process of exiting the FortiGate unit. The kernel uses the routing table to forward the packet out the correct exit interface.

The kernel also checks the NAT table and determines if the source IP address for outgoing traffic must be changed using SNAT. SNAT is typically applied to traffic from an internal network heading out to the Internet. SNAT means the actual address of the internal network is hidden from the Internet.

 

Egress

Before exiting the FortiGate, outgoing packets that are entering an IPsec VPN tunnel are encrypted and encapsulated. IPsec VPN encryption is offloaded to and accelerated by CP8 or CP9 processors. Packets are then subject to botnet checking to make sure they are not destined for known botnet addresses.

Traffic shaping is then imposed, if configured, followed by WAN Optimization. The packet is then processed by the TCP/IP stack and exits out the egress interface.

Packet flow ingress and egress: FortiGates without network processor offloading

This section describes the steps a packet goes through as it enters, passes through and exits from a FortiGate unit. This scenario shows all of the steps a packet goes through if a FortiGate does not contain network processors (such as the NP6).

Figure: packet-flow-ingress-and-egress

Ingress

All packets accepted by a FortiGate pass through a network interface and are processed by the TCP/IP stack. Then, if DoS policies or Access Control List (ACL) policies have been configured, the packet must pass through these as well as automatic IP integrity header checking.

DoS scans are handled very early in the life of the packet to determine whether the traffic is valid or is part of a DoS attack. The DoS module inspects all traffic flows but only tracks packets that can be used for DoS attacks (for example, TCP SYN packets), to ensure they are within the permitted parameters. Suspected DoS attacks are blocked, other packets are allowed.

IP integrity header checking reads the packet headers to verify whether the packet is a valid TCP, UDP, ICMP, SCTP or GRE packet. The only verification done at this step is to ensure that the protocol header is the correct length. If it is, the packet is allowed to carry on to the next step. If not, the packet is dropped.
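As an added illustration (not FortiOS code) of the header-length check described above, the following model parses an IPv4 packet and accepts or drops it solely on whether the TCP, UDP, ICMP, SCTP or GRE header is complete; the sample packets are constructed inline, and the handling of other protocols is an assumption of the model.

```python
"""Model of the 'IP integrity header checking' ingress step: only the
transport header length is verified, payload content is ignored."""
import struct
from typing import Tuple

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_SCTP = 1, 6, 17, 47, 132


def ip_integrity_check(pkt: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason). A rejected packet is dropped at this step;
    an accepted one carries on to the next step of the ingress flow."""
    if len(pkt) < 20:
        return False, "IPv4 header truncated"
    if pkt[0] >> 4 != 4:
        return False, "not IPv4 (this model only handles IPv4)"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return False, "IPv4 length fields inconsistent"
    proto = pkt[9]
    l4 = pkt[ihl:total_len]                  # transport header + payload

    if proto == PROTO_TCP:
        if len(l4) < 20:
            return False, "TCP header truncated"
        data_offset = (l4[12] >> 4) * 4      # header length incl. options
        if data_offset < 20 or data_offset > len(l4):
            return False, "TCP data offset exceeds packet"
        return True, "TCP"
    if proto == PROTO_UDP:
        if len(l4) < 8:
            return False, "UDP header truncated"
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len < 8 or udp_len > len(l4):
            return False, "UDP length field inconsistent"
        return True, "UDP"
    if proto == PROTO_ICMP:
        return (True, "ICMP") if len(l4) >= 8 else (False, "ICMP header truncated")
    if proto == PROTO_SCTP:
        return (True, "SCTP") if len(l4) >= 12 else (False, "SCTP common header truncated")
    if proto == PROTO_GRE:
        if len(l4) < 4:
            return False, "GRE header truncated"
        flags = l4[0]                         # C=0x80, K=0x20, S=0x10 add 4 bytes each
        need = 4 + sum(4 for bit in (0x80, 0x20, 0x10) if flags & bit)
        if len(l4) < need:
            return False, "GRE optional fields truncated"
        return True, "GRE"
    # Assumption of this model: other protocols are passed without a header check.
    return True, f"protocol {proto} not checked"


def _ipv4(proto: int, l4: bytes) -> bytes:
    """Constructed IPv4 header (IHL 5, no options) in front of a transport header."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return hdr + l4


# Constructed sample packets: a 20-byte TCP SYN (data offset 5) and variants.
TCP_SYN = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
SAMPLES = {
    "tcp_syn": _ipv4(PROTO_TCP, TCP_SYN),
    "tcp_truncated": _ipv4(PROTO_TCP, TCP_SYN[:12]),
    # data offset claims a 32-byte header but only 20 bytes are present
    "tcp_bad_doff": _ipv4(PROTO_TCP, TCP_SYN[:12] + bytes([8 << 4]) + TCP_SYN[13:]),
    "udp_dns": _ipv4(PROTO_UDP, struct.pack("!HHHH", 53000, 53, 8, 0)),
    "udp_bad_len": _ipv4(PROTO_UDP, struct.pack("!HHHH", 53000, 53, 200, 0)),
    "icmp_echo": _ipv4(PROTO_ICMP, struct.pack("!BBHHH", 8, 0, 0, 1, 1)),
    "icmp_short": _ipv4(PROTO_ICMP, b"\x08\x00\x00\x00"),
    "gre_plain": _ipv4(PROTO_GRE, struct.pack("!BBH", 0x00, 0x00, 0x0800)),
    # K bit set, so a 4-byte key must follow, but it is missing
    "gre_key_missing": _ipv4(PROTO_GRE, struct.pack("!BBH", 0x20, 0x00, 0x0800)),
    "sctp_init": _ipv4(PROTO_SCTP, struct.pack("!HHII", 5000, 5000, 0, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:16s} -> {ip_integrity_check(pkt)}")
```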

Incoming IPsec packets that match configured IPsec tunnels on the FortiGate are decrypted after header checking is done.

If the packet is an IPsec packet, the IPsec engine attempts to decrypt it. If the IPsec engine can apply the correct encryption keys and decrypt the packet, the unencrypted packet is sent to the next step. Non-IPsec traffic and IPsec traffic that cannot be decrypted pass on to the next step without being affected. IPsec VPN decryption is offloaded to and accelerated by CP8 or CP9 processors.

 

Admission Control

Admission control checks to make sure the packet is not from a source or headed to a destination on the quarantine list. If configured, admission control then imposes FortiHeartBeat protection, which requires a device to have FortiClient installed before allowing packets from it. Admission control can also impose captive portal authentication on ingress traffic.

 

Kernel

Once a packet makes it through all of the ingress steps, the FortiOS kernel performs the following checks to determine what happens to the packet next.

 

Destination NAT

Destination NAT checks the NAT table and determines if the destination IP address for incoming traffic must be changed using DNAT. DNAT is typically applied to traffic from the Internet that is going to be directed to a server on a network behind the FortiGate. DNAT means the actual address of the internal network is hidden from the Internet. This step determines whether a route to the destination address actually exists. DNAT must take place before routing so that the FortiGate unit can route packets to the correct destination.

 

Routing

Routing uses the routing table to determine the interface to be used by the packet as it leaves the FortiGate unit. Routing also distinguishes between local traffic and forwarded traffic. Firewall policies are matched with packets depending on the source and destination interface used by the packet. The source interface is known when the packet is received and the destination interface is determined by routing.

 

Stateful inspection/Policy lookup/Session management

Stateful inspection looks at the first packet of a session and looks in the policy table to make a security decision about the entire session. Stateful inspection looks at packet TCP SYN and FIN flags to identify the start and end of a session, the source/destination IP, source/destination port and protocol. Other checks are also performed on the packet payload and sequence numbers to verify it as a valid session and that the data is not corrupted or poorly formed.

When the first packet in a session is matched in the policy table, stateful inspection adds information about the session to its session table. So when subsequent packets are received for the same session, stateful inspection can determine how to handle them by looking them up in the session table (which is more efficient than looking them up in the policy table).

Stateful inspection makes the decision to drop or allow a session and apply security features to it based on what is found in the first packet of the session. Then all subsequent packets in the same session are processed in the same way.

When the final packet in the session is processed, the session is removed from the session table. Stateful inspection also has a session idle timeout that removes sessions from the session table that have been idle for the length of the timeout.

See the Stateful Firewall Wikipedia article (https://en.wikipedia.org/wiki/Stateful_firewall) for an excellent description of stateful inspection.
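The following added example (not FortiOS code) models the stateful inspection behaviour described above: the first packet of a session is matched against the policy table, later packets are served from a session table keyed on the 5-tuple, a SYN opens a TCP session, FINs from both sides or the idle timeout remove it. The policies, the idle timeout value and the sample flow are constructed for the demonstration.

```python
"""Minimal model of stateful inspection: policy lookup on the first packet,
session-table lookup for everything after it."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters: S (SYN), A (ACK), F (FIN)
    ts: float = 0.0     # arrival time in seconds


@dataclass(frozen=True)
class Policy:
    pid: int
    srcaddr: str        # CIDR
    dstaddr: str        # CIDR
    proto: str
    dports: frozenset
    action: str         # "accept" or "deny"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto and p.dport in self.dports
                and ip_address(p.src) in ip_network(self.srcaddr)
                and ip_address(p.dst) in ip_network(self.dstaddr))


@dataclass
class Session:
    pid: int            # policy that admitted the session
    last_seen: float
    fins: int = 0       # FINs seen; two (one per direction) end the session


class StatefulFirewall:
    def __init__(self, policies: List[Policy], idle_timeout: float = 300.0):
        self.policies = policies
        self.idle_timeout = idle_timeout
        self.sessions: Dict[tuple, Session] = {}
        self.policy_lookups = 0   # how often the policy table was consulted

    def policy_lookup(self, p: Packet) -> Optional[Policy]:
        self.policy_lookups += 1
        for pol in self.policies:
            if pol.matches(p):
                return pol
        return None               # no match: implicit deny

    def expire_idle(self, now: float) -> None:
        stale = [k for k, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for k in stale:
            del self.sessions[k]

    def handle(self, p: Packet) -> str:
        """Return "accept", "deny" (policy decision) or "drop" (no session)."""
        self.expire_idle(p.ts)
        key = (p.src, p.dst, p.sport, p.dport, p.proto)
        rkey = (p.dst, p.src, p.dport, p.sport, p.proto)   # reply direction
        sess = self.sessions.get(key) or self.sessions.get(rkey)
        if sess is None:
            # First packet of a session: for TCP only a SYN may open one.
            if p.proto == "tcp" and "S" not in p.flags:
                return "drop"
            pol = self.policy_lookup(p)
            if pol is None or pol.action != "accept":
                return "deny"
            self.sessions[key] = Session(pid=pol.pid, last_seen=p.ts)
            return "accept"
        # Subsequent packet: decided from the session table, no policy lookup.
        sess.last_seen = p.ts
        if "F" in p.flags:
            sess.fins += 1
            if sess.fins >= 2:
                self.sessions.pop(key, None)
                self.sessions.pop(rkey, None)
        return "accept"


# Constructed policy table: internal hosts may reach web servers, nothing else.
POLICIES = [Policy(1, "10.0.0.0/8", "0.0.0.0/0", "tcp", frozenset({80, 443}), "accept")]


def demo() -> Tuple[List[str], int, int]:
    """Run a constructed flow; return (decisions, policy lookups, open sessions)."""
    fw = StatefulFirewall(POLICIES, idle_timeout=300.0)
    c, s = "10.1.1.5", "203.0.113.10"
    flow = [
        Packet(c, s, 40000, 80, "tcp", "S", 0.0),     # SYN: policy lookup
        Packet(s, c, 80, 40000, "tcp", "SA", 0.1),    # SYN-ACK: reverse session hit
        Packet(c, s, 40000, 80, "tcp", "A", 1.0),
        Packet(c, s, 40000, 80, "tcp", "FA", 2.0),    # client FIN
        Packet(s, c, 80, 40000, "tcp", "FA", 2.5),    # server FIN: session removed
        Packet(c, s, 40000, 80, "tcp", "A", 3.0),     # stray ACK, no session: drop
        Packet(c, s, 40001, 23, "tcp", "S", 4.0),     # telnet: no policy: deny
        Packet(c, s, 40002, 443, "tcp", "S", 100.0),  # new session
        Packet(c, s, 40002, 443, "tcp", "A", 500.0),  # idle > 300 s: expired, drop
    ]
    return [fw.handle(p) for p in flow], fw.policy_lookups, len(fw.sessions)


if __name__ == "__main__":
    print(demo())
```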

 

Session helpers

Some protocols include information in the packet body (or payload) that must be analyzed to successfully process sessions for this protocol. For example, the SIP VoIP protocol uses TCP control packets with a standard destination port to set up SIP calls. To successfully process SIP VoIP calls, FortiOS must be able to extract information from the body of the SIP packet and use this information to allow the voice-carrying packets through the firewall.

FortiOS uses session helpers to analyze the data in the packet bodies of some protocols and adjust the firewall to allow those protocols to send packets through the firewall. FortiOS includes the following session helpers:

 

  • PPTP
  • MMS
  • H323
  • PMAP
  • RAS
  • SIP
  • TNS
  • DNS-UDP
  • TFTP
  • RSH
  • RTSP
  • DCERPC
  • FTP
  • MGCP

 

User authentication

User authentication added to security policies is handled by stateful inspection, which is why firewall authentication is based on IP address. Authentication takes place after policy lookup selects a policy that includes authentication.

 

Device identification

Device identification is applied if required by the matching policy.

 

SSL VPN

Local SSL VPN traffic is treated like special management traffic as determined by the SSL VPN destination port. Packets are decrypted and are routed to an SSL VPN interface. Policy lookup is then used to control how packets are forwarded to their destination outside the FortiGate. SSL encryption and decryption is offloaded to and accelerated by CP8 or CP9 processors.

 

Local management traffic

Local management traffic terminates at a FortiGate interface. This can be any FortiGate interface including dedicated management interfaces. In multiple VDOM mode local management traffic terminates at the management interface. In Transparent mode, local management traffic terminates at the management IP address.

Local management traffic includes administrative access, some routing protocol communication, central management from FortiManager, communication with the FortiGuard network and so on. Management traffic is allowed or blocked according to the Local In Policy list which lists all management protocols and their access control settings. You configure local management access indirectly by configuring administrative access and so on.

Management traffic is processed by applications such as the web server which displays the FortiOS web-based manager, the SSH server for the CLI or the FortiGuard server to handle local FortiGuard database updates or FortiGuard Web Filtering URL lookups.

Local management traffic is not involved in subsequent stateful inspection steps.

SSL VPN traffic terminates at a FortiGate interface similar to local management traffic. However, SSL VPN traffic uses a different destination port number than administrative HTTPS traffic and can thus be detected and handled differently.

High-level list of processes that affect packets

In general, packets passing through a FortiGate unit can be affected by the following processes. This is a complete high-level list of all of the processes. Not all packets see all of these processes. The processes a packet encounters depend on the type of packet and on the FortiGate software and hardware configuration.

 

Ingress packet flow

  • Network Interface
  • TCP/IP stack
  • DoS ACL
  • DoS Policy
  • IP integrity header checking
  • IPsec VPN decryption

Admission Control

  • Quarantine
  • FortiHeartBeat
  • User Authentication

Kernel

  • Destination NAT
  • Routing
  • Stateful inspection/Policy lookup/Session management
  • Session Helpers
  • User Authentication
  • Device Identification
  • SSL VPN
  • Local Management Traffic

 

UTM/NGFW

  • Flow-based inspection
  • NTurbo
  • IPSA
  • Proxy-based inspection

Kernel

  • Forwarding
  • Source NAT (SNAT)

Egress packet flow

  • IPsec VPN Encryption
  • Botnet check
  • Traffic shaping
  • WAN Optimization
  • TCP/IP stack
  • Network Interface

Chapter 16 – Optimal Path Processing – Life of a Packet

 

 

Life of a Packet

This FortiOS Handbook chapter contains the following sections:

  • Optimal Path Processing introduces the concept of Optimal Path Processing.
  • Packet flow ingress and egress: FortiGates without network processor offloading describes the overall packet flow through a FortiGate with no network processor (NP) offloading hardware.
  • Packet flow: FortiGates with NP6 processors first packet of a new session describes how, similar to the previous section, the first packet in a new session that can be offloaded is processed in much the same way as on a FortiGate with no network processors.
  • Packet flow: FortiGates with NP6 processors – packets in an offloaded session describes the much simpler packet flow for a packet from an offloaded session.
  • UTM/NGFW packet flow: flow-based inspection describes how single pass UTM/NGFW processing occurs in a flow-based FortiGate or VDOM.
  • UTM/NGFW packet flow: proxy-based inspection describes how UTM/NGFW processing occurs in a proxy-based FortiGate or VDOM.
  • Comparison of inspection types shows how different security functions map to different inspection types.

 

 

Optimal Path Processing

Optimal Path Processing (OPP) uses the firewall policy configuration to determine the optimal path for processing a packet. Most FortiOS features are applied through Firewall policies and the features applied determine the path a packet takes. Using firewall policies you can impose UTM/NGFW processing on content traffic that may contain security threats (such as HTTP, email and so on). Many UTM/NGFW processes are offloaded and accelerated by CP8 or CP9 processors. Using the policy configuration you can apply a range of protection from basic IPS attack protection that looks for network-based attacks to full scale advanced threat management (ATM), application control, antivirus, DLP and so on.

You can also create policies for traffic that does not pose security threats and bypass UTM/NGFW checking. This control allows you to improve network performance without compromising security. On FortiGates with network processors (for example the NP6), much of the traffic that does not require UTM/NGFW processing can be offloaded to the NP6 processors, freeing up FortiGate processing resources for other, higher risk traffic.

In addition, many FortiGate models support NTurbo to offload flow-based UTM/NGFW sessions to network processors. Flow-based sessions can also be accelerated using IPSA technology to enhance offloading of pattern matching to CP8 and CP9 content processors.

This chapter begins with an overview of packet flow ingress and egress and includes a section that shows how NP6 offloading optimizes packet flow for packets that don’t require UTM/NGFW processing and for packets that use NTurbo to offload flow-based UTM/NGFW processing.

Next, this chapter breaks down how packets pass through UTM/NGFW processing, both for single-pass flow-based UTM/NGFW processing and for proxy-based UTM/NGFW processing.

IPv6 Configuration

This section contains configuration information for IPv6 on FortiOS. Attempts are made to include scenarios in each section to better assist with the configuration and to orient the information toward a particular task.

You will find information on the following:

  • IPv6 address groups
  • IPv6 address ranges
  • IPv6 firewall addresses
  • ICMPv6
  • IPv6 IPsec VPN
  • TCP MSS values
  • BGP and IPv6
  • RIPng — RIP and IPv6
  • IPv6 RSSO support
  • IPv6 IPS
  • Blocking IPv6 packets by extension headers
  • IPv6 Denial of Service policies
  • Configure hosts in an SNMP v1/2c community to send queries or receive traps
  • IPv6 PIM sparse mode multicast routing

 

By default IPv6 configurations do not appear in the web-based manager. You need to enable the feature first.

 

To enable IPv6:

1. Go to System > Features.

2. Select IPv6 and click Apply.

 

IPv6 address groups

 

To create IPv6 address groups from existing IPv6 addresses – web-based manager

Your company has 3 internal servers with IPv6 addresses that it would like to group together for the purposes of a number of policies.

1. Go to Policy & Objects > Addresses and select Create New > Address Group.

2. Select IPv6 Group, and fill out the fields with the following information:

Group Name    Web_Server_Cluster
Members       Web_Server-1, Web_Server-2, Web_Server-3

3. Select OK.

 

To create IPv6 address groups from existing IPv6 addresses – CLI

config firewall addrgrp6
    edit Web_Server_Cluster
        set member Web_Server-1 Web_Server-2 Web_Server-3
    next
end

 

To verify that the addresses were added correctly

1. Go to Policy & Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.

2. From the CLI, enter the following commands:

config firewall addrgrp6
    edit <the name of the address group that you wish to verify>
        show full-configuration

 

IPv6 address ranges

You can configure IPv6 address ranges in both the GUI and the CLI.

 

To configure IPv6 address ranges – web-based manager:

1. Go to Policy & Objects > Addresses.

2. Set the Type to IP Range and enter the IPv6 addresses as shown:

 

To configure IPv6 address ranges – CLI:

config firewall address6
    edit ipv6range
        set type iprange
        set start-ip 2001:db8:0:2::30
        set end-ip 2001:db8:0:2::31
    next
end

 

IPv6 firewall addresses

 

Scenario: Mail Server

You need to create an IPv6 address for the Mail Server on Port1 of your internal network. This server is on the network off port1.

  • The IP address is 2001:db8:0:2::20/64
  • There should be a tag for this address being for a server.

1. Go to Policy & Objects > Addresses and select Create New > Address.

2. Select IPv6 Address and fill out the fields with the following information

Name                 Mail_Server
Type                 Subnet
Subnet / IP Range    2001:db8:0:2::20/64

3. Select OK.

4. Enter the following CLI command:

config firewall address6
    edit Mail_Server
        set type ipmask
        set subnet 2001:db8:0:2::20/64
        set associated-interface port1
    next
end

 

Scenario: First Floor Network

You need to create an IPv6 address for the subnet of the internal network off Port1. These computers connect to port1. The network uses the IPv6 addresses: fdde:5a7d:f40b:2e9d:xxxx:xxxx:xxxx:xxxx

There should be a reference to this being the network for the 1st floor of the building.

1. Go to Policy & Objects > Addresses.

2. Select Create New > Address. Select IPv6 Address and fill out the fields with the following information:

Name                 Internal_Subnet_1
Type                 Subnet / IP Range
Subnet / IP Range    2001:db8:0:2::/64
Comments             Network for 1st Floor

3. Select OK.

4. Enter the following CLI command:

config firewall address6
    edit Internal_Subnet_1
        set comment "Network for 1st Floor"
        set subnet 2001:db8:0:2::/64
    next
end

 

To verify that the addresses were added correctly:

1. Go to Policy & Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.

2. Enter the following CLI command:

config firewall address6
    edit <the name of the address that you wish to verify>
        show full-configuration

 

 

ICMPv6

The IT Manager is doing some diagnostics and would like to temporarily block the successful replies of ICMP Node Information Responses between 2 IPv6 networks.

The ICMP type for ICMP Node Information responses is 140. The code for a successful response is 0.

 

To configure ICMPv6 – web-based manager:

1. Go to Policy & Objects > Services and select Create New > Service.

2. Fill out the fields with the following information

Name                    diagnostic-test1
Service Type            Firewall
Show in Service List    Enabled
Category                Uncategorized
Protocol Type           ICMP6
Type                    140

3. Select OK.

4. Enter the following CLI command:

config firewall service custom
    edit diagnostic-test1
        set protocol ICMP6
        set icmptype 140
        set icmpcode 0
        set visibility enable
    next
end

 

To verify that the service was added correctly:

1. Go to Policy & Objects > Services. Check that the services have been added to the services list and that they are correct.

2. Enter the following CLI command:

config firewall service custom
    edit <the name of the service that you wish to verify>
        show full-configuration
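The following added example (not FortiOS code) models the IPv6 objects configured in the address range, firewall address and ICMPv6 sections above (address6 of type ipmask and iprange, addrgrp6, and the diagnostic-test1 ICMP6 service with type 140 code 0) and shows how a policy6 list built from them would match packets. The Web_Server-1..3 host addresses, the second diagnostic network and the policy list are constructed; the other object names and values are the ones from this section.

```python
"""Model of IPv6 firewall address, address group and ICMP6 service objects
and of first-match policy6 lookup with an implicit deny at the end."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Address6:
    """firewall address6: type ipmask (subnet) or iprange (start_ip/end_ip)."""
    name: str
    subnet: Optional[str] = None
    start_ip: Optional[str] = None
    end_ip: Optional[str] = None

    def contains(self, ip: IPv6Address) -> bool:
        if self.subnet is not None:
            # The mask is applied: 2001:db8:0:2::20/64 covers the whole
            # 2001:db8:0:2::/64, not only the mail server. Use /128 for a host.
            return ip in IPv6Network(self.subnet, strict=False)
        return IPv6Address(self.start_ip) <= ip <= IPv6Address(self.end_ip)


@dataclass(frozen=True)
class AddrGrp6:
    """firewall addrgrp6: matches if any member matches."""
    name: str
    members: tuple

    def contains(self, ip: IPv6Address) -> bool:
        return any(m.contains(ip) for m in self.members)


@dataclass(frozen=True)
class Packet6:
    src: str
    dst: str
    protocol: str                  # "ICMP6" or "TCP"
    icmptype: Optional[int] = None
    icmpcode: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Service:
    """firewall service custom: ICMP6 type/code or TCP destination ports."""
    name: str
    protocol: str                  # "ICMP6", "TCP" or "ALL"
    icmptype: Optional[int] = None
    icmpcode: Optional[int] = None
    dports: frozenset = frozenset()

    def matches(self, pkt: Packet6) -> bool:
        if self.protocol == "ALL":
            return True
        if pkt.protocol != self.protocol:
            return False
        if self.protocol == "ICMP6":
            return ((self.icmptype is None or pkt.icmptype == self.icmptype)
                    and (self.icmpcode is None or pkt.icmpcode == self.icmpcode))
        return pkt.dport in self.dports


@dataclass(frozen=True)
class Policy6:
    pid: int
    srcaddr: object
    dstaddr: object
    service: Service
    action: str                    # "accept" or "deny"

    def matches(self, pkt: Packet6) -> bool:
        return (self.srcaddr.contains(IPv6Address(pkt.src))
                and self.dstaddr.contains(IPv6Address(pkt.dst))
                and self.service.matches(pkt))


def lookup(policies: List[Policy6], pkt: Packet6) -> Tuple[str, Optional[int]]:
    """First matching policy decides; no match is the implicit deny."""
    for pol in policies:
        if pol.matches(pkt):
            return pol.action, pol.pid
    return "deny", None


# Objects from this section (Web_Server-1..3 host addresses are constructed).
ALL6 = Address6("all6", subnet="::/0")
WEB_SERVERS = AddrGrp6("Web_Server_Cluster", tuple(
    Address6(f"Web_Server-{i}", subnet=f"2001:db8:0:2::1{i}/128") for i in (1, 2, 3)))
IPV6RANGE = Address6("ipv6range", start_ip="2001:db8:0:2::30", end_ip="2001:db8:0:2::31")
MAIL_SERVER = Address6("Mail_Server", subnet="2001:db8:0:2::20/64")
INTERNAL_1 = Address6("Internal_Subnet_1", subnet="2001:db8:0:2::/64")
DIAG_NET = Address6("Diag_Net", subnet="2001:db8:0:3::/64")     # constructed second network
DIAG_TEST1 = Service("diagnostic-test1", "ICMP6", icmptype=140, icmpcode=0)
SMTP = Service("SMTP", "TCP", dports=frozenset({25}))
ALL = Service("ALL", "ALL")

# Constructed policy list: the temporary block first, then what is allowed.
POLICIES = [
    Policy6(1, INTERNAL_1, DIAG_NET, DIAG_TEST1, "deny"),
    Policy6(2, ALL6, MAIL_SERVER, SMTP, "accept"),
    Policy6(3, INTERNAL_1, DIAG_NET, ALL, "accept"),
]

if __name__ == "__main__":
    print(lookup(POLICIES, Packet6("2001:db8:0:2::20", "2001:db8:0:3::5", "ICMP6", 140, 0)))
```

Note that the SMTP policy also accepts mail to any other host in 2001:db8:0:2::/64, because the Mail_Server object is defined with a /64 mask rather than /128.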

 

IPv6 IPsec VPN

This chapter describes how to configure your FortiGate unit’s IPv6 IPsec VPN functionality.

By default IPv6 configurations do not appear in the web-based manager. You need to enable the feature first.

 

To enable IPv6:

1. Go to System > Features.

2. Select IPv6 and click Apply.

 

The topics in this section include:

  • Overview of IPv6 IPsec support
  • Configuring IPv6 IPsec VPNs
  • Site-to-site IPv6 over IPv6 VPN example
  • Site-to-site IPv4 over IPv6 VPN example
  • Site-to-site IPv6 over IPv4 VPN example

 

Overview of IPv6 IPsec support

FortiOS supports route-based IPv6 IPsec, but not policy-based. This section describes how IPv6 IPsec support differs from IPv4 IPsec support.

Where both the gateways and the protected networks use IPv6 addresses, sometimes called IPv6 over IPv6, you can create either an auto-keyed or manually-keyed VPN. You can also combine IPv6 and IPv4 addressing in an auto-keyed VPN in the following ways:

 

IPv4 over IPv6    The VPN gateways have IPv6 addresses. The protected networks have IPv4 addresses. The phase 2 configurations at either end use IPv4 selectors.

IPv6 over IPv4    The VPN gateways have IPv4 addresses. The protected networks use IPv6 addresses. The phase 2 configurations at either end use IPv6 selectors.

Compared with IPv4 IPsec VPN functionality, there are some limitations:

  • Except for IPv6 over IPv4, remote gateways with Dynamic DNS are not supported.
  • Selectors cannot be firewall address names. Only IP address, address range and subnet are supported.
  • Redundant IPv6 tunnels are not supported.

 

Certificates

On a VPN with IPv6 phase 1 configuration, you can authenticate using VPN certificates in which the common name (cn) is an IPv6 address. The cn-type keyword of the user peer command has an option, ipv6, to support this.

 

Configuring IPv6 IPsec VPNs

Configuration of an IPv6 IPsec VPN follows the same sequence as for an IPv4 route-based VPN: phase 1 settings, phase 2 settings, security policies, and routing.

 

Phase 1 configuration

In the web-based manager, you define the Phase 1 as IPv6 in the Advanced settings. Enable the IPv6 Version check box. You can then enter an IPv6 address for the remote gateway.

In the CLI, you define an IPsec phase 1 configuration as IPv6 by setting ip-version to 6. Its default value is 4. Then, the local-gw and remote-gw keywords are hidden and the corresponding local-gw6 and remote-gw6 keywords are available. The values for local-gw6 and remote-gw6 must be IPv6 addresses. For example:

config vpn ipsec phase1-interface
    edit tunnel6
        set ip-version 6
        set remote-gw6 0:123:4567::1234
        set interface port3
        set proposal 3des-md5
    next
end

 

Phase 2 configuration

To create an IPv6 IPsec phase 2 configuration in the web-based manager, you need to define IPv6 selectors in the Advanced settings. Change the default “0.0.0.0/0” address for Source address and Destination address to the IPv6 value “::/0”. If needed, enter specific IPv6 addresses, address ranges or subnet addresses in these fields.

In the CLI, set src-addr-type and dst-addr-type to ip6, range6 or subnet6 to specify IPv6 selectors. By default, zero selectors are entered, “::/0” for the subnet6 address type, for example. The simplest IPv6 phase 2 configuration looks like this:

config vpn ipsec phase2-interface
    edit tunnel6_p2
        set phase1name tunnel6
        set proposal 3des-md5
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

Security policies

To complete the VPN configuration, you need a security policy in each direction to permit traffic between the protected network’s port and the IPsec interface. You need IPv6 policies unless the VPN is IPv4 over IPv6.

 

Routing

Appropriate routing is needed for both the IPsec packets and the encapsulated traffic within them. You need a route, which could be the default route, to the remote VPN gateway via the appropriate interface. You also need a route to the remote protected network via the IPsec interface.

 

To create a static route – web-based manager:

1. Go to Network > Static Routes.

2. Select the drop-down arrow on the Create New button and select IPv6 Route.

3. Enter the information and select OK.

 

To create a static route – CLI:

1. In the CLI, use the router static6 command. For example, where the remote network is fec0:0000:0000:0004::/64 and the IPsec interface is toB:

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end

If the VPN is IPv4 over IPv6, the route to the remote protected network is an IPv4 route. If the VPN is IPv6 over IPv4, the route to the remote VPN gateway is an IPv4 route.

 

Site-to-site IPv6 over IPv6 VPN example

In this example, computers on IPv6-addressed private networks communicate securely over public IPv6 infrastructure.

 

Example IPv6-over-IPv6 VPN topology

 

Configure FortiGate A interfaces

Port 2 connects to the public network and port 3 connects to the local network.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0000:209:0fff:fe83:25f3/64
        end
    next
end

 

Configure FortiGate A IPsec settings

The phase 1 configuration creates a virtual IPsec interface on port 2 and sets the remote gateway to the public IP address of FortiGate B. This configuration is the same as for an IPv4 route-based VPN, except that ip-version is set to 6 and the remote-gw6 keyword is used to specify an IPv6 remote gateway address.

config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

By default, phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4 and ::/0 for IPv6.

 

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. The address all6 must be defined using the firewall address6 command as ::/0.

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB. A default route sends all IPv6 traffic out on port2.

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. Security policies enable traffic to pass between the private network and the IPsec interface. Routing ensures traffic for the private network behind FortiGate A goes through the VPN and that all IPv6 packets are routed to the public network.

 

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        config ipv6
            set ip6-address fec0::0004:209:0fff:fe83:2569/64
        end
    next
end

config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
    edit 2
        set device toA
        set dst fec0:0000:0000:0000::/64
    next
end

 

Site-to-site IPv4 over IPv6 VPN example

In this example, two private networks with IPv4 addressing communicate securely over IPv6 infrastructure.

 

Configure FortiGate A interfaces

Port 2 connects to the IPv6 public network and port 3 connects to the IPv4 LAN.

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f2/64
        end
    next
    edit port3
        set ip 192.168.2.1/24
    next
end

 

Configure FortiGate A IPsec settings

The phase 1 configuration is the same as in the IPv6 over IPv6 example.

 

config vpn ipsec phase1-interface
    edit toB
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0003:209:0fff:fe83:25c7
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

The phase 2 configuration is the same as you would use for an IPv4 VPN. By default, phase 2 selectors are set to accept all subnet addresses for source and destination.

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

 

Configure FortiGate A security policies

Security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. These are IPv4 security policies.

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv4 static route. A default route sends all IPv6 traffic, including the IPv6 IPsec packets, out on port2.

 

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end
config router static
    edit 1
        set device toB
        set dst 192.168.3.0/24
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the public IP address of FortiGate A. The IPsec phase 2 configuration has IPv4 selectors.

IPv4 security policies enable traffic to pass between the private network and the IPsec interface. An IPv4 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv6 static route ensures that all IPv6 packets are routed to the public network.

 

config system interface
    edit port2
        config ipv6
            set ip6-address fec0::0003:209:0fff:fe83:25c7/64
        end
    next
    edit port3
        set ip 192.168.3.1/24
    next
end

config vpn ipsec phase1-interface
    edit toA
        set ip-version 6
        set interface port2
        set remote-gw6 fec0:0000:0000:0001:209:0fff:fe83:25f2
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
    next
end

config firewall policy
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all
        set dstaddr all
        set action accept
        set service ANY
        set schedule always
    next
end

config router static6
    edit 1
        set device port2
        set dst 0::/0
    next
end
config router static
    edit 1
        set device toA
        set dst 192.168.2.0/24
    next
end

 

Site-to-site IPv6 over IPv4 VPN example

In this example, IPv6-addressed private networks communicate securely over IPv4 public infrastructure.

 

Configure FortiGate A interfaces

Port 2 connects to the IPv4 public network and port 3 connects to the IPv6 LAN.

 

config system interface
    edit port2
        set ip 10.0.0.1/24
    next
    edit port3
        config ipv6
            set ip6-address fec0::0001:209:0fff:fe83:25f3/64
        end
    next
end

 

Configure FortiGate A IPsec settings

The phase 1 configuration uses IPv4 addressing.

 

config vpn ipsec phase1-interface
    edit toB
        set interface port2
        set remote-gw 10.0.1.1
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

 

The phase 2 configuration uses IPv6 selectors. By default, phase 2 selectors are set to accept all subnet addresses for source and destination. The default setting for src-addr-type and dst-addr-type is subnet. The IPv6 equivalent is subnet6. The default subnet addresses are 0.0.0.0/0 for IPv4, ::/0 for IPv6.

 

config vpn ipsec phase2-interface
    edit toB2
        set phase1name toB
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

 

Configure FortiGate A security policies

IPv6 security policies are required to allow traffic between port3 and the IPsec interface toB in each direction. Define the address all6 using the firewall address6 command as ::/0.

 

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toB
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toB
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

 

Configure FortiGate A routing

This simple example requires just two static routes. Traffic to the protected network behind FortiGate B is routed via the virtual IPsec interface toB using an IPv6 static route. A default route sends all IPv4 traffic, including the IPv4 IPsec packets, out on port2.

 

config router static6
    edit 1
        set device toB
        set dst fec0:0000:0000:0004::/64
    next
end
config router static
    edit 1
        set device port2
        set dst 0.0.0.0/0
        set gateway 10.0.0.254
    next
end

 

Configure FortiGate B

The configuration of FortiGate B is very similar to that of FortiGate A. A virtual IPsec interface toA is configured on port2 and its remote gateway is the IPv4 public IP address of FortiGate A. The IPsec phase 2 configuration has IPv6 selectors.

IPv6 security policies enable traffic to pass between the private network and the IPsec interface. An IPv6 static route ensures traffic for the private network behind FortiGate A goes through the VPN and an IPv4 static route ensures that all IPv4 packets are routed to the public network.

 

config system interface
    edit port2
        set ip 10.0.1.1/24
    next
    edit port3
        config ipv6
            set ip6-address fec0::0004:209:0fff:fe83:2569/64
        end
    next
end

config vpn ipsec phase1-interface
    edit toA
        set interface port2
        set remote-gw 10.0.0.1
        set dpd enable
        set psksecret maryhadalittlelamb
        set proposal 3des-md5 3des-sha1
    next
end

config vpn ipsec phase2-interface
    edit toA2
        set phase1name toA
        set proposal 3des-md5 3des-sha1
        set pfs enable
        set replay enable
        set src-addr-type subnet6
        set dst-addr-type subnet6
    next
end

config firewall policy6
    edit 1
        set srcintf port3
        set dstintf toA
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
    edit 2
        set srcintf toA
        set dstintf port3
        set srcaddr all6
        set dstaddr all6
        set action accept
        set service ANY
        set schedule always
    next
end

config router static6
    edit 1
        set device toA
        set dst fec0:0000:0000:0000::/64
    next
end
config router static
    edit 1
        set device port2
        set gateway 10.0.1.254
    next
end

 

 

TCP MSS values

TCP MSS values, which control the maximum amount of data that can be sent in a single packet, can be set for IPv6 policies (for both the sender and the receiver). You can configure TCP MSS values in IPv6 using the following CLI commands:

 

config firewall policy6
    edit <index_int>
        set tcp-mss-sender <value>
        set tcp-mss-receiver <value>
    next
end

 

 

BGP and IPv6

FortiGate units support IPv6 over BGP using the same config router bgp command as IPv4, but different subcommands.

The main CLI keywords have IPv6 equivalents that are identified by the “6” on the end of the keyword, such as with config network6 or set allowas-in6.

 

IPv6 BGP commands include:

config router bgp
    set activate6 {enable | disable}
    set allowas-in6 <max_num_AS_integer>
    set allowas-in-enable6 {enable | disable}
    set as-override6 {enable | disable}
    set attribute-unchanged6 [as-path] [med] [next-hop]
    set capability-default-originate6 {enable | disable}
    set capability-graceful-restart6 {enable | disable}
    set default-originate-route-map6 <routemap_str>
    set distribute-list-in6 <access-list-name_str>
    set distribute-list-out6 <access-list-name_str>
    set filter-list-in6 <aspath-list-name_str>
    set filter-list-out6 <aspath-list-name_str>
    set maximum-prefix6 <prefix_integer>
    set maximum-prefix-threshold6 <percentage_integer>
    set maximum-prefix-warning-only6 {enable | disable}
    set next-hop-self6 {enable | disable}
    set prefix-list-in6 <prefix-list-name_str>
    set prefix-list-out6 <prefix-list-name_str>
    set remove-private-as6 {enable | disable}
    set route-map-in6 <routemap-name_str>
    set route-map-out6 <routemap-name_str>
    set route-reflector-client6 {enable | disable}
    set route-server-client6 {enable | disable}
    set send-community6 {both | disable | extended | standard}
    set soft-reconfiguration6 {enable | disable}
    set unsuppress-map6 <route-map-name_str>
    config network6
    config redistribute6
end

 

 

RIPng — RIP and IPv6

RIP next generation, or RIPng, is the version of RIP that supports IPv6.

This is an example of a typical small network configuration using RIPng routing.

Your internal R&D network is working on a project for a large international telecom company that uses IPv6. For this reason, you have to run IPv6 on your internal network and you have decided to use only IPv6 addresses.

Your network has two FortiGate units running the RIPng dynamic routing protocol. Both FortiGate units are connected to the ISP router and the internal network. This configuration provides some redundancy for the R&D internal network enabling it to reach the internet at all times.

 

This section includes the following topics:

  • Network layout and assumptions
  • Configuring the FortiGate units system information
  • Configuring RIPng on FortiGate units
  • Configuring other network devices
  • Testing the configuration
  • Debugging IPv6 on RIPng

Network layout and assumptions

 

Basic network layout

All internal computers use RIP routing, so no static routing is required. And all internal computers use IPv6 addresses.

Where possible, this example uses default values or the most general settings, to keep the configuration simple and easier to troubleshoot.

In this example the routers, networks, interfaces used, and IP addresses are as follows:

 

Network   Router    Interface & Alias   IPv6 address
R&D       Router1   port1 (internal)    2002:A0B:6565:0:0:0:0:0
                    port2 (ISP)         2002:AC14:7865:0:0:0:0:0
          Router2   port1 (internal)    2002:A0B:6566:0:0:0:0:0
                    port2 (ISP)         2002:AC14:7866:0:0:0:0:0

Figure: Network topology for the IPv6 RIPng example

 

Assumptions

The following assumptions have been made concerning this example:

  • All FortiGate units have 5.0+ firmware, and are running factory default settings.
  • All CLI and web-based manager navigation assumes the unit is running in NAT/Route operating mode, with VDOMs disabled.
  • All FortiGate units have interfaces labelled port1 and port2 as required.
  • All firewalls have been configured for each FortiGate unit to allow the required traffic to flow across interfaces.
  • All network devices support IPv6 and are running RIPng.

 

Configuring the FortiGate units system information

Each FortiGate unit needs IPv6 enabled, a new hostname, and interfaces configured.

 

To configure system information on Router1 – web-based manager:

1. Go to Dashboard.

2. For Host name, select Change.

3. Enter “Router1”.

4. Go to System > Feature Select.

5. Enable IPv6 and click Apply.

6. Go to Network > Interfaces.

7. Edit port1 (internal) interface.

8. Set the following information, and select OK.

Alias                                           internal

IP/Netmask                                 2002:A0B:6565::/0

Administrative Access             HTTPS SSH PING

Description                                Internal RnD network

Administrative Status               Up

9. Edit port2 (ISP) interface.

10. Set the following information, and select OK.

Alias                                           ISP

IP/Netmask                                 2002:AC14:7865::/0

Administrative Access             HTTPS SSH PING

Description                                ISP and internet

Administrative Status               Up

 

To configure system information on Router1 – CLI:

config system global
    set hostname Router1
    set gui-ipv6 enable
end
config system interface
    edit port1
        set alias internal
        set allowaccess https ping ssh
        set description "Internal RnD network"
        config ipv6
            set ip6-address 2002:a0b:6565::/0
        end
    next
    edit port2
        set alias ISP
        set allowaccess https ping ssh
        set description "ISP and internet"
        config ipv6
            set ip6-address 2002:AC14:7865::
        end
    next
end

 

To configure system information on Router2 – web-based manager:

1. Go to Dashboard.

2. For Host name, select Change.

3. Enter “Router2”.

4. Go to System > Feature Select.

5. Enable IPv6 and click Apply.

6. Go to Network > Interfaces.

7. Edit port1 (internal) interface.

8. Set the following information, and select OK.

Alias                                           internal

IP/Netmask                                 2002:A0B:6566::/0

Administrative Access             HTTPS SSH PING

Description                                Internal RnD network

Administrative Status               Up

9. Edit port2 (ISP) interface.

10. Set the following information, and select OK.

Alias                                           ISP

IP/Netmask                                 2002:AC14:7866::/0

Administrative Access             HTTPS SSH PING

Description                                ISP and internet

Administrative Status               Up

 

To configure system information on Router2 – CLI:

config system global
    set hostname Router2
    set gui-ipv6 enable
end
config system interface
    edit port1
        set alias internal
        set allowaccess https ping ssh
        set description "Internal RnD network"
        config ipv6
            set ip6-address 2002:a0b:6566::/0
        end
    next
    edit port2
        set alias ISP
        set allowaccess https ping ssh
        set description "ISP and internet"
        config ipv6
            set ip6-address 2002:AC14:7866::
        end
    next
end

 

Configuring RIPng on FortiGate units

Now that the interfaces are configured, you can configure RIPng on the FortiGate units.

There are only two networks and two interfaces to include — the internal network, and the ISP network. There is no redistribution, and no authentication. In RIPng there is no specific command to include a subnet in the RIP broadcasts. There is also no information required for the interfaces beyond including their name.

As this is a CLI-only configuration, the ISP router and the other FortiGate unit are configured as neighbors. This was not part of the previous example because the feature is not offered in the web-based manager. Declaring neighbors in the configuration like this reduces the discovery traffic when the routers start up.

Since RIPng is not supported in the web-based manager, this section will only be entered in the CLI.

 

To configure RIPng on Router1 – CLI:

config router ripng
    config interface
        edit port1
        next
        edit port2
        next
    end
    config neighbor
        edit 1
            set interface port1
            set ipv6 2002:a0b:6566::/0
        next
        edit 2
            set interface port2
            set ipv6 2002:AC14:7805::/0
        next
    end
end

 

To configure RIPng on Router2 – CLI:

config router ripng
    config interface
        edit port1
        next
        edit port2
        next
    end
    config neighbor
        edit 1
            set interface port1
            set ipv6 2002:a0b:6565::/0
        next
        edit 2
            set interface port2
            set ipv6 2002:AC14:7805::/0
        next
    end
end

 

Configuring other network devices

The other devices on the internal network all support IPv6, and are running RIPng where applicable. They only need to know the internal interface network addresses of the FortiGate units.

The ISP routers need to know the FortiGate unit information such as IPv6 addresses.

 

Testing the configuration

In addition to normal testing of your network configuration, you must also test the IPv6 part of this example. For troubleshooting problems with your network, see the FortiOS Handbook Troubleshooting chapter.

 

Testing the IPv6 RIPng information

The following commands are useful for checking that the RIPng information on your FortiGate units is correct. Comparing the output between devices will help you understand your network better and track down any problems.

diagnose ipv6 address list

View the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate unit.

 

diagnose ipv6 route list

View the IPv6 routes that are installed in the routing table.

 

get router info6 routing-table

View the routing table. This information is almost the same as that of the previous command (diagnose ipv6 route list), but it is presented in an easier-to-read format.

 

get router info6 rip interface external

View brief output on the RIP information for the interface listed. The information includes if the interface is up or down, what routing protocol is being used, and whether passive interface or split horizon are enabled.

get router info6 neighbor-cache list

View the IPv6/MAC address mapping. This also displays the interface index and name associated with the address.

 

Debugging IPv6 on RIPng

The debug commands are very useful to see what is happening on the network at the packet level. There are a few changes to debugging the packet flow when debugging IPv6.

The following CLI commands specify both IPv6 and RIP, so only RIPng packets will be reported. The output from these commands will show you the RIPng traffic on your FortiGate unit including RECV, SEND, and UPDATE actions.

The addresses are in IPv6 format.

diagnose debug enable
diagnose ipv6 router rip level info
diagnose ipv6 router rip all enable

These three commands will:

  • Turn on debugging in general
  • Set the debug level to information, a verbose reporting level
  • Turn on all RIP router settings

Part of the information displayed from the debugging is the metric (hop count). If the metric is 16, then that destination is unreachable since the maximum hop count is 15.

In general, you should see an update announcement, followed by the routing table being sent out, and a received reply in response.

 

IPv6 RSSO support

RADIUS Single Sign-On (RSSO) is supported in IPv6, but can only be configured in the CLI:

config firewall policy6
    edit <id>
        set rsso enable
        set fall-through-unauthenticated enable
    next
end

 

IPv6 IPS

IPv6 IPS signature scanning can be enabled by interface policy: create a normal IPS sensor and assign it to the IPv6 interface policy.

 

config firewall interface-policy6
    edit 1
        set interface "port1"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "ANY"
        set ips-sensor-status enable
        set ips-sensor "all_default"
    next
end

 

Blocking IPv6 packets by extension headers

FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax:

config firewall ipv6-eh-filter

The following commands are now available:

  • set hop-opt {disable | enable}: Block packets with Hop-by-Hop Options header.
  • set dest-opt {disable | enable}: Block packets with Destination Options header.
  • set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255).
  • set routing {disable | enable}: Block packets with Routing header.
  • set routing-type <integer>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
  • set fragment {disable | enable}: Block packets with Fragment header.
  • set auth {disable | enable}: Block packets with Authentication header.
  • set no-next {disable | enable}: Block packets with No Next header.
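To see what these settings act on, here is an added example in Python (not Fortinet code) that walks the extension-header chain of a raw IPv6 packet and applies a filter dictionary keyed like the settings above. The sample packet is constructed inline: a Hop-by-Hop header carrying a Router Alert option (type 5) and padding, then a Fragment header; the addresses are borrowed from this page's VPN examples.

```python
"""Emulate the 'config firewall ipv6-eh-filter' decision on a raw IPv6 packet.

Added example, not FortiOS code. It walks the next-header chain after the
40-byte fixed header, then applies a dict whose keys mirror the CLI settings
(hop-opt, dest-opt, hdopt-type, routing, routing-type, fragment, auth, no-next).
"""
import ipaddress
import struct

# IANA protocol numbers of the extension headers the filter can act on.
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, NO_NEXT, DEST_OPTS = 0, 43, 44, 51, 59, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, NO_NEXT, DEST_OPTS}


def option_types(data: bytes) -> list:
    """Option type values in a Hop-by-Hop or Destination Options body.
    Options are TLV encoded; Pad1 (type 0) is one byte with no length field."""
    types, i = [], 0
    while i < len(data):
        t = data[i]
        types.append(t)
        i += 1 if t == 0 else 2 + data[i + 1]
    return types


def walk_extension_headers(pkt: bytes) -> list:
    """Return [(header_number, detail), ...] for each extension header present.
    detail: option types (Hop-by-Hop / Dest Options), routing type (Routing), else None."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, found = pkt[6], 40, []
    while nxt in EXT_HEADERS:
        if nxt == NO_NEXT:                      # nothing follows; the chain ends here
            found.append((nxt, None))
            break
        if nxt == FRAGMENT:
            hdr_len = 8                         # fixed size, no length field
            found.append((nxt, None))
        elif nxt == AUTH:
            hdr_len = (pkt[off + 1] + 2) * 4    # AH length is in 32-bit words, minus 2
            found.append((nxt, None))
        elif nxt == ROUTING:
            hdr_len = (pkt[off + 1] + 1) * 8
            found.append((nxt, pkt[off + 2]))   # routing type field
        else:                                   # Hop-by-Hop or Destination Options
            hdr_len = (pkt[off + 1] + 1) * 8
            found.append((nxt, option_types(pkt[off + 2:off + hdr_len])))
        nxt, off = pkt[off], off + hdr_len      # next-header byte is always first
    return found


def eh_filter_verdict(pkt: bytes, cfg: dict) -> tuple:
    """Apply ipv6-eh-filter style settings; returns (blocked, matching_setting)."""
    hd_types = set(cfg.get("hdopt-type", ()))
    rt_types = set(cfg.get("routing-type", ()))
    if len(hd_types) > 7 or len(rt_types) > 7:   # the CLI accepts at most 7 types each
        raise ValueError("at most 7 option/routing types may be listed")
    for hdr, detail in walk_extension_headers(pkt):
        if hdr == HOP_BY_HOP and cfg.get("hop-opt") == "enable":
            return True, "hop-opt"
        if hdr == DEST_OPTS and cfg.get("dest-opt") == "enable":
            return True, "dest-opt"
        if hdr in (HOP_BY_HOP, DEST_OPTS) and hd_types & set(detail):
            return True, "hdopt-type"
        if hdr == ROUTING and cfg.get("routing") == "enable":
            return True, "routing"
        if hdr == ROUTING and detail in rt_types:
            return True, "routing-type"
        if hdr == FRAGMENT and cfg.get("fragment") == "enable":
            return True, "fragment"
        if hdr == AUTH and cfg.get("auth") == "enable":
            return True, "auth"
        if hdr == NO_NEXT and cfg.get("no-next") == "enable":
            return True, "no-next"
    return False, ""


def build_sample_packet() -> bytes:
    """Constructed sample: IPv6 -> Hop-by-Hop (Router Alert + PadN) -> Fragment -> TCP stub."""
    hop_by_hop = bytes([FRAGMENT, 0, 5, 2, 0, 0, 1, 0])   # next=Fragment; options: type 5, PadN
    fragment = bytes([6, 0, 0, 0, 0, 0, 0, 1])            # next=TCP, offset 0, identification 1
    tcp_stub = b"\x00" * 20
    payload = hop_by_hop + fragment + tcp_stub
    src = ipaddress.IPv6Address("fec0::1:209:fff:fe83:25f3").packed   # from the page's examples
    dst = ipaddress.IPv6Address("fec0::4:209:fff:fe83:2569").packed
    fixed = struct.pack("!IHBB16s16s", 0x60000000, len(payload), HOP_BY_HOP, 64, src, dst)
    return fixed + payload


if __name__ == "__main__":
    pkt = build_sample_packet()
    print(walk_extension_headers(pkt))                        # [(0, [5, 1]), (44, None)]
    print(eh_filter_verdict(pkt, {"fragment": "enable"}))     # (True, 'fragment')
    print(eh_filter_verdict(pkt, {"hdopt-type": [5]}))        # (True, 'hdopt-type')
```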

 

IPv6 Denial of Service policies

Denial of Service (DoS) policies can now be configured by going to Policy & Objects > IPv6 DoS Policy. For more information, refer to the “Interface Policies” section of the FortiOS Handbook Firewall chapter.

Configure hosts in an SNMP v1/2c community to send queries or receive traps

When you add a host to an SNMP v1/2c community you can now decide whether the FortiGate unit will accept queries from the host or whether the FortiGate unit will send traps to the host. You can also configure the host for both traps and queries. You can add up to 16 IPv4 hosts and up to 16 IPv6 hosts.

Use the following command to add two hosts to an SNMP community:

config system snmp community
    edit 1
        config hosts
            edit 1
                set interface port1
                set ip 172.20.120.1
                set host-type query
            next
        end
        config hosts6
            edit 1
                set interface port6
                set ip 2001:db8:0:2::30
                set host-type trap
            next
        end
    next
end

 

 

IPv6 PIM sparse mode multicast routing

FortiOS supports PIM sparse mode multicast routing for IPv6 multicast (multicast6) traffic and is compliant with RFC 4601. You can use the following command to configure IPv6 PIM sparse multicast routing.

config router multicast6
    set multicast-routing {enable | disable}
    config interface
        edit <interface-name>
            set hello-interval <1-65535 seconds>
            set hello-holdtime <1-65535 seconds>
        next
    end
    config pim-sm-global
        config rp-address
            edit <index>
                set ipv6-address <ipv6-address>
            next
        end
    end
end

 

The following diagnose commands for IPv6 PIM sparse mode are also available:

diagnose ipv6 multicast status
diagnose ipv6 multicast vif
diagnose ipv6 multicast mroute


New Fortinet FortiGate IPv6 MIB fields

The following IPv6 MIB fields have been added to the Fortinet FortiGate MIB. These MIB entries can be used to display IPv6 session and policy statistics.

 

  • IPv6 Session Counters: fgSysSes6Count, fgSysSes6Rate1, fgSysSes6Rate10, fgSysSes6Rate30, fgSysSes6Rate60
  • IPv6 Policy Statistics: fgFwPol6StatsTable, fgFwPol6StatsEntry, FgFwPol6StatsEntry, fgFwPol6ID, fgFwPol6PktCount, fgFwPol6ByteCount
  • IPv6 Session Statistics: fgIp6SessStatsTable, fgIp6SessStatsEntry, FgIp6SessStatsEntry, fgIp6SessNumber

The fgSysSesCount and fgSysSesRateX MIBs report statistics for IPv4 plus IPv6 sessions combined. This behavior was not changed.

 

New OIDs

The following OIDs have been added:

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo
  .fgSysSes6Count   1.3.6.1.4.1.12356.101.4.1.15
  .fgSysSes6Rate1   1.3.6.1.4.1.12356.101.4.1.16
  .fgSysSes6Rate10  1.3.6.1.4.1.12356.101.4.1.17
  .fgSysSes6Rate30  1.3.6.1.4.1.12356.101.4.1.18
  .fgSysSes6Rate60  1.3.6.1.4.1.12356.101.4.1.19

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables
  .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ID         1.3.6.1.4.1.12356.101.5.1.2.2.1.1
  .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6PktCount   1.3.6.1.4.1.12356.101.5.1.2.2.1.2
  .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ByteCount  1.3.6.1.4.1.12356.101.5.1.2.2.1.3

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables
  .fgIp6SessStatsTable.fgIp6SessStatsEntry.fgIp6SessNumber  1.3.6.1.4.1.12356.101.11.2.3.1.1

 

EXAMPLE SNMP get/walk output

// Session6 stats excerpt from sysinfo:

snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.4

FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203

FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second

FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second

 

// FwPolicy6 table:

snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.5.1.2.2

FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3

FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4

FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329

FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0

FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776

FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0

 

// IP6SessNumber:

snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.11.2.3.1

FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
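As an added example (not Fortinet code) of consuming this output from a monitoring job, the following Python parses snmpwalk lines like those above into a structure, flags IPv6 policies whose packet counter is zero, and compares the 1-second and 60-second session rates. The sample text is constructed from the values shown on this page; reading the first index of fgFwPol6StatsTable as the VDOM index is an assumption (the page only shows that the second index equals fgFwPol6ID).

```python
"""Parse FortiGate snmpwalk output for the IPv6 MIB objects shown above.

Added example, not Fortinet code. Assumption: in fgFwPol6StatsTable the first
index is the VDOM index and the second the policy ID (the page's output shows
fgFwPol6ID.1.3 = 3, which fixes the second index; the first is assumed).
"""
import re

# One regex for every value line: <object>.<index> = <type>: <number>[ units]
LINE_RE = re.compile(
    r"^FORTINET-FORTIGATE-MIB::(?P<obj>\w+)\.(?P<idx>[\d.]+)\s*=\s*"
    r"(?P<type>\w+):\s*(?P<val>\d+)"
)

# Constructed from the page's example output (only the lines that carry values).
SAMPLE_WALK = """
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
"""


def parse_walk(text: str) -> dict:
    """Return {"sessions": {obj: n}, "policies": {(vdom, id): {...}}, "vdom_sessions": {vdom: n}}."""
    out = {"sessions": {}, "policies": {}, "vdom_sessions": {}}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                              # blank or non-value line
        obj, idx, val = m["obj"], m["idx"], int(m["val"])
        if obj.startswith("fgSysSes6"):           # scalar counters, index is always .0
            out["sessions"][obj] = val
        elif obj.startswith("fgFwPol6"):
            vdom, pol = (int(x) for x in idx.split("."))   # assumed (vdom, policy id)
            entry = out["policies"].setdefault((vdom, pol), {})
            entry[obj[len("fgFwPol6"):]] = val    # keys: ID, PktCount, ByteCount
        elif obj == "fgIp6SessNumber":
            out["vdom_sessions"][int(idx)] = val
    return out


def idle_policies(stats: dict) -> list:
    """IPv6 policy IDs that have matched no packets: review candidates for cleanup."""
    return sorted(pol for (vdom, pol), e in stats["policies"].items()
                  if e.get("PktCount", 0) == 0)


def session_rate_rising(stats: dict) -> bool:
    """True when the 1-second new-session rate exceeds the 60-second average,
    a burst worth correlating with the policy counters and IPv6 DoS policy logs."""
    s = stats["sessions"]
    return s.get("fgSysSes6Rate1", 0) > s.get("fgSysSes6Rate60", 0)


if __name__ == "__main__":
    stats = parse_walk(SAMPLE_WALK)
    print(stats["sessions"]["fgSysSes6Count"])   # 203
    print(idle_policies(stats))                  # [4]
    print(session_rate_rising(stats))            # True
```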

 

 

IPv6 Per-IP traffic shaper

You can add any Per-IP traffic shaper to an IPv6 security policy using the following command:

config firewall policy6
    edit 0
        set per-ip-shaper "new-perip-shaper"
    next
end

 

DHCPv6

You can use DHCP with IPv6 using the CLI. To configure DHCP, ensure IPv6 is enabled by going to System > Feature Select and enabling IPv6. Then use the CLI command:

config system dhcp6

 

For more information on the configuration options, see the FortiGate CLI Reference.

 

DHCP delegated mode

Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.

 

DHCPv6-PD configuration

Enable DHCPv6 Prefix Delegation on upstream interface (port10):

 

config system interface
    edit "port10"
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    next
end

 

Assign the delegated prefix on the downstream interface (port1). Optionally, specific delegated prefixes can be listed:

 

config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
            set ip6-subnet ::1:0:0:0:1/64
            set ip6-send-adv enable
            config ipv6-delegated-prefix-list
                edit 1
                    set upstream-interface "port10"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:100::/64
                next
            end
        end
    next
end

 

 

DHCPv6 Server configuration

Configuring a server that uses delegated prefix and DNS from upstream:

 

config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "wan2"
        set upstream-interface "wan1"
        set ip-mode delegated
        set subnet 0:0:0:102::/64
    next
end

 

DHCPv6 relay

You can use the following command to configure a FortiGate interface to relay DHCPv6 queries and responses from one network to a network with a DHCPv6 server and back. The command enables DHCPv6 relay and includes adding the IPv6 address of the DHCP server that the FortiGate unit relays DHCPv6 requests to:

 

config system interface
    edit internal
        config ipv6
            set dhcp6-relay-service enable
            set dhcp6-relay-type regular
            set dhcp6-relay-ip 2001:db8:0:2::30
        end
    next
end

 

IPv6 forwarding

 

Policies, IPS, Application Control, flow-based antivirus, web filtering, and DLP

FortiOS fully supports flow-based inspection of IPv6 traffic. This includes full support for IPS, application control, virus scanning, and web filtering.

To add flow-based inspection to IPv6 traffic go to Policy & Objects > IPv6 Policy and select Create New to add an IPv6 Security Policy. Configure the policy to accept the traffic to be scanned. Under Security Profiles, select the profiles to apply to the traffic.

 

Obtaining IPv6 addresses from an IPv6 DHCP server

From the CLI, you can configure any FortiGate interface to get an IPv6 address from an IPv6 DHCP server. For example, to configure the wan2 interface to get an IPv6 address from an IPv6 DHCP server enter the following command:

config system interface
    edit wan2
        config ipv6
            set ip6-mode dhcp
        end
    next
end


IPv6 in dynamic routing

Unless otherwise stated, routing protocols apply to IPv4 addressing. This is the standard address format used. However, IPv6 is becoming more popular and new versions of the dynamic routing protocols have been introduced.

As with most advanced routing features on your FortiGate unit, IPv6 settings for dynamic routing protocols must be enabled before they will be visible in the GUI. To enable IPv6 configuration in the GUI, enable it in System > Feature Select. Alternatively, you can directly configure IPv6 for RIP, BGP, or OSPF protocols using CLI commands.

 

Dual stack routing

Dual stack routing implements dual IP layers in hosts and routers, supporting both IPv6 and IPv4. A dual stack architecture supports both IPv4 and IPv6 traffic and routes the appropriate traffic as required to any device on the network. Administrators can update network components and applications to IPv6 on their own schedule, and even maintain some IPv4 support indefinitely if that is necessary. Devices that are on this type of network, and connect to the Internet, can query Internet DNS servers for both IPv4 and IPv6 addresses. If the Internet site supports IPv6, the device can easily connect using the IPv6 address. If the Internet site does not support IPv6, then the device can connect using the IPv4 addresses.

In FortiOS, the dual stack architecture is not limited to basic addressing functions that operate in both versions of IP. The other features of the appliance, such as UTM and routing, can also use both IP stacks.

If an organization with a mixed network uses an Internet service provider that does not support IPv6, they can use an IPv6 tunnel broker to connect to IPv6 addresses that are on the Internet. FortiOS supports IPv6 tunnelling over IPv4 networks to tunnel brokers. The tunnel broker extracts the IPv6 packets from the tunnel and routes them to their destinations.

 

IPv6 tunnelling

IPv6 Tunnelling is the act of tunnelling IPv6 packets from an IPv6 network through an IPv4 network to another IPv6 network. Unlike NAT, once the packet reaches its final destination, the true originating address of the sender will still be readable. The IPv6 packets are encapsulated within packets with IPv4 headers, which carry their IPv6 payload through the IPv4 network.

The key to IPv6 tunnelling is the ability of the two devices to be dual stack compatible in order to work with both IPv4 and IPv6 at the same time. In the process, the entry node of the tunnel portion of the path will create an encapsulating IPv4 header and transmit the encapsulated packet. The exit node at the end of the tunnel receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header, and processes the packet.

There are two types of tunnels in IPv6:

Automatic tunnels: Automatic tunnels are configured by using IPv4 address information embedded in an IPv6 address – the IPv6 address of the destination host includes information about which IPv4 address the packet should be tunnelled to.

Configured tunnels: Configured tunnels must be configured manually. These tunnels are used when using IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of the endpoints of the tunnel must be specified.

Tunnel configuration

There are a few ways in which the tunnelling can be performed depending on which segment of the path between the endpoints of the session the encapsulation takes place.

Host to Host: Dual Stack capable hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire path taken by the IPv6 packets.

Network Device to Host: Dual Stack capable network devices can tunnel IPv6 packets to their final destination IPv6 or IPv4 host. This tunnel spans only the last segment of the path taken by the IPv6 packets.

The node that does the encapsulation needs to maintain soft state information about each tunnel in order to process the IPv6 packets.

Use the following command to tunnel IPv6 traffic over an IPv4 network (a SIT tunnel). The IPv6 interface itself is configured under config system interface. The command for the reverse case, tunnelling IPv4 traffic over an IPv6 network, is config system ipv6-tunnel. These commands are not available in Transparent mode. Note that a SIT tunnel only encapsulates the traffic; it does not encrypt or authenticate it, so when the IPv4 path is untrusted use the IPsec variation described below.

config system sit-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
    next
end

Variable                        Description                                                      Default

edit <tunnel_name>              Enter a name for the IPv6 tunnel.                                No default.
destination <tunnel_address>    The destination IPv4 address for this tunnel.                    0.0.0.0
interface <name>                The interface used to send and receive traffic for this tunnel.  No default.
ip6 <address_ipv6>              The IPv6 address for this tunnel.                                No default.
source <address_ipv4>           The source IPv4 address for this tunnel.                         0.0.0.0

 

Tunnelling IPv6 through IPsec VPN

A variation on tunnelling IPv6 through IPv4 is to use an IPsec VPN tunnel between two FortiGate devices. FortiOS supports IPv6 over IPsec. In this sort of scenario, two networks using IPv6 behind FortiGate units are separated by the Internet, which uses IPv4. An IPsec VPN tunnel is created between the FortiGate units and a tunnel is created over the IPv4-based Internet, but the traffic in the tunnel is IPv6. This has the additional advantage of securing the traffic.

For configuration information, see IPv6 IPsec VPN on page 1866.

 

SIP over IPv6

FortiOS supports Session Initiation Protocol (SIP) over IPv6. The SIP application-level gateway (ALG) can process SIP messages that use IPv6 addresses in the headers, in the bodies (SDP), and in the transport stack. The SIP ALG cannot modify the IPv6 addresses in the SIP headers, so FortiGate units cannot perform SIP or RTP NAT over IPv6 and cannot translate between IPv6 and IPv4 addresses.

In the scenario described here, a SIP phone connects to the Internet through a FortiGate unit. The phone and the SIP and RTP servers all have IPv6 addresses.

The FortiGate unit has IPv6 security policies that accept SIP sessions. The SIP ALG understands IPv6 addresses and can forward IPv6 sessions to their destinations. Using SIP application control features the SIP ALG can also apply rate limiting and other settings to SIP sessions.

To enable SIP support for IPv6 add an IPv6 security policy that accepts SIP packets and includes a VoIP profile.
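The following is an added example, not Fortinet's ALG code, showing the part of the work a SIP ALG has to do on an IPv6 call: read the IPv6 literals from the SIP headers (bracketed, per RFC 3261) and from the SDP body ("IN IP6", per RFC 4566), and derive the RTP/RTCP pinhole it must open for the media. Because the ALG cannot rewrite addresses over IPv6, the example also rejects a media address the far side could never reach (link-local or loopback), which is the failure mode a no-NAT deployment runs into. The INVITE is constructed for the example, not a capture, and the address/port values are assumptions.

```python
import ipaddress
import re

# RFC 3261 writes IPv6 literals in SIP URIs and Via headers in brackets,
# optionally followed by :port. RFC 4566 SDP writes them as "IN IP6 <addr>".
BRACKETED_V6 = re.compile(r"\[([0-9A-Fa-f:.]+)\](?::(\d+))?")


def split_message(raw: str):
    """Return (request line, {header-name-lowercase: [values]}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body


def signalling_endpoints(headers):
    """Distinct (IPv6 address, port) pairs from Via and Contact: the
    addresses the ALG must leave intact because it cannot NAT them."""
    found = {}
    for name in ("via", "contact"):
        for value in headers.get(name, []):
            for addr, port in BRACKETED_V6.findall(value):
                found[(str(ipaddress.IPv6Address(addr)), int(port or 5060))] = True
    return list(found)


def media_endpoint(body: str):
    """RTP endpoint from the SDP body: c= gives the address, m=audio the port."""
    addr = port = None
    for line in body.split("\r\n"):
        if line.startswith("c=IN IP6 "):
            addr = ipaddress.IPv6Address(line.split()[2])
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if addr is None or port is None:
        raise ValueError("SDP has no IPv6 c= line or no m=audio line")
    if addr.is_link_local or addr.is_loopback:
        # No NAT is possible, so an address the far side cannot route is unusable.
        raise ValueError("media address %s is not routable across the firewall" % addr)
    if port % 2:
        raise ValueError("RTP port must be even; RTCP uses port + 1")
    return str(addr), port


def rtp_pinhole(raw: str):
    """What the ALG would open for the media stream: (addr, rtp port, rtcp port)."""
    _, _, body = split_message(raw)
    addr, port = media_endpoint(body)
    return addr, port, port + 1


def media_accepted(raw: str) -> bool:
    """True if the ALG could open a pinhole for this INVITE's media."""
    try:
        rtp_pinhole(raw)
        return True
    except ValueError:
        return False


# Constructed INVITE (not a capture): Alice at 2001:db8:1::10 calls Bob at 2001:db8:2::20.
SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP6 2001:db8:1::10\r\n"
    "s=-\r\n"
    "c=IN IP6 2001:db8:1::10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)
INVITE = (
    "INVITE sip:bob@[2001:db8:2::20] SIP/2.0\r\n"
    "Via: SIP/2.0/UDP [2001:db8:1::10]:5060;branch=z9hG4bK776asdhds\r\n"
    "From: Alice <sip:alice@[2001:db8:1::10]>;tag=1928301774\r\n"
    "To: Bob <sip:bob@[2001:db8:2::20]>\r\n"
    "Call-ID: a84b4c76e66710@[2001:db8:1::10]\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@[2001:db8:1::10]:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: %d\r\n"
    "\r\n"
) % len(SDP.encode()) + SDP

if __name__ == "__main__":
    _, hdrs, _ = split_message(INVITE)
    print(signalling_endpoints(hdrs))
    print(rtp_pinhole(INVITE))
```

The IPv6 security policy the text asks for has to permit both the signalling session (the Via/Contact address and port) and whatever the ALG opens from the SDP; the second part is only possible when the SDP carries an address that is reachable unchanged, which is exactly what the no-NAT limitation above implies.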
