Basic IPv6 Configuration on a FortiGate Firewall

It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco which have no DHCPv6 server implemented.)

UPDATE: In the meantime Fortinet has implemented the RDNSS and DNSSL options as well. Great. Hence you don’t need DHCPv6 at all anymore to run an IPv6-only network. I updated my listings below as well.

However, the configuration on the FortiGate is really bad because nothing of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI which is sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.

Note that this post is one of many related to IPv6. Click here for a structured list.

Coming from Cisco devices (which only have the CLI ;)), the structure of the command line interface from Fortinet is quite different. That’s ok but I need some memos for that. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies can be configured through the GUI.

I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.

End-User Interface w/ DHCPv6

A basic end-user interface needs an IPv6 address, router advertisements with the O-flag (for using stateless DHCPv6), as well as an advertised prefix with the O- and A-flag. Furthermore, a stateless DHCPv6 server provides the DNS server addresses. Here we go:

Of course, there are much more options to fine-tune the timers, etc. But the just listed commands are the very basic configuration steps to make it running.

For your interest, this is how my IPv6-only network on a Windows 7 machine looks like with the just proposed settings:

FortiGate IPv6 Config Commands Windows 7 Network

End-User Interface w/ RDNSS

Tested on a FortiGate FG-90D with firmware v5.6.8 build1672 (GA), I am using the “IPv6 Router Advertisement Options for DNS Configuration”, RFC 8106, namely the recursive DNS server option (RDNSS) and DNS search list option (DNSSL). With these two options there is no need for any kind of DHCPv6 anymore. Everything solely relies on the RA, hence only SLAAC is used. Note that the O-flag is NOT sent anymore:

Looking at those RAs with Wireshark you can see all these options in place, while there is no flag set in the RA itself. (The “on-link” and “autonomous address-configuration” flags are within the prefix information option. Those are not seen in the following screenshot):

Routing

For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post which lists the appropriate commands for many other firewall and router devices.)

 

Show and Get and Diagnose

To verify the working settings of the FortiGate, this CLI commands can be used:

 

Featured image “grüne Wiese mit Blick auf Kirchberg an der Raab” by Edi Schwarzl is licensed under CC BY-NC 2.0.

24 thoughts on “Basic IPv6 Configuration on a FortiGate Firewall

  1. Nice article thanks. You can enable IPv6 in the Fortinet GUI by enabling the IPv6 feature in the dashboard.

    1. Hey Lee.

      Yes, that is correct, BUT you can only configure the IPv6 address, static route, and the IPv6 policy. You can NOT configure anything else which is mandatory for IPv6 to run such as router advertisements, prefix-list, DHCPv6, or any routing protocol. ;(

  2. Thanks to your blog I found the ip6-send-adv flag ;-) !!
    I am struggling to get an IPv6 setup running between 2 vdom’s with an inter vdom link. Aaahhhhhh. I am beginning to think Fortinet forgot to think about this option.
    Ever tried such a setup ?

  3. I just found my error!!
    On a Fortigate, in the IPv6 policy you are allowed to use IPv4 services, even if they make no sense. I made a rule to allow PING, but that was only defined for IPv4, after creating a PING6 for ICMP6 everything worked.
    The interface for IPv6 policy should prevent you using IPv4 objects and vice versa.
    Indeed Fortigate has a very “next generation” GUI interface!!!

  4. Hello all,

    In FG-300C
    i have configured IPv6 in my WAN port and LAN port also all-to-all policy configured but i am unable to ping ISP gateway from internal network as well firewall.
    Please help me for the solution

    Thanks
    Kalidas

    1. Hey Kalidas,

      please check the following:
      – To be able to ping the firewall, you must allow “Ping” within the “IPv6 Administrative Access” section on the interface.
      – Please double check the correct IPv6 addresses configured on the interfaces.
      – Do you have the correct static IPv6 routes, especially the default route?
      – Have a look at the IPv6 neighbor cache (diagnose ipv6 neighbor-cache list) to verify whether the LAN and WAN side really gets some neighbors.
      – Verify that you have correctly configure an IPv6 policy (!) and not an IPv4 policy. (Due to the **** design of FortiGates you have two different policies for each protocol.)

      Ciao,
      Johannes

  5. How can I add an address ipv4 to a rule ipv6.
    I’m trying to replicate my policies in order to have load balance with another internet connection that uses ipv6

  6. hi,

    from ipv6 to ipv4 ?

    ipv6 -> ipv6 (fortigate)ipv4-> ipv4(router) -> internet

    How do I route? (When the gateway is ipv4.)
    Do not use policy64?

  7. Hello,
    Nice article, I’ve a question.
    I tried IPV6 6 month ago and I’ve a lot of configuration. How can I “clean” my Ipv6 section to try new configuration. I’ve 5 section “edit” Under ipv6 section and want to reset this part of configuration.

    1. Hey Jerome,

      similar to all other “edit” sections within the FortiGate CLI you can “delete” those statements. (And for “set” commands you can “unset” them.)

      For example, if you have the following:
      config ip6-prefix-list
      edit 2003:51:6012:162::/64
      –> If you are in the “config ip6-prefix-list” config path you can do the following:
      delete 2003:51:6012:162::/64

      Ciao, Johannes

  8. Hello, my device is Fortigate 92D running Fortios 6.0.4 and Fortios 5.4, there are problems in both system versions, I set IPv6 and DHCP6, the computer can not obtain IPv6 IP through DHCP6, but can pass slaac Obtain a set of IPv6 IP. If I set the IPv6 IP to the network card, the computer can’t ping the internal gateway, and I can’t connect to the external network. But the Fortigate can ping the internal gateway and the external network. My settings are as follows. Can you help me to see where the settings are wrong?

    PS: I am from Taiwan, some English is not good, please forgive me….

    wan1:
    config system interface
    edit “wan1”
    set vdom “root”
    set ip 211.***.***.*** 255.255.255.0
    set type physical
    set estimated-upstream-bandwidth 40000
    set estimated-downstream-bandwidth 100000
    set role wan
    set snmp-index 1
    config ipv6
    set ip6-address 2001:b030:****:****::1/64
    end
    next
    end

    internal:
    config system interface
    edit “internal”
    set vdom “root”
    set ip 192.168.1.1 255.255.255.0
    set allowaccess ping https ssh http fgfm capwap
    set type hard-switch
    set device-identification enable
    set device-identification-active-scan enable
    set role lan
    set snmp-index 5
    config ipv6
    set ip6-address 2001:b030:****:****::1/64
    set ip6-allowaccess ping https ssh http fgfm capwap
    set dhcp6-information-request enable
    set ip6-send-adv enable
    set ip6-other-flag enable
    config ip6-prefix-list
    edit 2001:b030:****:****::/64
    set autonomous-flag enable
    set onlink-flag enable
    next
    end
    end
    next
    end

    dhcp6:
    config system dhcp6 server
    edit 1
    set lease-time 86400
    set subnet 2001:b030:****:****::/64
    set interface “internal”
    config ip-range
    edit 1
    set start-ip 2001:b030:****:****::2
    set end-ip 2001:b030:****:****::200
    next
    end
    set dns-server1 2001:b000:168::1
    set dns-server2 2001:b000:168::2
    set dns-server3 2001:4860:4860::8888
    next
    end

    1. Hello cf,

      I am sorry, but I cannot troublehsoot your issue remotely. Please open a ticket at Fortinet for further troubleshooting.

      Try to capture the RAs from the FortiGate and analyze them in Wireshark. Have a look at the flags (A, O, M, etc.). Are they correctly set according to your setup?
      You can also try different clients. Windows/Android/iOS behave differently when it comes to SLAAC vs. stateful DHCPv6.

      Cheers,
      Johannes

    2. Hello cf,

      Did you find your problem concerning IPv6 on Fortigate 92D?

      I just spent around 6 hours troubleshooting the same things and I’ve found the problem. I thought I’d let you know:

      Fortigate/Fortiwifi 92D does not support STP (hardware limitation). A command has been introduced starting FortiOS 5.4.1 (yes, still applicable today with version 6.0.4) that messes with IPv6 behavior (among other things). Just disable it:

      Config system global
      set hw-switch-ether-filter disable
      end

      It’s actually written in the release notes… If we just bothered reading those. lol.

      Enjoy,

  9. hello
    Does anyone knows if there is a problem to assign both ipv4 and ipv6 on the same interface.
    I tried doing that but got this error message:
    edit LAN_1
    set secondary-IP enable
    config ipv6
    config ip6-extra-addr
    edit fd9d:22d3:cd28:7257::2/64
    end

    Please configure primary IPv6 address prefix first
    object set operator error, -20 discard the setting
    Command fail. Return code -20

  10. Dear All,

    i am unable to ping IPv6 ISP gateway from forigate-30E (v6.0.4 build0231 (GA))

    WAN IP configured 2401:0:4000::50b/127
    gateway -2401:0:4000::50a
    static default route added towards 2401:0:4000::50a
    Ipv6 policy configured & all traffic allowed for any interface

    but still not able to ping Ipv6 gate .
    stats:
    execute ping6 2401:0:4000::50b
    PING 2401:0:4000::50b(2401:0:4000::50b) from 2401:0:4000::50b : 56 data bytes
    64 bytes from 2401:0:4000::50b: icmp_seq=1 ttl=64 time=0.077 ms
    64 bytes from 2401:0:4000::50b: icmp_seq=2 ttl=64 time=0.053 ms
    64 bytes from 2401:0:4000::50b: icmp_seq=3 ttl=64 time=0.040 ms
    64 bytes from 2401:0:4000::50b: icmp_seq=4 ttl=64 time=0.051 ms
    64 bytes from 2401:0:4000::50b: icmp_seq=5 ttl=64 time=0.041 ms

    — 2401:0:4000::50b ping statistics —
    5 packets transmitted, 5 packets received, 0% packet loss, time 4043ms
    rtt min/avg/max/mdev = 0.040/0.052/0.077/0.014 ms

    execute ping6 2401:0:4000::50a
    PING 2401:0:4000::50a(2401:0:4000::50a) from 2401:0:4000::50b : 56 data bytes

    — 2401:0:4000::50a ping statistics —
    5 packets transmitted, 0 packets received, 100% packet loss, time 10013ms

    1. Hey Muhammad.

      Just some ideas:
      – It is not recommended to configure /127 networks. You should go for /64 (unless your ISP forces you to use /127).
      – Are you pinging from the correct interface? You can set the source interface via “execute ping6-options source”
      – Have you verified the NDP cache? (Which is like ARP with IPv4.) That is: Is the MAC address of your default gateway resolved correctly by the FortiGate?

      Ciao
      Johannes

  11. Hello all,

    I played around with IPv6 and DHCPv6 in FortiOS (6.0.13) because I want to send the NTP server information to the clients by the dhcp6 server of the Fortigate.
    I share this there maybe someone else can find it with help of Bing, Google and so on.

    Now my setting configured like this:
    config system dhcp6 server
    edit 64
    set rapid-commit enable
    set lease-time 7200
    set domain “ipv6only.nat64.lan”
    set subnet 2001:db8:f0:6464::/64
    set interface “port3”
    set option1 56 ‘0001001020010db800f00002000000000ac30123’ # NTP IPv6 server address 2001:db8:f0:2::ac3:123
    set option2 56 ‘00030013013302646504706f6f6c036e7470036f726700’ # IPv6 NTP server hostname (FQDN) 3.de.pool.ntp.org
    config ip-range
    edit 1
    set start-ip 2001:db8:f0:6464::6401
    set end-ip 2001:db8:f0:6464::64ff
    next
    end
    set dns-server1 2001:db8:f0:3::53
    set dns-server2 2001:db8:f0:8::53
    next
    end

    You can use option1 or option2 or both, depending if you want to publish an ipv6 address or a hostname.
    You can publish several hostnames, too. For this I recommend to read (and understand) RFC 5908, chapter 4.3. For me it was a small fight.

    @Johannes: If you prefer to have a more detailed post with more details how to create the hex string, please contact me. I can prepare this.

Leave a Reply

Your email address will not be published. Required fields are marked *