Trying to change an IPv6 Link-Local Address on a FortiGate

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the Fortinet documentation nor on Google.

Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address which will be used for the router advertisements (RA) after a reboot (!) of the firewall. Stupid design!

Again and again and again I am not happy at all with the IPv6 implementation on the FortiGates. Too many bugs and features missing, while everything is too complicated to configure. (Have a look at my Fortinet feature requests.) For the following tests I used a FortiGate FG-90D with firmware v5.6.5 build1600 (GA).

Before (Default Behaviour)

Before I touched the config the state of IPv6 was the following. Have a look at the “fg-trust” interface with its link-local address in line 12:

The configuration at this point was:

And a Linux machine got the following routing table, in which the default route had a gateway of fe80::a5b:eff:fea1:835e:


Configuration of the Link-Local Address

To add a link-local address you need the “config ip6-extra-addr” submenu. I added the quite simple fe80::1/64 address to that interface, that is:

Now, in order to have the router advertisements sent from this newly created link-local address, you have to reboot the firewall! Come on Fortinet, you need a complete reboot for this?!? (Note that the support ticket told me to disable the “ip6-send-adv” before adding the LL address, and enabling it again after that. But this was not successful. At this point the RAs were still sent from the old EUI-64 based LL address.) Hence a reboot:



After this changes and the reboot the added link-local IPv6 was present (line 6):

The complete configuration section for this interface looked like this:

And the Linux machine (after a reboot as well) got the correct next hop for its default route:

Accordingly I could verify that the router advertisements were sent from my added link-local address fe80::1:


That’s it. I am not happy with this approach from Fortinet in “changing” the link-local address. On other firewalls such as the Palo Alto Networks firewall you can clearly change the behaviour of the interface ID portion, and it even works without rebooting the firewall:


Featured image “Buy Local” by Mariano Mantel is licensed under CC BY-NC 2.0.

2 thoughts on “Trying to change an IPv6 Link-Local Address on a FortiGate

  1. Hi,

    I have visited you excellent blog.Congratulations!
    I hope it will be more successfull day by day.

    I am writing articles on different websites to collect links to my network blog. Do you accept guest bloggers on you website?

    If you accept, I will be happy to write a blog post on you website on any network lesson.

    Hope to hear from you soon,

    Kind Regards,

    Gokhan Kosem

  2. Hello Johannes,
    thank you for publishing a hint about this “feature”.
    I’m running a Fortigate with 6.0.6 and another one with 6.2.1 and both still need a reboot to get the extra address full active in RA messages.
    It took more reboot in my case because I had a line “set ip6-retrans-time 1795” and only without this line the router in the RA message change to fe80::1

Leave a Reply

Your email address will not be published. Required fields are marked *