Trying to change an IPv6 Link-Local Address on a FortiGate

I got an email where someone asked whether I know how to change the link-local IPv6 addresses on a FortiGate similar to any other network/firewall devices. He could not find anything about this on the Fortinet documentation nor on Google.

Well, I could not find anything either. What’s up? It’s not new to me that you cannot really configure IPv6 on the FortiGate GUI, but even on the CLI I couldn’t find anything about changing this link-local IPv6 address from the default EUI-64 based one to a manually assigned one. Hence I opened a ticket at Fortinet. It turned out that you cannot *change* this address at all, but that you must *add* another LL address which will be used for the router advertisements (RA) after a reboot (!) of the firewall. Stupid design!

Again and again and again I am not happy at all with the IPv6 implementation on the FortiGates. Too many bugs and features missing, while everything is too complicated to configure. (Have a look at my Fortinet feature requests.) For the following tests I used a FortiGate FG-90D with firmware v5.6.5 build1600 (GA).

Before (Default Behaviour)

Before I touched the config the state of IPv6 was the following. Have a look at the “fg-trust” interface with its link-local address in line 12:

The configuration at this point was:

And a Linux machine got the following routing table, in which the default route had a gateway of fe80::a5b:eff:fea1:835e:

 

Configuration of the Link-Local Address

To add a link-local address you need the “config ip6-extra-addr” submenu. I added the quite simple fe80::1/64 address to that interface, that is:

Now, in order to have the router advertisements sent from this newly created link-local address, you have to reboot the firewall! Come on Fortinet, you need a complete reboot for this?!? (Note that the support ticket told me to disable the “ip6-send-adv” before adding the LL address, and enabling it again after that. But this was not successful. At this point the RAs were still sent from the old EUI-64 based LL address.) Hence a reboot:

After

After this changes and the reboot the added link-local IPv6 was present (line 6):

The complete configuration section for this interface looked like this:

And the Linux machine (after a reboot as well) got the correct next hop for its default route:

Accordingly I could verify that the router advertisements were sent from my added link-local address fe80::1:

Competitors

That’s it. I am not happy with this approach from Fortinet in “changing” the link-local address. On other firewalls such as the Palo Alto Networks firewall you can clearly change the behaviour of the interface ID portion, and it even works without rebooting the firewall:

Cheers.

Featured image “Buy Local” by Mariano Mantel is licensed under CC BY-NC 2.0.

5 thoughts on “Trying to change an IPv6 Link-Local Address on a FortiGate

  1. Hello Johannes,
    thank you for publishing a hint about this “feature”.
    I’m running a Fortigate with 6.0.6 and another one with 6.2.1 and both still need a reboot to get the extra address full active in RA messages.
    It took more reboot in my case because I had a line “set ip6-retrans-time 1795” and only without this line the router in the RA message change to fe80::1

  2. Hi Johannes,
    one more question about this wonderful feature:
    Did you tried to change the ip6-extra-addr on more than one interface to same fe80::1/64 address? Which result did you see after expiring livetime of router address?
    In my test the client lost the default router address and I have to disconnect and reconnect the network cable to get again a working ipv6 configuration.

    By the way:
    I changed fe80-address on Cisco ASA, works wonderful and looks wonderful in Wireshark, too. Well done, Cisco, at this point!

    1. Hi Ulrich,

      no, I havn’t tested something like that.

      Whatever you do, keep in mind that this is a FortiGate! Do NOT expect that it works as expected. Do NOT configure anything that isn’t really needed. Do NOT configure any complicated things at all.

      (Not to say: Do NOT use it but buy a more profound firewall. ;))

      Have a good day
      Johannes

  3. Hi Johannes,
    about the change of link-local address on Palo Alto Networks Firewall: I found at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJ6CAK this isn’t supported. Can you provide your PAN-OS Version and a few config lines how to configure it?
    Looking forward to read new posts with tag “link-local-address” :-)

    For all readers using a Cisco ASA [Version 9.12(3)]:
    interface GigabitEthernet x/y
    ipv6 address fe80::1 link-local
    exit

    Nice day and stay healthy
    Ulrich

    1. Hello Ulrich,

      interesting knowledgebase article from PAN. I have just tested it again, and it IS possible. I have change the interface ID of a layer 3 subinterface to “2311”:

      set network interface ethernet ethernet1/5 layer3 units ethernet1/5.224 ipv6 interface-id 2311

      Verifying it through the CLI:
      weberjoh@pa> show interface ethernet1/5.224

      --------------------------------------------------------------------------------
      Name: ethernet1/5.224, ID: 257, 802.1q tag: 224
      Operation mode: layer3
      Virtual router default
      Interface MTU 1500
      Interface IP address: 193.24.227.225/27
      Interface IPv6 address: fe80::2311/64
      2001:470:765b::1/64
      DAD: enabled
      NDP Monitoring: enabled
      IPv6 Client Mode: disabled
      Router Advertisement: enabled

      And the routing table from a Linux (Raspbian):
      pi@pi05-random:~ $ ip -6 r s
      2001:470:765b::/64 dev enxb827eb03a0ac proto kernel metric 202 pref medium
      fe80::/64 dev enxb827eb03a0ac proto kernel metric 256 pref medium
      default via fe80::2311 dev enxb827eb03a0ac metric 202 pref medium

      Hence, the RA is really sending the manually configured interface ID.
      Q.E.D.

      (Maybe this is only true for subinterfaces?!?)

Leave a Reply

Your email address will not be published. Required fields are marked *