Basic IPv6 Configuration on a FortiGate Firewall

It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate, because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco, which have no DHCPv6 server implemented.)

However, the configuration on the FortiGate is really bad, because none of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI, which is sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.

Coming from Cisco devices (which only have the CLI ;)), the structure of the command line interface from Fortinet is quite different. That’s ok, but I need some memos for that. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies can be configured through the GUI.

I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.

End-User Interface

A basic end-user interface needs an IPv6 address, router advertisements with the O-flag (for using stateless DHCPv6), as well as an advertised prefix with the O- and A-flag. Furthermore, a stateless DHCPv6 server provides the DNS server addresses. Here we go:

Of course, there are many more options for fine-tuning the timers, etc., but the commands just listed are the very basic configuration steps to get it running.
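The end-user interface and the stateless DHCPv6 server described above, as an added example in FortiOS 5.2 CLI syntax (this is not the post’s own command listing). The interface name “internal”, the documentation prefix 2001:db8:1::/64 and the use of the firewall itself as DNS server are assumed values.

```fortios
# Added example, not from the original post. Assumed: interface "internal",
# documentation prefix 2001:db8:1::/64, the firewall itself as DNS server.
config system interface
    edit "internal"
        config ipv6
            # IPv6 address of the interface
            set ip6-address 2001:db8:1::1/64
            # IPv6 administrative access limited to ping; without "ping" here
            # the firewall's IPv6 address does not answer echo requests
            set ip6-allowaccess ping
            # Send router advertisements on this interface
            set ip6-send-adv enable
            # M-flag off, O-flag on: hosts build their addresses via SLAAC and
            # ask the stateless DHCPv6 server only for "other" info (DNS)
            set ip6-manage-flag disable
            set ip6-other-flag enable
            # Advertised prefix with the on-link and autonomous flags set
            config ip6-prefix-list
                edit 2001:db8:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

# Stateless DHCPv6 server on the same interface: it hands out the DNS
# server address, no addresses (those come from SLAAC)
config system dhcp6 server
    edit 1
        set interface "internal"
        set dns-server1 2001:db8:1::1
    next
end
```

Clients on the interface should then show an autoconfigured address from the prefix plus the DNS server learned via DHCPv6, while the firewall’s own address is reachable only for ping.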

For your interest, this is what my IPv6-only network looks like on a Windows 7 machine with the settings just proposed:

(Screenshot: FortiGate IPv6 config commands and the resulting Windows 7 network view)

Routing

For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post, which lists the appropriate commands for many other firewall and router devices.)


Show and Get and Diagnose

To verify the working settings of the FortiGate, these CLI commands can be used:


6 thoughts on “Basic IPv6 Configuration on a FortiGate Firewall”

  1. Nice article thanks. You can enable IPv6 in the Fortinet GUI by enabling the IPv6 feature in the dashboard.

    1. Hey Lee.

      Yes, that is correct, BUT you can only configure the IPv6 address, static route, and the IPv6 policy. You can NOT configure anything else which is mandatory for IPv6 to run such as router advertisements, prefix-list, DHCPv6, or any routing protocol. ;(

  2. Thanks to your blog I found the ip6-send-adv flag 😉 !!
    I am struggling to get an IPv6 setup running between 2 VDOMs with an inter-VDOM link. Aaahhhhhh. I am beginning to think Fortinet forgot to think about this option.
    Ever tried such a setup?

  3. I just found my error!!
    On a Fortigate, in the IPv6 policy you are allowed to use IPv4 services, even if they make no sense. I made a rule to allow PING, but that was only defined for IPv4; after creating a PING6 for ICMP6, everything worked.
    The interface for the IPv6 policy should prevent you from using IPv4 objects and vice versa.
    Indeed, Fortigate has a very “next generation” GUI interface!!!

  4. Hello all,

    In an FG-300C
    I have configured IPv6 on my WAN port and LAN port, and an all-to-all policy is also configured, but I am unable to ping the ISP gateway from the internal network as well as from the firewall.
    Please help me with the solution.

    Thanks
    Kalidas

    1. Hey Kalidas,

      Please check the following:
      – To be able to ping the firewall, you must allow “Ping” within the “IPv6 Administrative Access” section on the interface.
      – Please double-check the correct IPv6 addresses configured on the interfaces.
      – Do you have the correct static IPv6 routes, especially the default route?
      – Have a look at the IPv6 neighbor cache (diagnose ipv6 neighbor-cache list) to verify whether the LAN and WAN side really get some neighbors.
      – Verify that you have correctly configured an IPv6 policy (!) and not an IPv4 policy. (Due to the **** design of FortiGates, you have two different policies for each protocol.)

      Ciao,
      Johannes
