Basic IPv6 Configuration on a FortiGate Firewall

It’s really great that the FortiGate firewalls have a DHCPv6 server implemented. With this mandatory service, IPv6-only networks can be deployed directly behind a FortiGate because the stateless DHCPv6 server provides the DNS server addresses. (This is unlike Palo Alto or Cisco which have no DHCPv6 server implemented.)

However, the configuration on the FortiGate is really bad because none of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Everything must be done through the CLI, whose commands are sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.

Coming from Cisco devices (which only have the CLI ;)), the structure of the command line interface from Fortinet is quite different. That’s ok but I need some memos for that. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies can be configured through the GUI.

I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.

End-User Interface

A basic end-user interface needs an IPv6 address, router advertisements with the O-flag (for using stateless DHCPv6), as well as an advertised prefix with the O- and A-flag. Furthermore, a stateless DHCPv6 server provides the DNS server addresses. Here we go:
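An added example, not the author's original listing, of a FortiOS CLI configuration matching the description above. The interface name "internal" and all 2001:db8:: values (documentation prefix) are assumptions; the "#" lines are annotations and can be left out when pasting.

```fortios
# Constructed example: "internal" and every 2001:db8:: value are placeholders.
config system interface
    edit "internal"
        config ipv6
            # Static IPv6 address of the firewall on the end-user network
            set ip6-address 2001:db8:0:a::1/64
            # Administrative access over IPv6: answer ping only,
            # no management protocols on the end-user side
            set ip6-allowaccess ping
            # Send router advertisements on this interface
            set ip6-send-adv enable
            # O-flag: clients fetch "other" information (DNS) via stateless DHCPv6.
            # ip6-manage-flag (M-flag) is left unset, so addresses come from SLAAC.
            set ip6-other-flag enable
            # Prefix advertised in the RA, usable on-link and for autoconfiguration
            config ip6-prefix-list
                edit 2001:db8:0:a::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

# Stateless DHCPv6 server: hands out the DNS server address only
config system dhcp6 server
    edit 1
        set interface "internal"
        set dns-server1 2001:db8:0:53::53
    next
end
```

Traffic from this network still needs an IPv6 policy; the interface settings alone only give clients an address, a default router and a DNS server.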

Of course, there are many more options to fine-tune the timers, etc. But the commands just listed are the very basic configuration steps to get it running.

For your interest, this is what my IPv6-only network on a Windows 7 machine looks like with the settings just proposed:

[Screenshots: FortiGate IPv6 Config Commands; Windows 7 Network]


For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post which lists the appropriate commands for many other firewall and router devices.)


Show and Get and Diagnose

To verify the working settings of the FortiGate, these CLI commands can be used:


Featured image “grüne Wiese mit Blick auf Kirchberg an der Raab” by Edi Schwarzl is licensed under CC BY-NC 2.0.

12 thoughts on “Basic IPv6 Configuration on a FortiGate Firewall”

  1. Nice article thanks. You can enable IPv6 in the Fortinet GUI by enabling the IPv6 feature in the dashboard.

    1. Hey Lee.

      Yes, that is correct, BUT you can only configure the IPv6 address, static route, and the IPv6 policy. You can NOT configure anything else which is mandatory for IPv6 to run such as router advertisements, prefix-list, DHCPv6, or any routing protocol. ;(

  2. Thanks to your blog I found the ip6-send-adv flag ;-) !!
    I am struggling to get an IPv6 setup running between 2 vdoms with an inter vdom link. Aaahhhhhh. I am beginning to think Fortinet forgot to think about this option.
    Ever tried such a setup?

  3. I just found my error!!
    On a Fortigate, in the IPv6 policy you are allowed to use IPv4 services, even if they make no sense. I made a rule to allow PING, but that was only defined for IPv4, after creating a PING6 for ICMP6 everything worked.
    The interface for IPv6 policy should prevent you using IPv4 objects and vice versa.
    Indeed Fortigate has a very “next generation” GUI interface!!!

  4. Hello all,

    On an FG-300C
    I have configured IPv6 on my WAN port and LAN port, and an all-to-all policy is also configured, but I am unable to ping the ISP gateway from the internal network as well as from the firewall.
    Please help me with the solution.


    1. Hey Kalidas,

      please check the following:
      – To be able to ping the firewall, you must allow “Ping” within the “IPv6 Administrative Access” section on the interface.
      – Please double check the correct IPv6 addresses configured on the interfaces.
      – Do you have the correct static IPv6 routes, especially the default route?
      – Have a look at the IPv6 neighbor cache (diagnose ipv6 neighbor-cache list) to verify whether the LAN and WAN side really gets some neighbors.
      – Verify that you have correctly configured an IPv6 policy (!) and not an IPv4 policy. (Due to the **** design of FortiGates you have two different policies for each protocol.)


  5. How can I add an IPv4 address to an IPv6 rule?
    I’m trying to replicate my policies in order to have load balancing with another internet connection that uses IPv6.

  6. hi,

    from ipv6 to ipv4 ?

    ipv6 -> ipv6 (fortigate)ipv4-> ipv4(router) -> internet

    How do I route? (When the gateway is ipv4.)
    Do not use policy64?

  7. Hello,
    Nice article, I’ve a question.
    I tried IPv6 6 months ago and I have a lot of configuration. How can I “clean” my IPv6 section to try a new configuration? I have 5 “edit” sections under the ipv6 section and want to reset this part of the configuration.

    1. Hey Jerome,

      similar to all other “edit” sections within the FortiGate CLI you can “delete” those statements. (And for “set” commands you can “unset” them.)

      For example, if you have the following:
      config ip6-prefix-list
      edit 2003:51:6012:162::/64
      –> If you are in the “config ip6-prefix-list” config path you can do the following:
      delete 2003:51:6012:162::/64

      Ciao, Johannes
