Basic IPv6 Configuration on a FortiGate Firewall

It’s really great that FortiGate firewalls have a DHCPv6 server implemented. With this service, IPv6-only networks can be deployed directly behind a FortiGate: SLAAC gives the clients their addresses, and the stateless DHCPv6 server provides the DNS server addresses that SLAAC alone does not deliver (Windows 7, for example, does not understand the RDNSS option in router advertisements, and this FortiOS release does not send it anyway). Palo Alto and Cisco ASA firewalls, by contrast, had no DHCPv6 server at the time of writing.

However, configuring it on a FortiGate is painful because almost none of the IPv6 features can be set via the GUI. (And this is called a Next-Generation Firewall? Not only the features count, but also the usability!) Router advertisements, prefix lists, the DHCPv6 server and the routing protocols must all be configured through the CLI, whose syntax is sometimes hard to remember. Therefore I am publishing this memo of the appropriate CLI configuration commands.

Coming from Cisco devices (which only have the CLI ;)), the structure of Fortinet’s command line interface is quite different. That’s OK, but I need some memos for it. What I really don’t like are the inconsistencies within the CLI, e.g. sometimes it’s called “ipv6”, sometimes “ip6”. Oh oh. At least the IPv6 policies (and, once the IPv6 feature is enabled on the dashboard, the interface addresses and static routes) can be configured through the GUI.

I am running a FortiWiFi 90D with FortiOS v5.2.4, build688.

End-User Interface

A basic end-user interface needs an IPv6 address, router advertisements with the O-flag set (so that clients query the stateless DHCPv6 server for “other” configuration, i.e. the DNS servers), and an advertised prefix with the A-flag (autonomous address configuration, i.e. SLAAC) and the on-link flag set, which FortiOS calls onlink-flag. Furthermore, a stateless DHCPv6 server (options only, no address range) provides the DNS server addresses. Here we go:
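The author’s original command listing did not survive in this copy of the page. What follows is an added example, not the author’s listing: a FortiOS CLI configuration that implements the four steps above for a hypothetical LAN interface “internal”, using the documentation prefix 2001:db8:1::/64 and two made-up resolver addresses. The syntax is the “config system interface / config ipv6” and “config system dhcp6 server” form that FortiOS 5.x/6.0 uses (a commenter below shows the same form on 6.0.4); verify it against your own release. Lines beginning with # are annotations, not CLI input.

```fortios
config system interface
    edit "internal"
        config ipv6
            # 1. Global address of the interface; this is also the clients' default gateway
            set ip6-address 2001:db8:1::1/64
            # Allow ping and management over IPv6 (without "ping" the clients cannot ping the gateway)
            set ip6-allowaccess ping https ssh
            # 2. Send router advertisements with the O-flag: clients then ask the
            #    stateless DHCPv6 server for "other" configuration (DNS)
            set ip6-send-adv enable
            set ip6-other-flag enable
            # M-flag stays off: addresses come from SLAAC, not from DHCPv6
            set ip6-manage-flag disable
            # 3. Advertised prefix with A-flag (SLAAC) and on-link flag
            config ip6-prefix-list
                edit 2001:db8:1::/64
                    set autonomous-flag enable
                    set onlink-flag enable
                next
            end
        end
    next
end

# 4. Stateless DHCPv6 server: options only, no ip-range, so no addresses are leased
config system dhcp6 server
    edit 1
        set interface "internal"
        set subnet 2001:db8:1::/64
        set dns-server1 2001:db8:53::1
        set dns-server2 2001:db8:53::2
    next
end
```

Note that this only makes the segment work locally: traffic through the FortiGate still needs an IPv6 policy (not an IPv4 one), and the box itself needs an IPv6 default route, both of which are covered further down.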

Of course, there are many more options to fine-tune the timers, etc. But the commands just listed are the very basic configuration steps needed to get it running.

For your interest, this is what my IPv6-only network looks like on a Windows 7 machine with the settings just proposed:

[Image: FortiGate IPv6 Config Commands, Windows 7 Network]

Routing

For routing IPv6 traffic within the network, static routes or OSPFv3 are quite common. The commands for those are the following. (Have a look at my OSPFv3 blog post, which lists the appropriate commands for many other firewall and router devices.)
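The author’s routing listing is likewise missing from this copy. As an added example (not the author’s commands), the following shows both variants on FortiOS 5.x syntax: static routes under “config router static6” and a minimal OSPFv3 instance under “config router ospf6”. Everything concrete is made up: the uplink interface “wan1” with the provider’s gateway 2001:db8:ffff::1, a downstream router 2001:db8:1::2 on the internal segment that owns 2001:db8:2::/48, and the router ID 10.0.0.1. Lines beginning with # are annotations.

```fortios
# Static routes: a default route via the upstream router on wan1, and a route
# to a downstream site via a router on the internal segment.
# "set dst" defaults to ::/0, so the first entry is the default route.
config router static6
    edit 1
        set device "wan1"
        set gateway 2001:db8:ffff::1
    next
    edit 2
        set dst 2001:db8:2::/48
        set device "internal"
        set gateway 2001:db8:1::2
    next
end

# OSPFv3 instead of (or in addition to) static routes.
config router ospf6
    # The router ID is a 32-bit value in dotted-decimal form, not an IPv6 address
    set router-id 10.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    # Unlike OSPFv2 there are no network statements: each interface gets its own
    # entry, and OSPFv3 runs over the link-local addresses of these interfaces
    config ospf6-interface
        edit "internal-ospf"
            set interface "internal"
            set area-id 0.0.0.0
        next
        edit "wan1-ospf"
            set interface "wan1"
            set area-id 0.0.0.0
        next
    end
    # Announce the directly connected prefixes to the OSPFv3 neighbors
    config redistribute "connected"
        set status enable
    end
end
```

The neighbors only form if OSPFv3 hellos are allowed to reach the box; they are link-local ICMP-free IPv6 packets (protocol 89) and are handled by the routing daemon, so no IPv6 policy is required for them, but a wrong area ID or a mismatched interface setting on the other side will keep the adjacency in INIT.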

 

Show and Get and Diagnose

To verify that the settings on the FortiGate are working, these CLI commands can be used:
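The author’s list of verification commands is also missing from this copy. The following is an added set of FortiOS 5.x/6.0 “get”, “show” and “diagnose” commands, not the author’s listing, ordered the way a practitioner would walk the stack: addresses, neighbors, routes, reachability, the router advertisements on the wire, and finally the policy decision for one client. The interface names and addresses (internal, wan1, 2001:db8:ffff::1, client 2001:db8:1::10) are made up and must be replaced with your own. Lines beginning with # are annotations.

```fortios
# 1. Addresses (global and link-local) and the RA / DHCPv6 configuration as stored
diagnose ipv6 address list
show system interface internal
show system dhcp6 server

# 2. Neighbor cache: do the LAN clients and the upstream router show up at all?
diagnose ipv6 neighbor-cache list

# 3. Routing: kernel view, routing-daemon view, and OSPFv3 state
diagnose ipv6 route list
get router info6 routing-table
get router info6 ospf neighbor
get router info6 ospf interface

# 4. Reachability from the box itself (the far side must allow ping)
execute ping6 2001:db8:ffff::1

# 5. Capture router solicitations (ICMPv6 type 133) and the RAs the box sends (type 134)
#    on the LAN interface; verbosity 4 adds interface names, 10 is the packet count.
#    Check the M/O flags and the A/L flags of the prefix option in the output.
diagnose sniffer packet internal 'icmp6 and (ip6[40] = 133 or ip6[40] = 134)' 4 10

# 6. Per-packet policy decision for one client when an IPv6 policy seems to be missing
diagnose debug flow filter6 addr 2001:db8:1::10
diagnose debug flow show console enable
diagnose debug flow trace start6 10
diagnose debug enable

# Switch the debug output off again when done
diagnose debug flow trace stop
diagnose debug disable
```

The sniffer filter is plain libpcap syntax; ip6[40] is the ICMPv6 type byte only when no extension headers precede it, which holds for RS/RA packets. If step 5 shows RAs with the expected flags but clients still get no DNS servers, the problem is on the DHCPv6 side (step 1, and a capture for 'udp port 546 or udp port 547'), not in the RA.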

 

Featured image “grüne Wiese mit Blick auf Kirchberg an der Raab” by Edi Schwarzl is licensed under CC BY-NC 2.0.

15 thoughts on “Basic IPv6 Configuration on a FortiGate Firewall”

  1. Nice article, thanks. You can enable IPv6 in the Fortinet GUI by enabling the IPv6 feature in the dashboard.

    1. Hey Lee.

      Yes, that is correct, BUT you can only configure the IPv6 address, static routes, and the IPv6 policy. You can NOT configure anything else that is mandatory for IPv6 to run, such as router advertisements, prefix lists, DHCPv6, or any routing protocol. ;(

  2. Thanks to your blog I found the ip6-send-adv flag ;-) !!
    I am struggling to get an IPv6 setup running between 2 VDOMs with an inter-VDOM link. Aaahhhhhh. I am beginning to think Fortinet forgot to think about this option.
    Ever tried such a setup?

  3. I just found my error!!
    On a FortiGate, in the IPv6 policy you are allowed to use IPv4 services, even if they make no sense. I made a rule to allow PING, but that was only defined for IPv4; after creating a PING6 for ICMPv6 everything worked.
    The interface for IPv6 policies should prevent you from using IPv4 objects and vice versa.
    Indeed FortiGate has a very “next generation” GUI interface!!!

  4. Hello all,

    On an FG-300C
    I have configured IPv6 on my WAN port and LAN port and also configured an all-to-all policy, but I am unable to ping the ISP gateway from the internal network as well as from the firewall.
    Please help me with the solution

    Thanks
    Kalidas

    1. Hey Kalidas,

      please check the following:
      – To be able to ping the firewall, you must allow “Ping” within the “IPv6 Administrative Access” section on the interface.
      – Please double check the correct IPv6 addresses configured on the interfaces.
      – Do you have the correct static IPv6 routes, especially the default route?
      – Have a look at the IPv6 neighbor cache (diagnose ipv6 neighbor-cache list) to verify whether the LAN and WAN sides really get some neighbors.
      – Verify that you have correctly configured an IPv6 policy (!) and not an IPv4 policy. (Due to the **** design of FortiGates you have two different policies for each protocol.)

      Ciao,
      Johannes

  5. How can I add an IPv4 address to an IPv6 rule?
    I’m trying to replicate my policies in order to have load balancing with another internet connection that uses IPv6.

  6. hi,

    From IPv6 to IPv4?

    IPv6 -> IPv6 (FortiGate) IPv4 -> IPv4 (router) -> internet

    How do I route? (When the gateway is IPv4.)
    Do I not use policy64?

  7. Hello,
    Nice article, I have a question.
    I tried IPv6 6 months ago and I have a lot of configuration. How can I “clean” my IPv6 section to try a new configuration? I have 5 “edit” sections under the ipv6 section and want to reset this part of the configuration.

    1. Hey Jerome,

      similar to all other “edit” sections within the FortiGate CLI you can “delete” those statements. (And for “set” commands you can “unset” them.)

      For example, if you have the following:
      config ip6-prefix-list
      edit 2003:51:6012:162::/64
      –> If you are in the “config ip6-prefix-list” config path you can do the following:
      delete 2003:51:6012:162::/64

      Ciao, Johannes

  8. Hello, my device is a FortiGate 92D running FortiOS 6.0.4 and FortiOS 5.4, and there are problems in both system versions. I set up IPv6 and DHCPv6; the computer cannot obtain an IPv6 address through DHCPv6, but it can obtain one via SLAAC. If I set the IPv6 address on the network card manually, the computer can’t ping the internal gateway and can’t connect to the external network. But the FortiGate can ping the internal gateway and the external network. My settings are as follows. Can you help me see where the settings are wrong?

    PS: I am from Taiwan, some English is not good, please forgive me….

    wan1:
    config system interface
        edit "wan1"
            set vdom "root"
            set ip 211.***.***.*** 255.255.255.0
            set type physical
            set estimated-upstream-bandwidth 40000
            set estimated-downstream-bandwidth 100000
            set role wan
            set snmp-index 1
            config ipv6
                set ip6-address 2001:b030:****:****::1/64
            end
        next
    end

    internal:
    config system interface
        edit "internal"
            set vdom "root"
            set ip 192.168.1.1 255.255.255.0
            set allowaccess ping https ssh http fgfm capwap
            set type hard-switch
            set device-identification enable
            set device-identification-active-scan enable
            set role lan
            set snmp-index 5
            config ipv6
                set ip6-address 2001:b030:****:****::1/64
                set ip6-allowaccess ping https ssh http fgfm capwap
                set dhcp6-information-request enable
                set ip6-send-adv enable
                set ip6-other-flag enable
                config ip6-prefix-list
                    edit 2001:b030:****:****::/64
                        set autonomous-flag enable
                        set onlink-flag enable
                    next
                end
            end
        next
    end

    dhcp6:
    config system dhcp6 server
        edit 1
            set lease-time 86400
            set subnet 2001:b030:****:****::/64
            set interface "internal"
            config ip-range
                edit 1
                    set start-ip 2001:b030:****:****::2
                    set end-ip 2001:b030:****:****::200
                next
            end
            set dns-server1 2001:b000:168::1
            set dns-server2 2001:b000:168::2
            set dns-server3 2001:4860:4860::8888
        next
    end

    1. Hello cf,

      I am sorry, but I cannot troubleshoot your issue remotely. Please open a ticket at Fortinet for further troubleshooting.

      Try to capture the RAs from the FortiGate and analyze them in Wireshark. Have a look at the flags (A, O, M, etc.). Are they correctly set according to your setup?
      You can also try different clients. Windows/Android/iOS behave differently when it comes to SLAAC vs. stateful DHCPv6.

      Cheers,
      Johannes
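As an added example (not from the thread above and not the blog author’s configuration), this is how the RA flags the reply refers to map onto FortiOS settings for the other design, stateful DHCPv6: the M-flag tells clients to request an address from the DHCPv6 server, the O-flag covers DNS, and the A-flag is cleared on the prefix so that no SLAAC addresses are formed. The prefix, pool and resolver address are made up; the commands are those already used on this page plus ip6-manage-flag, which FortiOS 5.x/6.0 provides alongside ip6-other-flag. Lines beginning with # are annotations.

```fortios
config system interface
    edit "internal"
        config ipv6
            set ip6-address 2001:db8:1::1/64
            set ip6-send-adv enable
            # M-flag: clients obtain their address via DHCPv6 (stateful)
            set ip6-manage-flag enable
            # O-flag: DNS and other options via DHCPv6 as well
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:db8:1::/64
                    # A-flag off: no SLAAC addresses from this prefix.
                    # On-link stays set so clients reach each other directly.
                    set autonomous-flag disable
                    set onlink-flag enable
                next
            end
        end
    next
end

config system dhcp6 server
    edit 1
        set interface "internal"
        set subnet 2001:db8:1::/64
        set lease-time 86400
        # The ip-range is what makes the server stateful; without the M-flag in the
        # RA the clients never send a Solicit for an address, so a configured pool
        # alone has no effect.
        config ip-range
            edit 1
                set start-ip 2001:db8:1::1000
                set end-ip 2001:db8:1::1fff
            next
        end
        set dns-server1 2001:db8:53::1
    next
end
```

Which design works depends on the clients: Windows and iOS follow the M/O flags, while Android has no DHCPv6 client at all and therefore only gets an address when the A-flag is set. Capturing the RAs (type 134) and the DHCPv6 exchange (UDP 546/547) on the LAN interface shows which of the two the clients actually attempt.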
