IPv6 (5.6)


New IPv6 features added to FortiOS 5.6.

FortiGate can reply to an anycast probe from the interface’s unicast address (308872)

A new setting has been added within the CLI that enables the FortiGate to reply to an anycast probe from the FortiGate’s unicast IP address.

    config system global
        set ipv6-allow-anycast-probe [enable|disable]
    end

  • Enable: Enable probing of IPv6 address space through anycast by responding from the unicast IP address.
  • Disable: Disable probing of IPv6 address space through anycast.

Secure Neighbor Discovery (355946)

Additional settings have been added to the configuration of interfaces with IPv6 so that they comply more closely with the parameters of RFC 3971 (Secure Neighbor Discovery, SEND).

The context of the new settings is:

    config system interface
        edit <interface>
            config ipv6

The new options under config ipv6 are:

ndmode

Neighbor discovery mode.

    set ndmode [basic | SEND]

  • Basic: Does not support SEND.
  • SEND-compatible: Supports SEND.

nd-cert

Neighbor discovery certificate.

    set nd-cert <name of the certificate to be used>

  • Example string: “Fortinet_Factory local”

nd-security-level

Neighbor discovery security level.

    set nd-security-level <integer>

  • Integer values from 0 – 7
  • 0 = least secure
  • 7 = most secure
  • default = 0

nd-timestamp-delta

Neighbor discovery timestamp delta value.

    set nd-timestamp-delta <integer of time in seconds>

  • Range: 1 – 3600 sec
  • default = 300

nd-timestamp-fuzz

Neighbor discovery timestamp fuzz factor.

    set nd-timestamp-fuzz <integer of time in seconds>

  • Range: 1 – 60 sec
  • default = 1

Additional related technical information

Kernel

  • Redirects ICMPv6 packets to user space if they require SEND options verification or build.

Radvd

  • Verifies NS/RS SEND options including CGA, RSA, Timestamp, NONCE, etc. The daemon also creates a neighbor cache for future timestamp checking; any entry is flushed after 4 hours.
  • Helps the kernel build NA/RA SEND options including CGA, RSA, Timestamp, NONCE, etc. CGA parameters are kept in cache for each interface. The CGA modifier is kept in the CMDB.

Diagnose command for radvd:

    diag test application radvd

  • Shows statistics
  • Toggles message dump
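The timestamp check that nd-timestamp-delta and nd-timestamp-fuzz parameterize, together with the 4-hour neighbor cache flush noted for radvd, can be illustrated with the receiver-side rule from RFC 3971 section 5.3.4.2. The following Python is an added example and not FortiOS or radvd code: the SendTimestampChecker class, the string peer keys, the float-second timestamps and the constructed message sequence are assumptions made for this illustration, and the 1 % clock-drift allowance is the RFC default rather than a FortiOS setting.

```python
# Receiver-side SEND timestamp check after RFC 3971 section 5.3.4.2.
# Added example, not FortiOS or radvd code. Defaults mirror the page's
# nd-timestamp-delta (300 s) and nd-timestamp-fuzz (1 s); the 1 % clock
# drift allowance is the RFC default and the 4-hour cache lifetime follows
# the radvd note above. Timestamps are simplified to float seconds (the real
# option carries a 64-bit fixed-point value) and peers are keyed by a string.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TIMESTAMP_DELTA = 300.0     # seconds, nd-timestamp-delta default
TIMESTAMP_FUZZ = 1.0        # seconds, nd-timestamp-fuzz default
TIMESTAMP_DRIFT = 0.01      # RFC 3971 default: 1 % clock drift
CACHE_LIFETIME = 4 * 3600   # seconds; neighbor cache entries older than this are dropped


@dataclass
class CacheEntry:
    ts_last: float  # timestamp carried by the last accepted message
    rd_last: float  # receiver's own clock when that message was accepted


@dataclass
class SendTimestampChecker:
    delta: float = TIMESTAMP_DELTA
    fuzz: float = TIMESTAMP_FUZZ
    drift: float = TIMESTAMP_DRIFT
    cache: Dict[str, CacheEntry] = field(default_factory=dict)

    def check(self, peer: str, ts_new: float, rd_new: float) -> bool:
        """Return True if a message carrying timestamp ts_new, received at
        local time rd_new from peer, passes the timestamp check."""
        entry = self.cache.get(peer)
        if entry is not None and rd_new - entry.rd_last > CACHE_LIFETIME:
            # Entry aged out of the cache: treat the peer as unknown again.
            del self.cache[peer]
            entry = None
        if entry is None:
            # Unknown peer: the timestamp must lie within +/- delta of our
            # clock, which bounds how old a captured message can be when replayed.
            if not (-self.delta < rd_new - ts_new < self.delta):
                return False
            self.cache[peer] = CacheEntry(ts_new, rd_new)
            return True
        # Known peer: the timestamp must have advanced at least as much as our
        # clock did since the last accepted message, allowing fuzz and drift.
        expected = entry.ts_last + (rd_new - entry.rd_last) * (1 - self.drift)
        if not (ts_new + self.fuzz > expected):
            return False
        if ts_new > entry.ts_last:
            self.cache[peer] = CacheEntry(ts_new, rd_new)
        return True


def run_send_sample() -> List[Tuple[str, bool]]:
    """Constructed sequence of (label, accepted) pairs using the default thresholds."""
    chk = SendTimestampChecker()
    results = []
    # fresh NS from an unknown neighbor whose clock is 100 s behind ours: inside delta
    results.append(("first message", chk.check("fe80::1", ts_new=1000, rd_new=1100)))
    # next message 50 s later whose timestamp also advanced 50 s
    results.append(("later message", chk.check("fe80::1", ts_new=1050, rd_new=1150)))
    # replay of the first message 100 s after it: timestamp went backwards
    results.append(("replayed message", chk.check("fe80::1", ts_new=1000, rd_new=1200)))
    # unknown neighbor whose timestamp is 1100 s behind our clock: outside delta
    results.append(("stale unknown peer", chk.check("fe80::2", ts_new=100, rd_new=1200)))
    # the first neighbor again after the cache lifetime: re-evaluated as unknown
    results.append(("after cache flush", chk.check("fe80::1", ts_new=15500, rd_new=15551)))
    return results


if __name__ == "__main__":
    for label, ok in run_send_sample():
        print(f"{label:20s} {'accept' if ok else 'reject'}")
```

Raising nd-timestamp-delta widens the window in the first branch (how far a new neighbor's clock may be off), while nd-timestamp-fuzz only loosens the second branch (how much a known neighbor's timestamp may lag behind the expected value), so the two settings tune different failure modes.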

Add multicast-PMTU to allow FGT to send ICMPv6 Too Big Message (373396)

New multicast-PMTU feature added to better comply with RFC 4443.

Normally, a “Packet Too Big” ICMPv6 message is sent by a routing device in response to a packet that it cannot forward because the packet is larger than the MTU of the outgoing link. For security reasons, these messages may be disabled, because attackers can use a victim’s IP address as the source address of such messages to perform IP address spoofing.

In FortiOS’s implementation of this function, a CLI setting has been added to make this behavior optional on the FortiGate.

The syntax for the option is:

    config router multicast6
        set multicast-PMTU [enable|disable]
    end
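To show why a spoofed Packet Too Big message matters and how a receiver limits the damage, here is an added Python example (not FortiOS code) of the checks a host can apply before it lets such a message lower a stored path MTU: the advertised MTU must not fall below the IPv6 minimum, the invoking packet quoted in the message must carry one of the host's own addresses and match a flow it actually sent, and the new value must be smaller than the current one. This goes beyond the page, which concerns the router side; the PathMtuTable class, the constructed 2001:db8:: addresses and the zeroed ICMPv6 checksum are assumptions made for the illustration.

```python
# Host-side validation of an ICMPv6 "Packet Too Big" message (RFC 4443
# section 3.2) before it is allowed to lower a path MTU. Added example, not
# FortiOS code. The PathMtuTable class, its flow table and the sample
# addresses are constructed for this illustration.
import ipaddress
import struct
from typing import Dict, Iterable, Set, Tuple

ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280        # RFC 8200: every IPv6 link must carry 1280-byte packets
IPV6_HEADER_LEN = 40
Flow = Tuple[ipaddress.IPv6Address, ipaddress.IPv6Address]


class PathMtuTable:
    def __init__(self, local_addrs: Iterable[str], link_mtu: int = 1500):
        self.local: Set[ipaddress.IPv6Address] = {ipaddress.IPv6Address(a) for a in local_addrs}
        self.flows: Set[Flow] = set()       # (src, dst) pairs this host has actually sent
        self.link_mtu = link_mtu
        self.pmtu: Dict[ipaddress.IPv6Address, int] = {}

    def note_outgoing(self, src: str, dst: str) -> None:
        self.flows.add((ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst)))

    def path_mtu(self, dst: str) -> int:
        return self.pmtu.get(ipaddress.IPv6Address(dst), self.link_mtu)

    def handle_icmpv6(self, msg: bytes) -> str:
        """Return 'accept' if msg is a plausible Packet Too Big for one of our
        own flows and lowers the stored path MTU; otherwise a reason string."""
        if len(msg) < 8 + IPV6_HEADER_LEN:
            return "reject: truncated"
        icmp_type, code, _checksum, mtu = struct.unpack("!BBHI", msg[:8])
        if icmp_type != ICMPV6_PACKET_TOO_BIG or code != 0:
            return "ignore: not Packet Too Big"
        if mtu < IPV6_MIN_MTU:
            return "reject: MTU below IPv6 minimum"
        inner = msg[8:8 + IPV6_HEADER_LEN]        # start of the invoking packet
        if inner[0] >> 4 != 6:
            return "reject: invoking packet is not IPv6"
        inner_src = ipaddress.IPv6Address(inner[8:24])
        inner_dst = ipaddress.IPv6Address(inner[24:40])
        # A forged message cannot guess both ends of a flow we really sent.
        if inner_src not in self.local:
            return "reject: invoking packet was not sent by this host"
        if (inner_src, inner_dst) not in self.flows:
            return "reject: no matching flow"
        if mtu >= self.path_mtu(str(inner_dst)):
            return "ignore: does not lower the path MTU"
        self.pmtu[inner_dst] = mtu
        return "accept"


def build_packet_too_big(mtu: int, inner_src: str, inner_dst: str) -> bytes:
    """Constructed ICMPv6 Packet Too Big carrying a minimal invoking IPv6
    header (checksum left at 0; a real stack verifies it before parsing)."""
    inner_hdr = struct.pack("!IHBB", 6 << 28, 0, 59, 64)   # version 6, no next header
    inner_hdr += ipaddress.IPv6Address(inner_src).packed
    inner_hdr += ipaddress.IPv6Address(inner_dst).packed
    return struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, mtu) + inner_hdr


def run_pmtu_sample() -> Dict[str, str]:
    """Constructed messages against a host that has sent one flow."""
    table = PathMtuTable(["2001:db8::10"])
    table.note_outgoing("2001:db8::10", "2001:db8:1::5")
    return {
        "genuine": table.handle_icmpv6(build_packet_too_big(1400, "2001:db8::10", "2001:db8:1::5")),
        "not_lower": table.handle_icmpv6(build_packet_too_big(1450, "2001:db8::10", "2001:db8:1::5")),
        "tiny": table.handle_icmpv6(build_packet_too_big(500, "2001:db8::10", "2001:db8:1::5")),
        "foreign_src": table.handle_icmpv6(build_packet_too_big(1300, "2001:db8::99", "2001:db8:1::5")),
        "no_flow": table.handle_icmpv6(build_packet_too_big(1300, "2001:db8::10", "2001:db8:9::9")),
    }


if __name__ == "__main__":
    for label, verdict in run_pmtu_sample().items():
        print(f"{label:12s} {verdict}")
```

The flow check is what the page's spoofing concern comes down to on the receiving side: a message whose quoted invoking packet does not match traffic the host sent is discarded, so a forged Packet Too Big can at worst clamp the path MTU of a flow the attacker already knows about, and never below 1280.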



This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
