IPv6 Policy

IPv6 Policy

To configure a IPv6 policy in the GUI

  1. Go to Policy & Objects > IPv6 Policy

The right side window will display a table of the existing IPv6 Policies.

  • To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
  1. Make sure the policy has a name in the Name field
  2. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any Choosing the any option will remove any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  3. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (Same rules apply as with the above step.)
  4. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options along with the option to search. In order to be able to select one of these options it needs to be configured as a

IPv6

firewall object before hand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.

  1. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  2. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on addresses, check the Firewall Objects section called Firewall schedules
  3. Set the Service parameter by selecting the field with the “+” next to the field label. (Same mechanics for selection apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  4. Set the Action Select one of the following options for the action:
    • ACCEPT – lets the traffic through to the next phase of analysis l DENY – drops the session

While there are not as many Action options as with the IPv4 policy, because the choice of Action determines the settings and options below this parameter in the window the rest of the step are associated with a specific Action.

Settings if the ACCEPT action is selected.

Firewall / Network Options

  1. Set the NAT parameter by toggling the slider button.(gray means it is disabled)
  2. Set the IP Pool Configuration by selection one of the options of:
    • Use Outgoing Interface Address l Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected:

  • An additional field will appear with the + Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.
  • An additional option to Preserve the Source Port will appear as a toggle option. If the slider button is grayed out it is disabled.

Security Profiles

  1. Enabling the Use Security Profile Group option will allow the selection of a profile group instead of selecting the individual profiles for the policy.
  2. Disable or enable the various Security Profiles. Once a Profile has been toggled into the enabled mode a drop down menu will appear for the purpose of choosing a specific profile. Only one profile can be chosen for each profile type. The “+” icon next to the Search field in the drop down menu is a shortcut for creating a new profile. The list of Security Profiles available to set includes:
    • AntiVirus l Web Filter l Application Control

NAT64

IPS

Anti-Spam

DLP Sensor

VoIP l ICAP

Logging Options

  1. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.

Settings if the DENY action is selected

Enable the Log Violation Traffic setting by toggling the slider button.

  1. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  2. Toggle whether or not to Enable this policy.The default is enabled.
  3. Select the OK button to save the policy.
This entry was posted in FortiOS 5.6 on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.