IPv6 configuration

This section contains configuration information for IPv6 on FortiOS. Attempts are made to include scenarios in each section to better assist with the configuration and to orient the information toward a particular task.

You will find information on the following:

IPv6 address groups

To create IPv6 address groups from existing IPv6 addresses – web-based manager

Your company has 3 internal servers with IPv6 addresses that it would like to group together for the purposes of a number of policies.

  1. Go to Policy & Objects > Addresses and select Create New > Address Group.
  2. Select IPv6 Group, and fill out the fields with the following information:

     Group Name   Web_Server_Cluster
     Members      Web_Server-1
                  Web_Server-2
                  Web_Server-3

  3. Select

To create IPv6 address groups from existing IPv6 addresses – CLI

config firewall addrgrp6
    edit Web_Server_Cluster
        set member Web_Server-1 Web_Server-2 Web_Server-3
end

To verify that the addresses were added correctly

  1. Go to Policy & Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. From the CLI, enter the following commands:

config firewall addrgrp6
    edit <the name of the address that you wish to verify>
        show full-configuration

IPv6 address ranges

You can configure IPv6 address ranges in both the GUI and the CLI.

To configure IPv6 address ranges – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Set the Type to IP Range and enter the IPv6 addresses as shown:

To configure IPv6 address ranges – CLI:

config firewall address6
    edit ipv6range
        set type iprange
        set start-ip 2001:db8:0:2::30
        set end-ip 2001:db8:0:2::31
end

IPv6 firewall addresses

Scenario: Mail server

You need to create an IPv6 address for the Mail Server on your internal network. This server is on the network off of port1.

  - The IP address is 2001:db8:0:2::20/128.
  - The address should carry a tag identifying it as a server.

Configuring the Example using the GUI

  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Select IPv6 Address and fill out the fields with the following information:

     Name           Mail_Server
     Type           Subnet
     IPv6 Address   2001:db8:0:2::20/128

  3. Select

Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6
    edit Mail_Server
        set type ipprefix
        set subnet 2001:db8:0:2::20/128
end

Scenario: First floor network

You need to create an IPv6 address for the subnet of the internal network off of Port1. These computers connect to port1. The network uses the IPv6 addresses fdde:5a7d:f40b:2e9d:xxxx:xxxx:xxxx:xxxx. There should be a reference to this being the network for the 1st floor of the building.

  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New > Address. Select IPv6 Address and fill out the fields with the following information:

     Name           Internal_Subnet_1
     Type           Subnet / IP Range
     IPv6 Address   2001:db8:0:2::/64
     Comments       Network for 1st Floor

  3. Select
  4. Enter the following CLI command:

config firewall address6
    edit Internal_Subnet_1
        set comment "Network for 1st Floor"
        set type ipprefix
        set subnet 2001:db8:0:2::/64
end

Scenario: Accounting team

You need to create an IPv6 address for the Accounting Team that’s on the 1st Floor. These users are off of various ports of the FortiGate, but they have all been assigned addresses between 2001:db8:0:2::2000 and 2001:db8:0:2::a000.

Configuring the example using the GUI

  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Select IPv6 Address and fill out the fields with the following information:

     Name                Accounting_Team
     Type                IP Range
     Subnet / IP Range   2001:db8:0:2::2000-2001:db8:0:2::a000

  3. Select OK.

Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6
    edit Accounting_Team
        set type iprange
        set visibility enable
        set start-ip 2001:db8:0:2::2000
        set end-ip 2001:db8:0:2::a000
end

To verify that the addresses were added correctly:

  1. Go to Policy & Objects > Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall address6
    edit <the name of the address that you wish to verify>
        show full-configuration
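
The following Python script is an added example, not part of the original guide or of FortiOS. It checks the address objects from the scenarios above offline before they are entered: it rejects a prefix with host bits set or a range whose start-ip is above its end-ip, reports which objects fall inside Internal_Subnet_1 (worth knowing when ordering policies that reference overlapping objects), and renders the objects as one address6 stanza. The function names are hypothetical.

```python
import ipaddress

# Address objects copied from the scenarios on this page.
OBJECTS = {
    "Mail_Server": ("ipprefix", "2001:db8:0:2::20/128"),
    "Internal_Subnet_1": ("ipprefix", "2001:db8:0:2::/64"),
    "Accounting_Team": ("iprange", "2001:db8:0:2::2000", "2001:db8:0:2::a000"),
    "ipv6range": ("iprange", "2001:db8:0:2::30", "2001:db8:0:2::31"),
}

def bounds(obj):
    """Return (first, last) address covered by an object; raise on bad input."""
    if obj[0] == "ipprefix":
        net = ipaddress.IPv6Network(obj[1], strict=True)  # rejects host bits set
        return net.network_address, net.broadcast_address
    start, end = ipaddress.IPv6Address(obj[1]), ipaddress.IPv6Address(obj[2])
    if start > end:
        raise ValueError(f"start-ip {start} is above end-ip {end}")
    return start, end

def contained_in(name, parent, objects=OBJECTS):
    """True when every address of `name` lies inside `parent`."""
    lo, hi = bounds(objects[name])
    plo, phi = bounds(objects[parent])
    return plo <= lo and hi <= phi

def size(name, objects=OBJECTS):
    lo, hi = bounds(objects[name])
    return int(hi) - int(lo) + 1

def render(objects=OBJECTS):
    """Render validated objects as a `config firewall address6` stanza."""
    lines = ["config firewall address6"]
    for name, obj in objects.items():
        bounds(obj)  # validate before emitting anything for this object
        lines += [f"    edit {name}", f"        set type {obj[0]}"]
        if obj[0] == "ipprefix":
            lines.append(f"        set subnet {obj[1]}")
        else:
            lines += [f"        set start-ip {obj[1]}",
                      f"        set end-ip {obj[2]}"]
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)

if __name__ == "__main__":
    for name in OBJECTS:
        print(name, size(name), contained_in(name, "Internal_Subnet_1"))
    print(render())
```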

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
