IPv6 in FortiOS

From an administrative point of view, IPv6 works almost the same as IPv4 in FortiOS. The primary differences are the IPv6 address format and the smaller number of address types. There is also no need for NAT when the FortiGate firewall sits between IPv6 networks. If the subnets attached to the FortiGate firewall are a mix of IPv6 and IPv4, NAT can be configured between the two formats; this involves either a dual stack routing configuration or an IPv4 tunneling configuration. The reason is simple: NAT was developed primarily to extend the number of usable IPv4 addresses, and IPv6's address space is large enough that NAT is no longer necessary.

When configuring IPv6 in FortiOS, you can create a dual stack route or an IPv4-IPv6 tunnel. A dual stack routing configuration implements both IP layers, IPv4 and IPv6, in both hosts and routers. An IPv4-IPv6 tunnel instead encapsulates IPv6 packets within IPv4 headers so that they can be carried across an IPv4 network. The FortiGate unit can also be easily integrated into an IPv6 network: connecting it to an IPv6 network is exactly the same as connecting it to an IPv4 network, except that you use IPv6 addresses.

By default, the IPv6 settings are not displayed in the web-based manager; you enable the display of these features to use them through the web interface. To enable them, go to System > Feature Select and select IPv6. Once enabled, you can use IPv6 addresses as well as IPv4 addresses for the following FortiGate firewall features:

  • Static routing
  • Policy routing
  • Packet and network sniffing
  • Dynamic routing (RIPv6, BGP4+, and OSPFv3)
  • IPsec VPN
  • DNS
  • DHCP
  • SSL VPN
  • Network interface addressing
  • Security Profiles protection
  • Routing access lists and prefix lists
  • NAT/Route and transparent mode
  • NAT64 and NAT66
  • IPv6 tunnel over IPv4 and IPv4 tunnel over IPv6
  • Logging and reporting
  • Security policies
  • SNMP
  • Authentication
  • Virtual IPs and groups
  • IPv6 over SCTP
  • IPv6-specific troubleshooting, such as ping6


IPv6 features

In order to configure IPv6 features using the web-based manager, IPv6 must be enabled using Feature Select. Go to System > Config > Features, enable IPv6, and click Apply.

The following IPv6 features are available from the FortiOS web manager:

IPv6 policies

IPv6 security policies are created both for an IPv6 network and a transitional network. A transitional network is a network that is transitioning over to IPv6 but must still have access to the Internet or must connect over an IPv4 network.

These policies allow this specific type of traffic to travel between the IPv6 and IPv4 networks. The IPv6 options for creating these policies are hidden by default. You must enable this feature under System > Config > Features.

IPv6 policy route

IPv6 policy routing

IPv6 policy routing functions in the same way as IPv4 policy routing. To add an IPv6 policy route, go to Network > Policy Routes and select Create New > IPv6 Policy Route.

Adding an IPv6 Policy route

You can also use the following command to add IPv6 policy routes:

config router policy6
    edit 0
        set input-device <interface>
        set src <ipv6_ip>
        set dst <ipv6_ip>
        set protocol <0-255>
        set gateway <ipv6_ip>
        set output-device <interface>
        set tos <bit_pattern>
        set tos-mask <bit_mask>
end

IPv6 security policies

IPv6 security policies support all the features supported by IPv4 security policies:

  • Policy types and subtypes.
  • NAT support, including using the destination interface IP address, fixed port, and dynamic IP pools.
  • All security features (antivirus, web filtering, application control, IPS, email filtering, DLP, VoIP, and ICAP).
  • All traffic shaping options, including shared traffic shaping, reverse shared traffic shaping, and per-IP traffic shaping.
  • All user and device authentication options.

IPv6 explicit web proxy

You can use the explicit web proxy for IPv6 traffic. To do this you need to:

  • Enable the IPv6 explicit web proxy from the CLI.
  • Enable the explicit web proxy for one or more FortiGate interfaces. These interfaces also need IPv6 addresses.
  • Add IPv6 web proxy security policies to allow the explicit web proxy to accept IPv6 traffic.

Use the following steps to set up a FortiGate unit to accept IPv6 traffic for the explicit web proxy at the Internal interface and forward IPv6 explicit proxy traffic out the wan1 interface to the Internet.

  1. Enter the following CLI command to enable the IPv6 explicit web proxy:

config web-proxy explicit
    set status enable
    set ipv6-status enable
end

  2. Go to Network > Interfaces and edit the internal interface, select Enable Explicit Web Proxy and select OK.
  3. Go to Policy & Objects > Proxy Policy and select Create New to add an IPv6 explicit web proxy security policy with the settings shown in the example policy.

This IPv6 explicit web proxy policy allows traffic from all IPv6 IP addresses to connect through the explicit web proxy and through the wan1 interface to any IPv6 addresses that are accessible from the wan1 interface.

Example IPv6 Explicit Web Proxy security policy

Restricting the IP address of the explicit IPv6 web proxy

You can use the following command to restrict access to the IPv6 explicit web proxy using only one IPv6 address. The IPv6 address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit web proxy is enabled on an interface with multiple IPv6 addresses.

For example, to require users to connect to the IPv6 address 2001:db8:0:2::30 to connect to the explicit IPv6 HTTP proxy, use the following command:

config web-proxy explicit
    set incoming-ipv6 2001:db8:0:2::30
end

Restricting the outgoing source IP address of the IPv6 explicit web proxy

You can use the following command to restrict the source address of outgoing web proxy packets to a single IPv6 address. The IP address that you specify must be the IPv6 address of an interface that the explicit HTTP proxy is enabled on. You might want to use this option if the explicit HTTP proxy is enabled on an interface with multiple IPv6 addresses.

For example, to restrict the outgoing packet source address to 2001:db8:0:2::50:

config web-proxy explicit
    set outgoing-ip6 2001:db8:0:2::50
end

VIP64

VIP64 policies can be used to configure a static NAT virtual IPv6 address for IPv4 addresses. VIP64 can be configured from the CLI using the following commands (see the table below for variable details):

config firewall vip64
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv6>[-address_ipv6]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv4>-<end_ipv4>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
end

VIP64 CLI Variables and Defaults

<name_str>
    Enter the name of this virtual IP address.
    Default: no default.

arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address.
    Default: enable

color <color_int>
    Enter the number of the color to use for the group icon in the web-based manager.
    Default: 0

comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: no default.

extip <address_ipv6>[-address_ipv6]
    Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to ::.
    Default: ::

extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network.
    This option only appears if portforward is enabled.
    If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    Default: 0

id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 – 65535.
    Default: no default.

mappedip [<start_ipv4>-<end_ipv4>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: 0.0.0.0

mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you add a mapped port range the FortiGate unit calculates the external port number range.
    Default: 0

portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable

src-filter <addr_str>
    Enter a source address filter. Each address must be in the form of an IPv6 subnet (x:x:x:x:x:x:x:x/n). Separate addresses with spaces.
    Default: null

VIP46

VIP46 policies can be used to configure a static NAT virtual IPv4 address for IPv6 addresses. VIP46 can be configured from the CLI using the following commands (see the table below for variable details):

config firewall vip46
    edit <name_str>
        set arp-reply {enable | disable}
        set color <color_int>
        set comment <comment_str>
        set extip <address_ipv4>[-address_ipv4]
        set extport <port_int>
        set id <id_num_str>
        set mappedip [<start_ipv6>-<end_ipv6>]
        set mappedport <port_int>
        set portforward {enable | disable}
        set src-filter <addr_str>
end

VIP46 CLI Variables and Defaults

<name_str>
    Enter the name of this virtual IP address.
    Default: no default.

arp-reply {enable | disable}
    Select to respond to ARP requests for this virtual IP address.
    Default: enable

color <color_int>
    Enter the number of the color to use for the group icon in the web-based manager.
    Default: 0

comment <comment_str>
    Enter comments relevant to the configured virtual IP.
    Default: no default.

extip <address_ipv4>[-address_ipv4]
    Enter the IP address or address range on the external interface that you want to map to an address or address range on the destination network.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    To configure a dynamic virtual IP that accepts connections destined for any IP address, set extip to 0.0.0.0.
    Default: 0.0.0.0

extport <port_int>
    Enter the external port number that you want to map to a port number on the destination network.
    This option only appears if portforward is enabled.
    If portforward is enabled and you want to configure a static NAT virtual IP that maps a range of external port numbers to a range of destination port numbers, set extport to the first port number in the range. Then set mappedport to the start and end of the destination port range. The FortiGate unit automatically calculates the end of the extport port number range.
    Default: 0

id <id_num_str>
    Enter a unique identification number for the configured virtual IP. Not checked for uniqueness. Range 0 – 65535.
    Default: no default.

mappedip [<start_ipv6>-<end_ipv6>]
    Enter the IP address or IP address range on the destination network to which the external IP address is mapped.
    If mappedip is an IP address range, the FortiGate unit uses extip as the first IP address in the external IP address range, and calculates the last IP address required to create an equal number of external and mapped IP addresses for one-to-one mapping.
    If mappedip is an IP address range, the FortiGate unit uses extip as a single IP address to create a one-to-many mapping.
    Default: ::

mappedport <port_int>
    Enter the port number on the destination network to which the external port number is mapped.
    You can also enter a port number range to forward packets to multiple ports on the destination network.
    For a static NAT virtual IP, if you add a mapped port range the FortiGate unit calculates the external port number range.
    Default: 0

portforward {enable | disable}
    Select to enable port forwarding. You must also specify the port forwarding mappings by configuring extport and mappedport.
    Default: disable

src-filter <addr_str>
    Enter a source address filter. Each address must be in the form of an IPv4 subnet (x.x.x.x/n). Separate addresses with spaces.
    Default: null
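The range arithmetic the VIP64 and VIP46 tables describe (extip as the first external address, the end of the external range derived so both ranges are the same size, and the same rule for extport and mappedport) can be modelled in a few lines. The following Python is an added example, not FortiOS code: it parses CLI-style "start-end" values and resolves one incoming destination address and port to its mapped counterpart for both VIP64 (IPv6 outside, IPv4 inside) and VIP46 (IPv4 outside, IPv6 inside). Treating the unspecified address (:: or 0.0.0.0) as the dynamic "accept any destination" case is this model's reading of the tables, and all addresses used are constructed documentation ranges.

```python
"""Static NAT range arithmetic of FortiOS VIP64/VIP46 objects.

Added example, not FortiOS code.  Rule from the tables: when mappedip is a
range, extip is the first external address and the end of the external range
is calculated so both ranges have the same size (one-to-one mapping);
extport/mappedport work the same way.  Treating :: / 0.0.0.0 as "accept any
destination" is this model's reading of the dynamic-VIP description.
"""
from ipaddress import ip_address


def parse_range(text):
    """'a-b' -> (a, b); a single address 'a' -> (a, a)."""
    start, sep, end = text.partition("-")
    lo = ip_address(start)
    hi = ip_address(end) if sep else lo
    if type(lo) is not type(hi) or hi < lo:
        raise ValueError(f"bad address range: {text}")
    return lo, hi


def parse_ports(value):
    """80 -> (80, 80); '8000-8009' -> (8000, 8009)."""
    start, sep, end = str(value).partition("-")
    lo = int(start)
    hi = int(end) if sep else lo
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"bad port range: {value}")
    return lo, hi


def external_range(extip, mappedip):
    """(ext_start, ext_end) for a VIP as typed in the CLI."""
    ext_lo, ext_hi = parse_range(extip)
    map_lo, map_hi = parse_range(mappedip)
    size = int(map_hi) - int(map_lo)
    if ext_lo == ext_hi:
        # extip given as a single address: derive the end of the external range
        ext_hi = ext_lo + size
    elif int(ext_hi) - int(ext_lo) != size:
        raise ValueError("external and mapped ranges must be the same size")
    return ext_lo, ext_hi


def external_ports(extport, mappedport):
    """(ext_start, ext_end): the end of the extport range is derived."""
    lo, hi = parse_ports(mappedport)
    ext_lo, _ = parse_ports(extport)
    return ext_lo, ext_lo + (hi - lo)


def translate_address(extip, mappedip, dst):
    """Map an incoming destination to its mapped address; None if no match."""
    ext_lo, ext_hi = external_range(extip, mappedip)
    map_lo, _ = parse_range(mappedip)
    d = ip_address(dst)
    if type(d) is not type(ext_lo):
        return None                      # wrong address family for this VIP
    if int(ext_lo) == 0:                 # dynamic VIP (:: or 0.0.0.0): any dst
        return map_lo
    if not ext_lo <= d <= ext_hi:
        return None
    return map_lo + (int(d) - int(ext_lo))


def translate_port(extport, mappedport, port, portforward=True):
    """Map an incoming destination port; None if outside the external range."""
    if not portforward:
        return port                      # no port forwarding: port unchanged
    ext_lo, ext_hi = external_ports(extport, mappedport)
    if not ext_lo <= port <= ext_hi:
        return None
    map_lo, _ = parse_ports(mappedport)
    return map_lo + (port - ext_lo)


if __name__ == "__main__":
    # VIP64: ten IPv6 external addresses mapped one-to-one onto ten IPv4 servers
    print(external_range("2001:db8::10", "10.0.0.10-10.0.0.19"))
    print(translate_address("2001:db8::10", "10.0.0.10-10.0.0.19", "2001:db8::13"))
    # VIP46 with port forwarding: external 80-89 onto mapped 8000-8009
    print(translate_address("203.0.113.5", "2001:db8::20-2001:db8::2f", "203.0.113.9"))
    print(translate_port(80, "8000-8009", 85))
```

The size check in external_range is the part worth keeping in mind when reviewing a VIP: a range typed on both sides that does not line up is the usual cause of a VIP silently matching fewer addresses than intended.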

IPv6 network address translation

NAT66, NAT64, and DNS64 are now supported for IPv6. These options provide IPv6 NAT and DNS capabilities with IPv6-IPv4 tunneling or dual stack configurations. The commands are available only in the CLI.

Fortinet supports all features described in RFC 6146. However, for DNS64 there is no support for handling Domain Name System Security Extensions (DNSSEC). DNSSEC is for securing types of information that are provided by the DNS as used on an IP network or networks. You can find more information about DNS64 in RFC 6147.

NAT64 and DNS64 (DNS proxy)

NAT64 is used to translate IPv6 addresses to IPv4 addresses so that a client on an IPv6 network can communicate transparently with a server on an IPv4 network.

NAT64 is usually implemented in combination with the DNS proxy called DNS64. DNS64 synthesizes AAAA records from A records and is used to synthesize IPv6 addresses for hosts that only have IPv4 addresses. ‘DNS proxy’ and ‘DNS64’ are interchangeable terms.

Example NAT64 configuration

With a NAT64 and DNS64 configuration in place on a FortiGate unit, clients on an IPv6 network can transparently connect to addresses on an IPv4 network. NAT64 and DNS64 perform the IPv4 to IPv6 transition, allowing clients that have already switched to IPv6 addresses to continue communicating with servers that still use IPv4 addresses.

To enable NAT64 and DNS64, use the following CLI commands:

Enable NAT64

config system nat64
    set status enable
end

Enable the DNS proxy on the IPv6 interface

config system dns-server
    edit internal
end

In your DHCP6 configuration, configure the IPv6 interface IP address as the DNS6 server IP address. The FortiGate will proxy DNS requests to the system DNS server.

config system dhcp6 server
    edit 1
        set interface internal
        config ip-range
            edit 1
                set start-ip 2001:db8:1::11
                set end-ip 2001:db8:1::20
            end
        set dns-server1 2001:db8:1::10
end

NAT64 policies

You can configure security policies for NAT64 using the web-based manager. For these options to appear, the feature must be enabled using System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT64 Policy.

NAT64 policies can also be configured from the CLI using the following command:

config firewall policy64

In the following section, you will configure a NAT64 policy that allows connections from an internal IPv6 network to an external IPv4 network.

Configuring NAT64 to allow a host on the IPv6 network to connect to the Internet server

In this example, the Internal IPv6 network address is 2001:db8:1::/48 and the external IPv4 network address is 172.20.120.0/24. NAT64 is configured to allow a user on the internal network to connect to the server at IPv4 address 172.20.120.12. In this configuration, sessions exiting the wan1 interface must have their source address changed to an IPv4 address in the range 172.20.120.200 to 172.20.120.210.

Enter the following command to enable NAT64:

config system nat64
    set status enable
end

Enabling NAT64 with the config system nat64 command means that all IPv6 traffic received by the current VDOM can be subject to NAT64 if the source and destination address match a NAT64 security policy.

By default, the setting always-synthesize-aaaa-record is enabled. If you disable this setting, the DNS proxy (DNS64) will first attempt to find AAAA records for queried domain names and so resolve the host names to real IPv6 addresses. If the DNS proxy cannot find an AAAA record, it synthesizes one by adding the NAT64 prefix to the A record.

If you use the nat64-prefix option of the config system nat64 command to change the default NAT64 prefix from the well-known prefix 64:ff9b::/96, and leave always-synthesize-aaaa-record enabled (the default), the DNS proxy does not check for AAAA records but synthesizes them instead.

As an alternative to the entry above, the following optional configuration also allows CNAME queries to be resolved:

config system nat64
    set status enable
    set nat64-prefix 64:ff9b::/96
    set always-synthesize-aaaa-record enable
end

Enter the following command to add an IPv6 firewall address for the internal network:

config firewall address6
    edit internal-net6
        set ip6 2001:db8:1::/48
end

Enter the following command to add an IPv4 firewall address for the external network:

config firewall address
    edit external-net4
        set subnet 172.20.120.0/24
        set associated-interface wan1
end

Enter the following command to add an IP pool containing the IPv4 addresses that should become the source address of packets exiting the wan1 interface:

config firewall ippool
    edit exit-pool4
        set startip 172.20.120.200
        set endip 172.20.120.210
end

Enter the following command to add a NAT64 policy that allows connections from the internal IPv6 network to the external IPv4 network:

config firewall policy64
    edit 0
        set srcintf internal
        set srcaddr internal-net6
        set dstintf wan1
        set dstaddr external-net4
        set action accept
        set schedule always
        set service ANY
        set logtraffic enable
        set ippool enable
        set poolname exit-pool4
end

The srcaddr can be any IPv6 firewall address and the dstaddr can be any IPv4 firewall address.

Other NAT64 policy options include fixedport, which can be used to prevent NAT64 from changing the destination port. You can also configure traffic shaping for NAT64 policies.

How a host on the internal IPv6 network communicates with example.server.com, which only has an IPv4 address on the Internet

  1. The host on the internal network does a DNS lookup for example.server.com by sending a DNS query for an AAAA record for example.server.com.
  2. The DNS query is intercepted by the FortiGate DNS proxy.
  3. The DNS proxy attempts to resolve the query with a DNS server on the Internet and discovers that there are no AAAA records for example.server.com.
  4. The previous step is skipped if always-synthesize-aaaa-record is enabled.
  5. The DNS proxy performs an A-record query for example.server.com and gets back an RRSet containing a single A record with the IPv4 address 172.20.120.12.
  6. The DNS proxy then synthesizes an AAAA record. The IPv6 address in the AAAA record begins with the configured NAT64 prefix in the upper 96 bits and the received IPv4 address in the lower 32 bits. By default, the resulting IPv6 address is 64:ff9b::172.20.120.12.
  7. The host on the internal network receives the synthetic AAAA record and sends a packet to the destination address 64:ff9b::172.20.120.12.
  8. The packet is routed to the FortiGate internal interface where it is accepted by the NAT64 security policy.
  9. The FortiGate unit translates the destination address of the packets from IPv6 address 64:ff9b::172.20.120.12 to IPv4 address 172.20.120.12 and translates the source address of the packets to 172.20.120.200 (or another address in the IP pool range) and forwards the packets out the wan1 interface to the Internet.

NAT66

NAT66 is used for translating an IPv6 source or destination address to a different IPv6 source or destination address. NAT66 is not as common or as important as IPv4 NAT, because IPv6 networks do not need address translation the way IPv4 networks do. However, NAT66 can be useful for a number of reasons. For example, you may have changed the IP addresses of some devices on your network but want traffic to still appear to be coming from their old addresses. You can use NAT66 to translate the source addresses of packets from the devices to their old source addresses.

In FortiOS, NAT66 options can be added to an IPv6 security policy from the CLI. Configuring NAT66 is very similar to configuring NAT in an IPv4 security policy. For example, use the following command to add an IPv6 security policy that translates the source address of IPv6 packets to the address of the destination interface (similar to IPv4 source NAT):

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr internal_net
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
end

It can also be useful to translate one IPv6 source address to another address that is not the address of the exiting interface. You can do this using IP pools. For example, enter the following command to add an IPv6 IP pool containing one IPv6 address:

config firewall ippool6
    edit example_6_pool
        set startip 2001:db8::
        set endip 2001:db8::
end

Enter the following command to add an IPv6 firewall address that contains a single IPv6 IP address.

config firewall address6
    edit device_address
        set ip6 2001:db8::132/128
end

Enter the following command to add an IPv6 security policy that accepts packets from a device with IP address 2001:db8::132 and translates the source address to 2001:db8::.

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr device_address
        set dstaddr all
        set action accept
        set schedule always
        set service ANY
        set nat enable
        set ippool enable
        set poolname example_6_pool
end

NAT66 destination address translation

NAT66 can also be used to translate destination addresses. This is done in an IPv6 policy by using IPv6 virtual IPs. For example, enter the following command to add an IPv6 virtual IP that maps the destination address 2001:db8::dd to 2001:db8::ee.

config firewall vip6
    edit example-vip6
        set extip 2001:db8::dd
        set mappedip 2001:db8::ee
end

Enter the following command to add an IPv6 security policy that accepts packets with a destination address 2001:db8::dd and translates that destination address to 2001:db8::ee.

config firewall policy6
    edit 0
        set srcintf internal
        set dstintf wan1
        set srcaddr all
        set dstaddr example-vip6
        set action accept
        set schedule always
        set service ANY
end

NAT64 and NAT66 session failover

The FortiGate Clustering Protocol (FGCP) supports IPv6, NAT64, and NAT66 session failover. If session pickup is enabled, these sessions are synchronized between cluster members and, after an HA failover, the sessions will resume with only minimal interruption.

NAT46

NAT46 is used to translate IPv4 addresses to IPv6 addresses so that a client on an IPv4 network can communicate transparently with a server on an IPv6 network.

To enable NAT46, use the following CLI command:

config firewall vip46

NAT46 policies

Security policies for NAT46 can be configured from the web-based manager. For these options to appear in the web-based manager, this feature must be enabled using System > Feature Visibility. You can then configure the policies under Policy & Objects > NAT46 Policy.

NAT46 policies can also be configured from the CLI using the following command:

config firewall policy46

IPv6 tunneling

IPv6 tunneling is the act of tunneling IPv6 packets from an IPv6 network through an IPv4 network to another IPv6 network. This differs from Network Address Translation (NAT) because once the packet reaches its final destination the true originating address of the sender is still readable. The IPv6 packets are encapsulated within packets with IPv4 headers, which carry their IPv6 payload through the IPv4 network. This type of configuration is more appropriate for those who have completely transitioned to IPv6 but still need an Internet connection, since the Internet is still mostly IPv4 addresses.

The key to IPv6 tunneling is that the two devices, whether hosts or network devices, are dual stack capable: they must be able to work with both IPv4 and IPv6 at the same time. The entry node of the tunnel portion of the path creates an encapsulating IPv4 header and transmits the encapsulated packet. The exit node at the end of the tunnel receives the encapsulated packet, removes the IPv4 header, updates the IPv6 header and processes the IPv6 packet.

There are two types of tunnels in IPv6:

  • Automatic tunnels: configured by using IPv4 address information embedded in an IPv6 address. The IPv6 address of the destination host includes information about which IPv4 address the packet should be tunneled to.
  • Configured tunnels: must be configured manually. These tunnels are used with IPv6 addresses that do not have any embedded IPv4 information. The IPv6 and IPv4 addresses of the endpoints of the tunnel must be specified.

Tunnel configurations

There are a few ways in which the tunneling can be performed depending on which segment of the path between the end points of the session the encapsulation takes place.

  • Network device to network device: dual stack capable devices connected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans one segment of the path taken by the IPv6 packets.
  • Host to network device: dual stack capable hosts can tunnel IPv6 packets to an intermediary IPv6 or IPv4 network device that is reachable through an IPv4 infrastructure. This type of tunnel spans the first segment of the path taken by the IPv6 packets.
  • Host to host: dual stack capable hosts that are interconnected by an IPv4 infrastructure can tunnel IPv6 packets between themselves. In this case, the tunnel spans the entire path taken by the IPv6 packets.
  • Network device to host: dual stack capable network devices can tunnel IPv6 packets to their final destination IPv6 or IPv4 host. This tunnel spans only the last segment of the path taken by the IPv6 packets.

Regardless of whether the tunnel starts at a host or a network device, the node that does the encapsulation needs to maintain soft state information, such as the maximum transmission unit (MTU), about each tunnel in order to process the IPv6 packets.

Use the following command to tunnel IPv6 traffic over an IPv4 network. The IPv6 interface is configured under config system interface. The command to do the reverse is config system ipv6-tunnel. These commands are not available in transparent mode.

config system sit-tunnel
    edit <tunnel_name>
        set destination <tunnel_address>
        set interface <name>
        set ip6 <address_ipv6>
        set source <address_ipv4>
end

edit <tunnel_name>
    Enter a name for the IPv6 tunnel.
    Default: no default.

destination <tunnel_address>
    The destination IPv4 address for this tunnel.
    Default: 0.0.0.0

interface <name>
    The interface used to send and receive traffic for this tunnel.
    Default: no default.

ip6 <address_ipv6>
    The IPv6 address for this tunnel.
    Default: no default.

source <address_ipv4>
    The source IPv4 address for this tunnel.
    Default: 0.0.0.0
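The entry-node and exit-node steps described for a configured tunnel, as an added Python example that is not FortiOS code. It builds a minimal IPv6 packet, wraps it in an IPv4 header with protocol number 41 (IPv6-in-IPv4 encapsulation per RFC 4213, which is what a sit-tunnel carries), enforces the tunnel MTU the encapsulator is expected to track as soft state, and on the exit side verifies the IPv4 header checksum, the protocol number and, for a configured tunnel, that the outer source is the configured remote endpoint before handing the inner packet on. Decrementing the hop limit at the entry node, treating the tunnel as one IPv6 hop, follows RFC 4213; the endpoint and host addresses are constructed documentation addresses.

```python
"""IPv6-over-IPv4 (IP protocol 41) encapsulation for a configured tunnel,
as in RFC 4213.  Added example, not FortiOS code.

encapsulate() is the entry node, decapsulate() the exit node.  All addresses
used below are constructed documentation addresses.
"""
import struct
from ipaddress import IPv4Address, IPv6Address

IPPROTO_IPV6 = 41        # outer IPv4 protocol number for an IPv6 payload
IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40
NO_NEXT_HEADER = 59      # IPv6 next-header value meaning "no payload"


def ipv4_checksum(header):
    """RFC 791 ones'-complement checksum; returns 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv6(src, dst, payload=b"", next_header=NO_NEXT_HEADER, hop_limit=64):
    """Minimal IPv6 packet: 40-byte header (RFC 8200) plus payload."""
    header = struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_header,
                         hop_limit, IPv6Address(src).packed, IPv6Address(dst).packed)
    return header + payload


def ipv6_addresses(packet):
    """(source, destination) of an IPv6 packet; both survive the tunnel."""
    return IPv6Address(packet[8:24]), IPv6Address(packet[24:40])


def fits_tunnel(inner, mtu):
    """The tunnel MTU is the per-tunnel soft state the encapsulator keeps."""
    return IPV4_HDR_LEN + len(inner) <= mtu


def encapsulate(inner, tunnel_src, tunnel_dst, mtu=1500, ident=0, ttl=64):
    """Entry node: prepend an IPv4 header carrying the IPv6 packet."""
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    if not fits_tunnel(inner, mtu):
        raise ValueError("packet exceeds tunnel MTU")  # a real node sends Packet Too Big
    inner = bytearray(inner)
    if inner[7] <= 1:
        raise ValueError("hop limit exhausted")
    inner[7] -= 1                        # the tunnel counts as one IPv6 hop
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, IPV4_HDR_LEN + len(inner),
                         ident, 0x4000, ttl, IPPROTO_IPV6, 0,   # 0x4000 = DF bit
                         IPv4Address(tunnel_src).packed, IPv4Address(tunnel_dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + bytes(inner)


def decapsulate(packet, expected_src=None):
    """Exit node: validate the outer header, strip it, return the IPv6 packet.

    expected_src is the configured remote endpoint; rejecting other sources
    keeps arbitrary IPv4 hosts from injecting IPv6 packets through the tunnel.
    """
    if len(packet) < IPV4_HDR_LEN:
        raise ValueError("truncated packet")
    ver_ihl, _, total, _, _, _, proto, _, src, _ = struct.unpack(
        "!BBHHHBBH4s4s", packet[:IPV4_HDR_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HDR_LEN or total > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if proto != IPPROTO_IPV6:
        raise ValueError("not an IPv6-in-IPv4 packet")
    if expected_src is not None and IPv4Address(src) != IPv4Address(expected_src):
        raise ValueError("outer source is not the configured tunnel endpoint")
    inner = packet[ihl:total]
    if len(inner) < IPV6_HDR_LEN or inner[0] >> 4 != 6:
        raise ValueError("inner packet is not IPv6")
    return inner


def is_valid_tunnel_packet(packet, expected_src):
    """True when decapsulate() accepts the packet."""
    try:
        decapsulate(packet, expected_src)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    v6 = build_ipv6("2001:db8:1::10", "2001:db8:2::20")
    wire = encapsulate(v6, "198.51.100.1", "203.0.113.1")
    print(ipv6_addresses(decapsulate(wire, expected_src="198.51.100.1")))
```

The expected_src check is the one that matters operationally: the outer IPv4 header is unauthenticated, so an exit node that decapsulates protocol 41 from any source would accept spoofed encapsulated IPv6 traffic. Pairing the check with an IPv4 policy that only permits protocol 41 from the configured destination address is the usual mitigation.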
This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
