IPv6 addresses

When creating an IPv6 address there are a number of different types of addresses that can be specified. These include:

  • Subnet
  • IP Range – the details of this type of address are the same as the IPv4 version of this type
  • IPv6 FQDN firewall addresses – similar to the IPv4 version.

The IPv6 addresses don’t yet have the versatility of the IPv4 address in that they don’t have things like geography based addresses, but as IPv6 becomes more mainstream this should change.

Subnet addresses

The Subnet Address type is one that is only used in reference to IPv6 addresses. It represents an IPv6 address subnet. This means that the address will likely be a series of hexadecimal characters followed by a double colon, followed by a “/”, and then a number less than 128 to indicate the size of the subnet. An example would be:

fd5e:3c59:35ce:f67e::/64

  • The hexadecimal characters represent the IPv6 subnet address.
  • The “::” indicates 0’s from that point to the left. In an actual address for a computer, the hexadecimal characters that would take the place of these zeros would represent the device address on the subnet.
  • /xx, in this case /64, represents the number of bits in the subnet. This will make a range that can potentially include 18,446,744,073,709,551,616 addresses. For those wanting to use English rather than math, that is 18 Quintillion.

Creating a subnet address

  1. Go to Policy & Objects > Addresses.
  2. Select Create New. A drop down menu is displayed. Select Address.
  3. In the Category field, choose IPv6 Address.
  4. Input a Name for the address object.
  5. In the Type field, select Subnet from the drop down menu.
  6. In the Subnet / IP Range field, enter the range of addresses in IPv6 format (no spaces).
  7. Select the desired on/off toggle setting for Show in Address List. If the setting is enabled, the address will appear in drop down menus where it is an option.
  8. Input any additional information in the Comments field.
  9. Press

Example

Example of an IP Range address for a group of computers set aside for guests on the company network.

| Field | Value |
|---|---|
| Category | IPv6 Address |
| Name | IPv6_Guest_user_range |
| Type | Subnet |
| Subnet / IP Range | fd5e:3c59:35ce:f67e::/64 |
| Show in Address List | [on] |
| Comments | |

IPv6 FQDN firewall addresses

FQDN firewall addresses can be configured for IPv6.

Syntax in CLI

config firewall address6
    edit <address_name>
        set type fqdn
        set fqdn <domain_name>
        set cache-ttl <integer value from 0 to 86400>
end

Firewall IPv6 address templates

You can use the IPv6 address templates to create new IPv6 addresses that share a prefix. Using templates for addresses reduces the chance of configuring an incorrect address due to a typographical error.

  • A standard IPv6 address can be divided into three parts: [IPv6 network prefix] + [subnet segments] + [host address]
  • The subnet segments can be split into multiple 4-bit blocks called nibbles.
  • Each subnet segment represents a different geographical or organizational part of the network. They are represented by 1 or more nibbles.

Example of a prefix:

2001:db8:1234:0000::/64

| Section | Description |
|---|---|
| The yellow highlighted characters | Prefix (48 bits) |
| The green highlighted characters (zeros) | Place holder for the subnet segments (16 bits) |
| The red highlighted characters | Subnet mask |

The 16 bits that make up the subnet segments can be more granular.

Example: 0011 1111 0000 1101

| Segment | Binary | Hexadecimal |
|---|---|---|
| Site | 0011 | 0x3 |
| Subsite | 1111 | 0xf |
| Subnet | 0000 1101 | 0x0d |

The resulting network portion of the address is:

2001:db8:1234:3f0d::/64
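The segment arithmetic above can be checked in code before any address objects are created. The following Python sketch is an added example, not part of the original guide or of FortiOS; the function names and the SEGMENTS layout are assumptions that mirror the Site/Subsite/Subnet table above.

```python
import ipaddress

# Segment layout taken from the table above: (name, width in bits).
SEGMENTS = [("site", 4), ("subsite", 4), ("subnet", 8)]


def build_prefix(base, values, segments=SEGMENTS):
    """Fill the subnet-segment bits that follow `base` with `values`."""
    # strict=True rejects a base prefix that already has host bits set.
    net = ipaddress.IPv6Network(base, strict=True)
    new_len = net.prefixlen + sum(bits for _, bits in segments)
    if new_len > 128:
        raise ValueError("segments do not fit in a 128-bit address")
    if set(values) != {name for name, _ in segments}:
        raise ValueError("values must name every segment exactly once")
    packed = 0
    for name, bits in segments:
        value = values[name]
        if not 0 <= value < (1 << bits):
            raise ValueError(f"{name}={value:#x} does not fit in {bits} bits")
        packed = (packed << bits) | value
    # Shift the packed segments so they sit directly after the base prefix.
    addr = int(net.network_address) | (packed << (128 - new_len))
    return ipaddress.IPv6Network((addr, new_len))


def address_count(network):
    """Number of addresses covered by a subnet such as a /64."""
    return ipaddress.IPv6Network(network).num_addresses


if __name__ == "__main__":
    example = build_prefix("2001:db8:1234::/48",
                           {"site": 0x3, "subsite": 0xF, "subnet": 0x0D})
    print(example)                                    # 2001:db8:1234:3f0d::/64
    print(address_count("fd5e:3c59:35ce:f67e::/64"))  # 18446744073709551616
```

Out-of-range segment values and base prefixes with stray host bits raise ValueError instead of silently producing a different subnet, which is the typographical-error case the templates are meant to prevent.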

By changing the mask, the subnet segment could be increased.

0000

2001:db8:1234:      0000::/48

0000 0000

2001:db8:1234:           0000::/32

This makes more options available for the configuration of the subnet segments. Below is an example of a very basic template:

Using that template, you can see how the GUI could be used to quickly create address objects.

This entry was posted in Administration Guides, FortiGate, FortiOS 6.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
