ICMPv6

The IT Manager is doing some diagnostics and would like to temporarily block the successful replies of ICMP Node Information Responses between 2 IPv6 networks.

The ICMP type for ICMP Node Information Responses is 140. The code for a successful response is 0.

To configure ICMPv6 – web-based manager:

  1. Go to Policy & Objects > Services and select Create New > Service.
  2. Fill out the fields with the following information:

     Name                    diagnostic-test1
     Service Type            Firewall
     Show in Service List    Enabled
     Category                Uncategorized
     Protocol Type           ICMP6
     Type                    140

  3. Select OK.
  4. Enter the following CLI command:

config firewall service custom
    edit diagnostic-test1
        set protocol ICMP6
        set icmptype 140
        set icmpcode 0
        set visibility enable
end

To verify that the service was added correctly:

  1. Go to Policy & Objects > Services. Check that the service has been added to the services list and that it is correct.
  2. Enter the following CLI command:

config firewall service custom
    edit <the name of the service that you wish to verify>
        show full-configuration
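As an added example (not FortiOS code and not part of the original guide), the following Python models the custom service object defined above and checks constructed ICMPv6 messages against it, so you can see that only a Node Information Response with type 140 and code 0 falls under diagnostic-test1; the class, function and sample names are assumptions.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of a FortiOS custom service object with the fields this page
# sets under "config firewall service custom" (protocol ICMP6, icmptype, icmpcode).
@dataclass(frozen=True)
class Icmp6Service:
    name: str
    icmptype: int
    icmpcode: Optional[int] = None   # None = icmpcode left unset, i.e. any code matches

# The service from the page: ICMP Node Information Response, type 140, code 0 (success).
DIAGNOSTIC_TEST1 = Icmp6Service("diagnostic-test1", icmptype=140, icmpcode=0)

def build_icmp6(icmp_type: int, code: int, body: bytes = b"") -> bytes:
    """Build a constructed ICMPv6 message; the checksum field is left zero (not needed here)."""
    return struct.pack("!BBH", icmp_type, code, 0) + body

def parse_icmp6_header(message: bytes) -> Tuple[int, int]:
    """Return (type, code) from the 4-byte ICMPv6 header (RFC 4443: type, code, checksum)."""
    if len(message) < 4:
        raise ValueError("truncated ICMPv6 header")
    icmp_type, icmp_code, _checksum = struct.unpack("!BBH", message[:4])
    return icmp_type, icmp_code

def matches_service(message: bytes, svc: Icmp6Service) -> bool:
    """True when the message falls under the service object, so a deny policy using it would drop it."""
    icmp_type, icmp_code = parse_icmp6_header(message)
    if icmp_type != svc.icmptype:
        return False
    return svc.icmpcode is None or icmp_code == svc.icmpcode

def classify(messages: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each labelled message to whether diagnostic-test1 would match it."""
    return {label: matches_service(m, DIAGNOSTIC_TEST1) for label, m in messages.items()}

# Constructed sample traffic: only the successful Node Information Response is caught;
# other codes of type 140 (RFC 4620: 1 = refused, 2 = unknown Qtype) still pass.
SAMPLES = {
    "node-info-response/success": build_icmp6(140, 0),
    "node-info-response/refused": build_icmp6(140, 1),
    "echo-reply": build_icmp6(129, 0),
    "neighbor-advertisement": build_icmp6(136, 0),
}
```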

IPv6 SSH

FortiGate supports SSH traffic through IPv6. When the proxy option is set to ssh in a proxy policy, IPv6 source and destination address options become available and SSH profiles can be assigned to IPv6 firewall policies.

Syntax in IPv6 firewall policy

config firewall policy6
    edit 1
        set utm-status enable
        set ssh-filter-profile <example>
end

Syntax in proxy policy

config firewall proxy-policy
    edit 1
        set proxy ssh
        set srcaddr6 "all"
        set dstaddr6 "all"
end

Logging

When a proxy policy is being used, SSH traffic logs are generated by wad instead of the kernel.

IPv6 configuration

This section contains configuration information for IPv6 on FortiOS. Where possible, each section includes a scenario to assist with the configuration and to orient the information toward a particular task.

You will find information on the following:

IPv6 address groups

To create IPv6 address groups from existing IPv6 addresses – web-based manager

Your company has 3 internal servers with IPv6 addresses that it would like to group together for use in a number of policies.

  1. Go to Policy & Objects > Addresses and select Create New > Address Group.
  2. Select IPv6 Group, and fill out the fields with the following information:

     Group Name    Web_Server_Cluster
     Members       Web_Server-1
                   Web_Server-2
                   Web_Server-3

  3. Select OK.

To create IPv6 address groups from existing IPv6 addresses – CLI

config firewall addrgrp6
    edit Web_Server_Cluster
        set member Web_Server-1 Web_Server-2 Web_Server-3
end

To verify that the addresses were added correctly

  1. Go to Policy & Objects > Addresses. Check that the address group has been added to the address list and that it is correct.
  2. From the CLI, enter the following commands:

config firewall addrgrp6
    edit <the name of the address group that you wish to verify>
        show full-configuration

IPv6 address ranges

You can configure IPv6 address ranges in both the GUI and the CLI.

To configure IPv6 address ranges – web-based manager:

  1. Go to Policy & Objects > Addresses.
  2. Set the Type to IP Range and enter the IPv6 addresses as shown:

To configure IPv6 address ranges – CLI:

config firewall address6
    edit ipv6range
        set type iprange
        set start-ip 2001:db8:0:2::30
        set end-ip 2001:db8:0:2::31
end

IPv6 firewall addresses

Scenario: Mail server

You need to create an IPv6 address for the Mail Server, which is on the internal network off port1.

  - The IP address is 2001:db8:0:2::20/128.
  - There should be a tag indicating that this address is for a server.

Configuring the Example using the GUI

  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Select IPv6 Address and fill out the fields with the following information:

     Name            Mail_Server
     Type            Subnet
     IPv6 Address    2001:db8:0:2::20/128

  3. Select OK.

Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6
    edit Mail_Server
        set type ipprefix
        set subnet 2001:db8:0:2::20/128
end

Scenario: First floor network

You need to create an IPv6 address for the subnet of the internal network off port1. These computers connect to port1. The network uses the IPv6 addresses fdde:5a7d:f40b:2e9d:xxxx:xxxx:xxxx:xxxx. There should be a reference to this being the network for the 1st floor of the building.

  1. Go to Policy & Objects > Objects > Addresses.
  2. Select Create New > Address.
  3. Select IPv6 Address and fill out the fields with the following information:

     Name                 Internal_Subnet_1
     Type                 Subnet / IP Range
     IPv6 Address         2001:db8:0:2::/64
     Comments             Network for 1st Floor

  4. Select OK.
  5. Enter the following CLI command:

config firewall address6
    edit Internal_Subnet_1
        set comment "Network for 1st Floor"
        set type ipprefix
        set subnet 2001:db8:0:2::/64
end

Scenario: Accounting team

You need to create an IPv6 address for the Accounting Team, which is on the 1st Floor. These users are off various ports of the FortiGate, but they have all been assigned addresses between 2001:db8:0:2::2000 and 2001:db8:0:2::a000.

Configuring the Example using the GUI

  1. Go to Policy & Objects > Objects > Addresses and select Create New > Address.
  2. Select IPv6 Address and fill out the fields with the following information:

     Name                 Accounting_Team
     Type                 IP Range
     Subnet / IP Range    2001:db8:0:2::2000-2001:db8:0:2::a000

  3. Select OK.

Configuring the Example using the CLI

Enter the following CLI command:

config firewall address6
    edit Accounting_Team
        set type iprange
        set visibility enable
        set start-ip 2001:db8:0:2::2000
        set end-ip 2001:db8:0:2::a000
end

To verify that the addresses were added correctly:

  1. Go to Policy & Objects > Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
  2. Enter the following CLI command:

config firewall address6
    edit <the name of the address that you wish to verify>
        show full-configuration
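As an added example (not FortiOS code and not part of the original guide) covering the IPv6 address group, IPv6 address range and IPv6 firewall address scenarios above, the following Python models the address6 and addrgrp6 objects defined on this page and reports which objects a given IPv6 address would match, which is a quick way to check that an address object or range really covers the hosts you intend. The addresses of the three Web_Server members are assumptions, since the page does not give them, and the class and function names are assumed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of "config firewall address6" objects: type ipprefix (subnet) or iprange.
@dataclass(frozen=True)
class Address6:
    name: str
    type: str                        # "ipprefix" or "iprange", as in the CLI
    subnet: Optional[str] = None     # for ipprefix, e.g. 2001:db8:0:2::20/128
    start_ip: Optional[str] = None   # for iprange (inclusive bounds)
    end_ip: Optional[str] = None

    def contains(self, ip: str) -> bool:
        addr = ipaddress.IPv6Address(ip)
        if self.type == "ipprefix":
            return addr in ipaddress.IPv6Network(self.subnet, strict=False)
        if self.type == "iprange":
            return ipaddress.IPv6Address(self.start_ip) <= addr <= ipaddress.IPv6Address(self.end_ip)
        raise ValueError(f"unknown address6 type {self.type!r}")

# Objects taken from the scenarios on this page, plus assumed /128s for the Web_Server members.
ADDRESSES: Dict[str, Address6] = {a.name: a for a in [
    Address6("Mail_Server", "ipprefix", subnet="2001:db8:0:2::20/128"),
    Address6("Internal_Subnet_1", "ipprefix", subnet="2001:db8:0:2::/64"),
    Address6("Accounting_Team", "iprange", start_ip="2001:db8:0:2::2000", end_ip="2001:db8:0:2::a000"),
    Address6("ipv6range", "iprange", start_ip="2001:db8:0:2::30", end_ip="2001:db8:0:2::31"),
    Address6("Web_Server-1", "ipprefix", subnet="2001:db8:0:2::101/128"),   # assumed
    Address6("Web_Server-2", "ipprefix", subnet="2001:db8:0:2::102/128"),   # assumed
    Address6("Web_Server-3", "ipprefix", subnet="2001:db8:0:2::103/128"),   # assumed
]}

# "config firewall addrgrp6" from the page: a group matches when any member matches.
GROUPS: Dict[str, List[str]] = {
    "Web_Server_Cluster": ["Web_Server-1", "Web_Server-2", "Web_Server-3"],
}

def matching_objects(ip: str) -> Set[str]:
    """Names of address6 objects and addrgrp6 groups that would match this IPv6 address."""
    hits = {name for name, obj in ADDRESSES.items() if obj.contains(ip)}
    for group, members in GROUPS.items():
        if hits & set(members):
            hits.add(group)
    return hits
```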

IPv6 Neighbor Discovery Proxy

This feature provides support for proxying the IPv6 Neighbor Discovery (ND) protocol, allowing the following ICMPv6 messages to be forwarded between upstream and downstream interfaces:

  - Router Advertisement (RA)
  - Neighbor Solicitation (NS)
  - Neighbor Advertisement (NA)
  - Router Solicitation (RS)
  - Redirect

The Neighbor Discovery (ND) protocol is used to discover the link-layer address of IPv6 destinations. In IPv4, the same function is performed by ARP.

Configure ND Proxy in the CLI using the following syntax:

config system nd-proxy
    set status {enable|disable}
    set member <interface> <interface> [<interface>…]
end

Option    Description
status    Enable or disable the use of the neighbor discovery proxy.
member    List of interfaces using the neighbor discovery proxy.

An example configuration can be found in the IPv6 Configuration section under IPv6 Neighbor Discovery Proxy.

IPv6 Tunneling Authentication Support

Authentication support

RADIUS

FortiOS supports IPv6 RADIUS authentication. When configuring the FortiGate interface and the RADIUS server (under config system interface and config user radius respectively), the server IP address can be an IPv6 address.

Captive portal

Captive portal supports IPv6. It works with remote RADIUS authentication and WiFi interfaces.

Obtaining IPv6 addresses from an IPv6 DHCP server

From the CLI, you can configure any FortiGate interface to get an IPv6 address from an IPv6 DHCP server. For example, to configure the wan2 interface to get an IPv6 address from an IPv6 DHCP server, enter the following command:

config system interface
    edit wan2
        config ipv6
            set ip6-mode dhcp
        end
end

IPv6 forwarding

Policies, IPS, Application Control, flow-based antivirus, web filtering, and DLP

FortiOS fully supports flow-based inspection of IPv6 traffic. This includes full support for IPS, application control, virus scanning, and web filtering.

To add flow-based inspection to IPv6 traffic go to Policy & Objects > IPv6 Policy and select Create New to add an IPv6 Security Policy. Configure the policy to accept the traffic to be scanned. Under Security Profiles, select the profiles to apply to the traffic.