IPv6 Tunneling Authentication Support

Authentication support

RADIUS

FortiOS supports IPv6 RADIUS authentication. When configuring the FortiGate interface and the RADIUS server (under config system interface and config user radius respectively), the server IP address can be an IPv6 address.

Captive portal

Captive portal supports IPv6. It works with remote RADIUS authentication and WiFi interfaces.

Obtaining IPv6 addresses from an IPv6 DHCP server

From the CLI, you can configure any FortiGate interface to get an IPv6 address from a DHCPv6 server. For example, to configure the wan2 interface to get an IPv6 address from a DHCPv6 server, enter the following commands:

    config system interface
        edit wan2
            config ipv6
                set ip6-mode dhcp
            end
        next
    end

IPv6 forwarding

Policies, IPS, Application Control, flow-based antivirus, web filtering, and DLP

FortiOS fully supports flow-based inspection of IPv6 traffic. This includes full support for IPS, application control, virus scanning, and web filtering.

To add flow-based inspection to IPv6 traffic go to Policy & Objects > IPv6 Policy and select Create New to add an IPv6 Security Policy. Configure the policy to accept the traffic to be scanned. Under Security Profiles, select the profiles to apply to the traffic.

DHCPv6

DHCPv6 is configured from the CLI. Before configuring it, make sure IPv6 is enabled in the GUI by going to System > Feature Visibility and enabling IPv6.

Use the CLI command config system dhcp6 server.

For more information on the configuration options, see the FortiGate CLI Reference.

DHCP delegated mode

Downstream IPv6 interfaces can derive their addresses and advertised prefixes from a prefix that a DHCPv6 server delegates to an upstream interface (DHCPv6 prefix delegation, DHCPv6-PD).

DHCPv6-PD configuration

Enable DHCPv6 prefix delegation on the upstream interface (port10):

    config system interface
        edit "port10"
            config ipv6
                set dhcp6-prefix-delegation enable
            end
        next
    end

Assign the delegated prefix on the downstream interface (port1). Optionally, ipv6-delegated-prefix-list lets you advertise specific delegated prefixes in router advertisements. The ip6-subnet and subnet values are relative to the delegated prefix: the FortiGate combines the prefix it receives on port10 with these values to form the interface address and the advertised prefix.

    config system interface
        edit "port1"
            config ipv6
                set ip6-mode delegated
                set ip6-upstream-interface "port10"
                set ip6-subnet ::1:0:0:0:1/64
                set ip6-send-adv enable
                config ipv6-delegated-prefix-list
                    edit 1
                        set upstream-interface "port10"
                        set autonomous-flag enable
                        set onlink-flag enable
                        set subnet 0:0:0:100::/64
                    next
                end
            end
        next
    end

DHCPv6 server configuration

Configuring a server that uses the delegated prefix and the DNS servers learned on the upstream interface (the subnet value is again relative to the delegated prefix):

    config system dhcp6 server
        edit 1
            set dns-service delegated
            set interface "wan2"
            set upstream-interface "wan1"
            set ip-mode delegated
            set subnet 0:0:0:102::/64
        next
    end
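To make the relative-subnet arithmetic concrete, here is an added Python example (not FortiOS code) that resolves the ip6-subnet and subnet values from the port1 and dhcp6 server configurations above against a delegated prefix. The delegated prefix 2001:db8:1::/48 is a constructed value; the combination rule modeled here (delegated high bits OR relative low bits, result taking the relative value's prefix length) is how delegated mode is described above, and the resulting addresses should be confirmed on the FortiGate with diagnose ipv6 address list once the upstream delegation arrives.

```python
"""Added example (not FortiOS code): resolve the relative ip6-subnet / subnet
values from the DHCPv6-PD configuration above against a delegated prefix.

DELEGATED_PREFIX is a constructed stand-in for whatever the upstream DHCPv6
server actually hands out on port10 / wan1.
"""
import ipaddress
from typing import Dict, List, Tuple

DELEGATED_PREFIX = "2001:db8:1::/48"  # constructed example value

# Relative values copied from the configuration above, keyed by where they are used.
RELATIVE_VALUES: Dict[str, str] = {
    "port1 ip6-subnet (interface address)": "::1:0:0:0:1/64",
    "port1 delegated-prefix-list subnet (RA prefix)": "0:0:0:100::/64",
    "dhcp6 server subnet (wan2 pool)": "0:0:0:102::/64",
}


def combine(delegated: str, relative: str) -> ipaddress.IPv6Interface:
    """Overlay a relative subnet/address on the delegated prefix.

    The delegation fixes its high bits; the relative value supplies the bits
    below that; the result keeps the relative value's own prefix length
    (/64 for every value above).
    """
    deleg = ipaddress.IPv6Network(delegated, strict=False)
    rel = ipaddress.IPv6Interface(relative)
    if rel.network.prefixlen < deleg.prefixlen:
        raise ValueError(f"{relative} is shorter than the delegated {delegated}")
    # Any bit set inside the delegated part of the relative value would
    # silently override what the upstream server delegated: refuse it.
    if int(rel.ip) & int(deleg.netmask):
        raise ValueError(f"{relative} sets bits inside the delegated {delegated}")
    combined = ipaddress.IPv6Address(int(deleg.network_address) | int(rel.ip))
    return ipaddress.IPv6Interface(f"{combined}/{rel.network.prefixlen}")


def plan(delegated: str, relatives: Dict[str, str]) -> Dict[str, str]:
    """Resolve every relative value against one delegated prefix."""
    return {label: str(combine(delegated, rel)) for label, rel in relatives.items()}


def colliding_subnets(delegated: str, relatives: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of labels whose resolved values land on the same network.

    Two segments (say port1's RA prefix and the wan2 DHCPv6 pool) resolving to
    the same /64 would hand out overlapping addresses, so run this before
    changing any relative subnet value.
    """
    resolved = {label: combine(delegated, rel).network for label, rel in relatives.items()}
    labels = list(resolved)
    return [
        (a, b)
        for i, a in enumerate(labels)
        for b in labels[i + 1:]
        if resolved[a] == resolved[b]
    ]


if __name__ == "__main__":
    for label, value in plan(DELEGATED_PREFIX, RELATIVE_VALUES).items():
        print(f"{label:48s} -> {value}")
    print("collisions:", colliding_subnets(DELEGATED_PREFIX, RELATIVE_VALUES))
```

With the constructed /48, port1 itself becomes 2001:db8:1:1::1/64, its router advertisements carry 2001:db8:1:100::/64, and the wan2 DHCPv6 pool sits in 2001:db8:1:102::/64; the three relative values were chosen on the page so that these /64s do not overlap, which is what colliding_subnets checks.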

DHCPv6 relay

Use the following commands to configure a FortiGate interface to relay DHCPv6 requests from one network to a network with a DHCPv6 server, and the responses back. The commands enable DHCPv6 relay and set the IPv6 address of the DHCPv6 server that the FortiGate unit relays requests to:

    config system interface
        edit internal
            config ipv6
                set dhcp6-relay-service enable
                set dhcp6-relay-type regular
                set dhcp6-relay-ip 2001:db8:0:2::30
            end
        next
    end

New Fortinet FortiGate IPv6 MIB fields

The following IPv6 MIB fields have been added to the Fortinet FortiGate MIB. These MIB entries can be used to display IPv6 session and policy statistics.

  • IPv6 Session Counters:
    fgSysSes6Count, fgSysSes6Rate1, fgSysSes6Rate10, fgSysSes6Rate30, fgSysSes6Rate60

  • IPv6 Policy Statistics:
    fgFwPol6StatsTable, fgFwPol6StatsEntry (type FgFwPol6StatsEntry), fgFwPol6ID, fgFwPol6PktCount, fgFwPol6ByteCount

  • IPv6 Session Statistics:
    fgIp6SessStatsTable, fgIp6SessStatsEntry (type FgIp6SessStatsEntry), fgIp6SessNumber

The existing fgSysSesCount and fgSysSesRateX objects continue to report IPv4 and IPv6 sessions combined; that behavior was not changed.

New OIDs

The following OIDs have been added:

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo

    .fgSysSes6Count     1.3.6.1.4.1.12356.101.4.1.15
    .fgSysSes6Rate1     1.3.6.1.4.1.12356.101.4.1.16
    .fgSysSes6Rate10    1.3.6.1.4.1.12356.101.4.1.17
    .fgSysSes6Rate30    1.3.6.1.4.1.12356.101.4.1.18
    .fgSysSes6Rate60    1.3.6.1.4.1.12356.101.4.1.19

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables

    .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ID          1.3.6.1.4.1.12356.101.5.1.2.2.1.1
    .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6PktCount    1.3.6.1.4.1.12356.101.5.1.2.2.1.2
    .fgFwPol6StatsTable.fgFwPol6StatsEntry.fgFwPol6ByteCount   1.3.6.1.4.1.12356.101.5.1.2.2.1.3

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables

    .fgIp6SessStatsTable.fgIp6SessStatsEntry.fgIp6SessNumber   1.3.6.1.4.1.12356.101.11.2.3.1.1

EXAMPLE SNMP get/walk output

Session6 statistics excerpt from fgSystemInfo:

    snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.4

    FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
    FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
    FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
    FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
    FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second

FwPolicy6 table (the instance index is VDOM index followed by policy ID):

    snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.5.1.2.2

    FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
    FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
    FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
    FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
    FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
    FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0

IP6SessNumber:

    snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.11.2.3.1

    FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89

These walks use SNMPv2c with the community string public, which travels in cleartext and is the first value any scanner tries. For production monitoring, restrict SNMP queries to trusted management addresses and prefer SNMPv3 with authentication and privacy.
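The walk output above is what a monitoring job actually consumes, so here is an added Python example (not Fortinet code) that parses it, resolves both the symbolic and the numeric-OID forms using the OID table above, and derives two things a practitioner wants from these counters: IPv6 policies that have matched no traffic, and a burst of new IPv6 sessions. SAMPLE_WALK is constructed from the excerpt above, with the last line rewritten in the numeric form snmpwalk emits when the Fortinet MIB is not loaded; the VDOM.policy-ID index layout is taken from the sample, and the burst thresholds are arbitrary assumptions.

```python
"""Added example (not Fortinet code): parse snmpwalk output for the IPv6 MIB
objects above and report per-policy IPv6 traffic and session rates."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Numeric OIDs from the table above, keyed to the object name they identify.
OID_NAMES: Dict[str, str] = {
    "1.3.6.1.4.1.12356.101.4.1.15": "fgSysSes6Count",
    "1.3.6.1.4.1.12356.101.4.1.16": "fgSysSes6Rate1",
    "1.3.6.1.4.1.12356.101.4.1.17": "fgSysSes6Rate10",
    "1.3.6.1.4.1.12356.101.4.1.18": "fgSysSes6Rate30",
    "1.3.6.1.4.1.12356.101.4.1.19": "fgSysSes6Rate60",
    "1.3.6.1.4.1.12356.101.5.1.2.2.1.1": "fgFwPol6ID",
    "1.3.6.1.4.1.12356.101.5.1.2.2.1.2": "fgFwPol6PktCount",
    "1.3.6.1.4.1.12356.101.5.1.2.2.1.3": "fgFwPol6ByteCount",
    "1.3.6.1.4.1.12356.101.11.2.3.1.1": "fgIp6SessNumber",
}

# Constructed from the excerpt above; the last line uses the numeric-OID form.
SAMPLE_WALK = """\
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0
.1.3.6.1.4.1.12356.101.11.2.3.1.1.1 = Counter32: 89
"""

MIB_PREFIX = "FORTINET-FORTIGATE-MIB::"
LINE_RE = re.compile(r"^\s*(?P<oid>\S+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>-?\d+)")


@dataclass
class Policy6Stats:
    vdom: int
    policy_id: int
    packets: int = 0
    bytes: int = 0


@dataclass
class Ipv6Report:
    session_count: Optional[int] = None
    session_rates: Dict[int, int] = field(default_factory=dict)   # window (s) -> sessions/s
    ipv6_sessions_per_vdom: Dict[int, int] = field(default_factory=dict)
    policies: Dict[Tuple[int, int], Policy6Stats] = field(default_factory=dict)


def resolve(oid: str) -> Optional[Tuple[str, str]]:
    """Map a walked OID, symbolic or numeric, to (object name, instance index)."""
    if oid.startswith(MIB_PREFIX):
        name, _, index = oid[len(MIB_PREFIX):].partition(".")
        return name, index
    numeric = oid.lstrip(".")
    for base, name in OID_NAMES.items():
        if numeric == base:
            return name, ""
        if numeric.startswith(base + "."):
            return name, numeric[len(base) + 1:]
    return None  # not one of the IPv6 objects we track


def parse_walk(text: str) -> Ipv6Report:
    """Build an Ipv6Report from raw snmpwalk output (other objects are ignored)."""
    report = Ipv6Report()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # blank lines, comments, non-numeric values
        resolved = resolve(m["oid"])
        if resolved is None:
            continue
        name, index = resolved
        value = int(m["value"])
        if name == "fgSysSes6Count":
            report.session_count = value
        elif name.startswith("fgSysSes6Rate"):
            report.session_rates[int(name[len("fgSysSes6Rate"):])] = value
        elif name == "fgIp6SessNumber":
            report.ipv6_sessions_per_vdom[int(index)] = value
        elif name.startswith("fgFwPol6"):
            vdom, _, pol = index.partition(".")          # index is <vdom>.<policy ID>
            key = (int(vdom), int(pol))
            stats = report.policies.setdefault(key, Policy6Stats(*key))
            if name == "fgFwPol6PktCount":
                stats.packets = value
            elif name == "fgFwPol6ByteCount":
                stats.bytes = value
            elif name == "fgFwPol6ID" and value != key[1]:
                raise ValueError(f"fgFwPol6ID {value} disagrees with table index {index}")
    return report


def unused_policies(report: Ipv6Report) -> List[Tuple[int, int]]:
    """(vdom, policy ID) of IPv6 policies that matched no packets since the counters were reset."""
    return sorted(key for key, s in report.policies.items() if s.packets == 0)


def new_session_burst(report: Ipv6Report, factor: int = 5, minimum: int = 10) -> bool:
    """True when the 1 s IPv6 session rate is far above the 60 s rate (thresholds are assumptions)."""
    r1 = report.session_rates.get(1, 0)
    r60 = report.session_rates.get(60, 0)
    return r1 >= minimum and r1 >= factor * max(r60, 1)


if __name__ == "__main__":
    rep = parse_walk(SAMPLE_WALK)
    print("IPv6 sessions:", rep.session_count, "rates:", rep.session_rates)
    for key, s in sorted(rep.policies.items()):
        print(f"vdom {key[0]} policy {key[1]}: {s.packets} pkts, {s.bytes} bytes")
    print("unused IPv6 policies:", unused_policies(rep))
    print("new-session burst:", new_session_burst(rep))
```

On the sample, policy 4 in VDOM 1 has never matched a packet, which makes it a candidate for review (an overly broad rule that is shadowed, or an accept rule nobody needs), and the 1-second rate of 10 new IPv6 sessions against a 60-second average of 0 trips the burst check; in practice both should be read over several polls, since fgFwPol6PktCount resets when the policy counters are cleared.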

SIP over IPv6

FortiOS supports Session Initiation Protocol (SIP) over IPv6. The SIP application-level gateway (ALG) can process SIP messages that carry IPv6 addresses in the headers, bodies, and transport stack. However, the SIP ALG cannot rewrite IPv6 addresses in SIP headers, so FortiGate units cannot perform SIP or RTP NAT over IPv6 and cannot translate between IPv6 and IPv4 addresses.

In the scenario shown below, a SIP phone connects to the Internet through a FortiGate unit. The phone and the SIP and RTP servers all have IPv6 addresses.

The FortiGate unit has IPv6 security policies that accept SIP sessions. The SIP ALG understands IPv6 addresses and forwards IPv6 sessions to their destinations. Using the SIP application control features, the SIP ALG can also apply rate limiting and other settings to SIP sessions.

To enable SIP support for IPv6, add an IPv6 security policy that accepts SIP packets and includes a VoIP profile.

Tunneling IPv6 through IPsec VPN

A variation on tunneling IPv6 through IPv4 is an IPsec VPN tunnel between two FortiGate units. FortiOS supports IPv6 over IPsec. In this scenario, two IPv6 networks behind FortiGate units are separated by the Internet, which uses IPv4. An IPsec VPN tunnel is created between the two FortiGate units over the IPv4 Internet, and the traffic inside the tunnel is IPv6. This has the additional advantage that the IPsec tunnel encrypts and authenticates the IPv6 traffic in transit.

For configuration information, see IPv6 IPsec VPN.

IPv6 support for GRE tunnels

IPv6 addresses can be used at both ends of a GRE tunnel in the same way as with IPv4.

The configuration is similar to setting up the tunnel for IPv4. However, when you configure the tunnel, you need to set the ip-version option to 6, which enables the IPv6-specific options for the tunnel. Note that GRE itself provides no confidentiality or integrity protection; run the GRE tunnel inside IPsec if the tunneled traffic must be protected.

CLI

    config system gre-tunnel
        edit <name of tunnel>
            set ip-version 6
            set remote-gw6 <IPv6 address of the remote gateway>
            set local-gw6 <IPv6 address of the local gateway>
        next
    end