In this case I'm using a FortiGate FGT200A, but the setup will be the same for any version 4 FortiGate firewall. I will show an example of my configuration.
The system's specs are:
FG200A2106401308 # get sys status
Version: Fortigate-200A v4.0,build0646,121119 (MR3 Patch 11)
Virus-DB: 14.00000(2011-08-24 17:17)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.131(2012-11-19 18:33)
Serial-Number: FG200A2106401308
BIOS version: 04000000
Log hard disk: Not available
Hostname: FG200A2106401308
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 646
Release Version Information: MR3 Patch 11
System time: Tue Dec 4 18:07:40 2012
So when configuring IPv6, you can set the IPv6 address within the WebUI, but all other settings are typically set from the CLI.
To configure IPv6, you have to enter a sub-config area called config ipv6, and within this sub-area you can do the following:
- enable IPv6
- enable IPv6 allowaccess for management functions
- set IPv6 RA announcements and values
RA allows SLAAC configuration for any IPv6-enabled host, and must be configured for SLAAC operation to commence. To start, you need to identify the interface(s) that will be IPv6 enabled. In my case, I'm using the internal switch interface, known simply as "internal".
So I've highlighted the configuration details that pertain to IPv6 functions:
edit "internal"
    set vdom "root"
    set ip 10.10.10.1 255.255.255.0
    set allowaccess ping https ssh
    set type physical
    set alias "inside"
    config ipv6
        set ip6-address 2001:11::1/64
        set ip6-allowaccess ping https ssh snmp
        config ip6-prefix-list
            edit 2001:11::/64
                set autonomous-flag enable
                set preferred-life-time 600
                set valid-life-time 600
            next
        end
        set ip6-retrans-time 4000
        set ip6-send-adv enable
    end
next
Now let's talk about these settings. The line ip6-address 2001:11::1/64 assigns the address and prefix. The next line tells us what management access is allowed towards this IPv6 interface {ping; https; ssh; snmp}.
The next lines configure and allow IPv6 prefix announcements and the prefix for that RA. This will allow any IPv6 host to autoconfigure an IPv6 address using its EUI-64 address;
e.g. my MacBook, using its system Ethernet BIA (burned-in address), received the prefix and auto-assigned its address using that burned-in address converted into the lower 64 bits of the 128-bit address:
hyperfeed-MacBook:~ kenfelix1$ ifconfig en0 inet6
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
inet6 2001:11::21f:5bff:feea:afa prefixlen 64 autoconf
hyperfeed-MacBook:~ kenfelix1$
As you can see, I have an IPv6 address, due to the IPv6 prefix-list assignment and send-advertisements configuration.
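To make the SLAAC mechanics above concrete, here is an added Python example (my own illustration, not code from Ken's post or from Fortinet). It builds a Router Advertisement carrying the same values as the config (prefix 2001:11::/64, autonomous flag set, 600 s lifetimes, 4000 ms retrans timer), parses it back the way a host's NDP code would, and derives the modified EUI-64 address a host self-assigns. The host MAC 00:1f:5b:ea:0a:fa is read back from the MacBook's link-local address in the ifconfig output; the router MAC is a constructed sample value, and the RA bytes are constructed rather than captured. The same parser is what you would point at a sniffed icmp6 type-134 payload to confirm that the A flag and lifetimes on the wire are the ones you configured, and not from some other router on the segment.

```python
import ipaddress
import struct

# ICMPv6 / NDP constants from RFC 4861
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1
OPT_PREFIX_INFORMATION = 3
PIO_FLAG_ONLINK = 0x80
PIO_FLAG_AUTONOMOUS = 0x40  # the "A" bit set by "set autonomous-flag enable"

# HOST_MAC is recovered from fe80::21f:5bff:feea:afa in the post's ifconfig output.
# ROUTER_MAC is a constructed sample value, not the FortiGate's real address.
HOST_MAC = "00:1f:5b:ea:0a:fa"
ROUTER_MAC = "02:00:00:aa:bb:cc"


def build_ra(router_mac, prefix, prefix_len, valid, preferred, autonomous, retrans_timer):
    """Build an ICMPv6 RA payload (no IPv6 header, checksum left at 0) with a
    source link-layer option and one Prefix Information option (PIO)."""
    # type, code, checksum, cur hop limit, M/O flags, router lifetime, reachable, retrans
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      64, 0, 1800, 0, retrans_timer)
    sll = struct.pack("!BB6s", OPT_SOURCE_LINK_LAYER, 1,
                      bytes.fromhex(router_mac.replace(":", "")))
    flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII16s", OPT_PREFIX_INFORMATION, 4, prefix_len, flags,
                      valid, preferred, 0, ipaddress.IPv6Address(prefix).packed)
    return hdr + sll + pio


def parse_ra(payload):
    """Parse an RA payload into a dict; malformed options are rejected as RFC 4861 requires."""
    if len(payload) < 16 or payload[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    _, _, _, hop_limit, flags, router_lifetime, reachable, retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    ra = {"hop_limit": hop_limit, "managed": bool(flags & 0x80),
          "other_config": bool(flags & 0x40), "router_lifetime": router_lifetime,
          "reachable_time": reachable, "retrans_timer": retrans,
          "router_mac": None, "prefixes": []}
    off = 16
    while off < len(payload):
        if len(payload) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = payload[off], payload[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # accepting it would loop forever
        end = off + olen * 8  # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option overruns packet")
        body = payload[off + 2:end]
        if otype == OPT_SOURCE_LINK_LAYER and olen == 1:
            ra["router_mac"] = ":".join(f"{b:02x}" for b in body[:6])
        elif otype == OPT_PREFIX_INFORMATION and olen == 4:
            plen, pflags, valid, preferred, _, prefix = struct.unpack("!BBIII16s", body)
            net = ipaddress.IPv6Network(f"{ipaddress.IPv6Address(prefix)}/{plen}", strict=False)
            ra["prefixes"].append({
                "prefix": str(net), "prefix_len": plen,
                "onlink": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        off = end  # unknown option types are skipped, as the RFC says
    return ra


def slaac_address(prefix, mac):
    """Modified EUI-64 (RFC 4291 appendix A): split the MAC, insert ff:fe, flip the U/L bit."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "")))
    if len(octets) != 6:
        raise ValueError("need a 48-bit MAC")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    octets[0] ^= 0x02
    iid = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def slaac_candidates(ra, mac):
    """Addresses a host would self-assign from this RA: only /64 PIOs with the A flag,
    and only when preferred <= valid (otherwise the PIO is ignored, RFC 4862 5.5.3)."""
    out = []
    for p in ra["prefixes"]:
        if not p["autonomous"] or p["prefix_len"] != 64:
            continue
        if p["preferred_lifetime"] > p["valid_lifetime"]:
            continue
        out.append(str(slaac_address(p["prefix"], mac)))
    return out


# Constructed RA mirroring the post's "config ipv6" block.
SAMPLE_RA = build_ra(ROUTER_MAC, "2001:11::", 64, 600, 600, True, 4000)

if __name__ == "__main__":
    ra = parse_ra(SAMPLE_RA)
    print(f"router {ra['router_mac']}, retrans {ra['retrans_timer']} ms, prefixes {ra['prefixes']}")
    print("host would self-assign:", slaac_candidates(ra, HOST_MAC))
```

Running it prints the single global address 2001:11::21f:5bff:feea:afa, the same one the MacBook shows as autoconf. Clearing the autonomous flag, or sending a preferred lifetime larger than the valid one, yields no candidate address, which is the behaviour to expect from a host when a prefix-list entry is misconfigured.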
After you configure the IPv6 interfaces, you can now craft IPv6 firewall policies.
I hope this quick post helps you with IPv6 configuration in a Fortinet FortiGate firewall appliance.
Ken Felix "freelance network and security" engineer
kfelix" @" hyperfeed dot com
Hi Ken
Thanks for this, seems like the best setup advice I can find on the internet. Fortigate's technical docs seem old.
How can I see if the FortiGate is sending RAs?
I'm using Ubuntu and it's not autoconfiguring the address.
You have a few ways to validate that RA announcements are being sent;
Ubuntu:
tcpdump -nnvvv -i eth0 icmp6
tshark -n -i eth0 -R 'icmpv6.type==134'
FortiGate:
diagnose sniffer packet "insert interface-name" icmp6
NOTE: Just remember that RA uses ICMPv6
Back to your Ubuntu box and its IPv6 setup, do you have it set up for autoconfig?
sysctl net.ipv6.conf.eth0.autoconf
If not, you will need to write the value 1 to the system controls
e.g.
sysctl -w net.ipv6.conf.eth0.autoconf=1
Also, if you see no IPv6 in your system controls, and if you restart networking and get this error
CRITICAL : [ipv6_test] Kernel is not compiled with IPv6 support
That would surely mean you need to recompile the kernel with IPv6 support.
Good luck ( - | - )
Thanks for your help! After restarting network manager the auto configure works. I used Wireshark to confirm.
Thanks for your help!!!
Hello! This is unclear for me. I have a router that has direct IPv6 connectivity.
1. If I define a (public) IPv6 address on the external interface, it goes to the internet, but internal machines that are behind another port (and in another zone) don't see the firewall.
2. If I define that public IPv6 address on the internal interface, my machines can see it (ping6 replies in both directions), but there's no connectivity to the internet, not even from the router itself.
So how should the connection be made between the internal and external interface? I have IPv6 policies that allow all traffic between these two zones, but that doesn't help. Do I have to use some intermediate IPv6 network to route between the internal and external zones? That would be really ugly.