Tuesday, December 4, 2012

ipv6 fortigate style

This post talks about ipv6 setup for a typical ipv6-intf and setting  route-advertisements ( RAs ),
in this case I'm using a  fortigate FGT200A but the setup will be the same for  any version 4 fortigate firewall. I will show a example of my configuration

The systems specs are;


FG200A2106401308 # get sys status
Version: Fortigate-200A v4.0,build0646,121119 (MR3 Patch 11)
Virus-DB: 14.00000(2011-08-24 17:17)
IPS-DB: 3.00150(2012-02-15 23:15)
FortiClient application signature package: 1.131(2012-11-19 18:33)
Serial-Number: FG200A2106401308
BIOS version: 04000000
Log hard disk: Not available
Hostname: FG200A2106401308
Operation Mode: NAT
Current virtual domain: root
Max number of virtual domains: 10
Virtual domains status: 1 in NAT mode, 0 in TP mode
Virtual domain configuration: disable
FIPS-CC mode: disable
Current HA mode: standalone
Distribution: International
Branch point: 646
Release Version Information: MR3 Patch 11
System time: Tue Dec  4 18:07:40 2012


So when configuration of the  ipv6,  you can set the  ipv6 address within the WebUI interface but all other  settings are typicall set from the cli.

To configure ipv6,  you  have  to enter a sub-config area called config ipv6, and within this sub-area, you can do the following;

  • enable ipv6
  • enable ipv6 alllowaccess for management function
  • set ipv6 RA announcements and values

RA allows for SLAAC configurations for any  ipv6 enable hosts, and must be configured for  SLAAC operations to commence. To start, you need to identify the interface(s) that will be ipv6 enable. In my case, I'm using the internal switch interface , known simply as "internal"

So I've highlighted the configurations details that pertains to ipv6 functions;


 edit "internal"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set alias "inside"
            config ipv6
                set ip6-address 2001:11::1/64
                set ip6-allowaccess ping https ssh snmp
                    config ip6-prefix-list
                        edit 2001:11::/64
                            set autonomous-flag enable
                            set preferred-life-time 600
                            set valid-life-time 600
                        next
                    end
                set ip6-retrans-time 4000
                set ip6-send-adv enable
            end

    next


Now let's talk about these settings; the line ip6-address 2001:11::1/64 assigns the address and prefix.The next line tells us what  access is allowed for management towards this ipv6 interface { ping;https;ssh;snmp}

The next lines allows for configurations and allowance of  a ipv6 prefix announcements and the prefix for that RA. This will allow for any ipv6 host to be autconf with a ipv6 address using its oui-64 address;

e.g ( my macbook using it's systems ethernet bia, it  received the prefix and auto-assigned it's address using that burn-in-address that has been converted for the lower 64bits of the 128 bit address )

hyperfeed-MacBook:~ kenfelix1$ ifconfig en0 inet6
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
    inet6 fe80::21f:5bff:feea:afa%en0 prefixlen 64 scopeid 0x4
    inet6 2001:11::21f:5bff:feea:afa prefixlen 64 autoconf
hyperfeed-MacBook:~ kenfelix1$


As you can see I have a ipv6 address,  due to the  ipv6 prefix-list assignment and send-advertisements configuration.

After you configure the ipv6 interfaces, you can now craft ipv6  fwpolicies.

I hope  this quick post , helps you with ipv6 configuration in a Fortinet Fortigate firewall appliance.

Ken Felix  "freelance network and security" engineer
kfelix" @" hyperfeed dot com


4 comments:

  1. Hi Ken

    Thanks for this seems like the best setup advice I can find on the internet. Fortigates techinical docs seem old.

    How can I see if the fortigate is sending RA's?

    Im using ubuntu and its not autoconiguring the address

    ReplyDelete
    Replies
    1. You have a few ways to validate that RA announcements are being sent;

      Ubuntu:

      tcpdump –nnvvv –i eth0 icmp6
      tshark –n –i eth0 –R ‘icmpv6.type==134’


      Fortigate :
      diagnostic sniffer packet “insert interface-name” icmp6

      NOTE: Just remember that RA uses icmpv6

      Back to your Ubuntu box and it’s ipv6 setup, do you have it setup for autoconfig?
      sysctl -a net.ipv6.conf.eth0.autoconf

      If not you will need to write 1 value to the system controls

      e.g
      sysctl –w net.ipv6.conf.eth0.autoconf=1

      Also if you see no ipv6 in your system controls, and if you restart networking and get this error

      CRITICAL : [ipv6_test] Kernel is not compiled with IPv6 support

      That would surely mean you need to recompile support for ipv6 support in t he kernel.

      Good luck ( - | - )
      _

      Delete
  2. Thanks for your help! After restarting network manager the auto configure works. I used wireshark to confirm.

    Thanks for your help!!!

    ReplyDelete
  3. Hello! This is unclear for me. I have a router that has direct IPv6 connectivity.
    1. If I define (public) IPv6 address to external interface, it goes to internet, but internal machines that are behind another port (and in another zone) don't see the firewall.
    2. If I define that public IPv6 address to internal interface, my machines can see it (ping6 replies in both directions), but there's no connectivity to internet, not even from the router itself.
    So how should the connection be made between internal and external interface? I have IPv6 policies that allow all traffic between these two zones but that doesn't help. Do I have to use some intermediate IPv6 network to route between internal and external zones? That would be really ugly.

    ReplyDelete