Friday, November 30, 2012

Rant: IPv6 (OSPFv3) authentication, or the lack of it, in my favorite firewall

I'm currently running IPv6 at 2 unique setups. One setup has 2 edge routers and 2 Fortigates in an A-P cluster running OSPFv3. I wanted to enable OSPFv3 with authentication, since I had just enabled an ASA that sits on that same OSPFv3 area 0 backbone.

What I found out was a big surprise. Fortinet dropped the ball with OSPFv3 security features and with supporting them in their firewalls. I was honestly shocked upon finding out this limitation.

Here's a direct quote from Fortinet TAC after they spent 4 days investigating:

   {
I just received an answer from our specialist. Fortigate does not accept OSPFv3 authentication via IPsec+AH. So far, we cannot tell you when this feature will be available.

Please let us know if you need more information or if there is anything else we can help you with.
If this solves your issue, please update the ticket with the information so that we may close this ticket. Thank you.


Regards,
Maximira Correa
Fortinet TAC Engineer, Americas
Monday - Friday, 8:00am-5:00pm (Pacific)
https://support.fortinet.com
Tech Support: 1-866-648-4638

   }

Is this okay? Nope, not really.

Fortinet has had IPv6 functions and routing in their firewalls for quite some time. As a matter of fact, I've been using IPv6 (static routed) since MR6 Patch 6 on a FWF60 model.

So I find it funny that Fortigate has been IPv6 aware since the late version 3 code, and has had OSPFv3 routing support for some time as well. But somehow they missed this basic security feature?

For what it's worth, Juniper, Cisco, H3C, and Cisco's own ASA all support OSPFv3 authentication, but on the simple and highly respected Fortigate Security Gateway this is not doable.
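What the TAC answer actually means on the wire, as an added example that is not from the original post, from Fortinet, or from any other vendor's code: OSPFv3 dropped the per-packet authentication fields that OSPFv2 carried in its own header and instead relies on IPsec (RFC 4552). An "authenticated" OSPFv3 hello is therefore an IPv6 packet whose next header is AH (protocol 51), carrying an SPI and an ICV, with the OSPFv3 header (protocol 89) only appearing behind the AH header. The Python below walks the IPv6 extension-header chain of a raw frame and reports whether AH is present and which SPI it uses. The two sample frames are constructed inline by build_hello(); the AH ICV in them is a placeholder, so this checks for the presence of AH, not the validity of the MAC (that needs the shared key).

```python
"""Check whether OSPFv3 frames on the wire carry an IPsec AH header (RFC 4552 style).

Added example for this post; not Fortinet's, Cisco's or the author's code. Frames are
constructed in build_hello(); the AH ICV is a placeholder and is never verified here.
"""
import struct

IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_AH, IPPROTO_DSTOPTS, IPPROTO_OSPF = 0, 43, 51, 60, 89
ALL_SPF_ROUTERS = bytes.fromhex("ff02" + "0000" * 6 + "0005")   # ff02::5
OSPF_TYPES = {1: "Hello", 2: "DB Description", 3: "LS Request", 4: "LS Update", 5: "LS Ack"}


def walk_ipv6(pkt: bytes) -> dict:
    """Walk the IPv6 extension-header chain and report what sits in front of the payload."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not a complete IPv6 header")
    payload_len = struct.unpack("!H", pkt[4:6])[0]
    end = 40 + payload_len
    if end > len(pkt):
        raise ValueError("IPv6 payload length exceeds frame")
    next_hdr, off = pkt[6], 40
    info = {"ah": False, "spi": None, "ah_seq": None, "dst": pkt[24:40]}
    while True:
        if next_hdr in (IPPROTO_HOPOPTS, IPPROTO_ROUTING, IPPROTO_DSTOPTS):
            if off + 2 > end:
                raise ValueError("truncated extension header")
            hdr_len = (pkt[off + 1] + 1) * 8      # Hdr Ext Len: 8-octet units, first 8 not counted
        elif next_hdr == IPPROTO_AH:
            if off + 12 > end:
                raise ValueError("truncated AH header")
            hdr_len = (pkt[off + 1] + 2) * 4      # AH Payload Len: 4-octet units minus 2 (RFC 4302)
            info["ah"] = True
            info["spi"], info["ah_seq"] = struct.unpack("!II", pkt[off + 4:off + 12])
        else:
            break                                  # reached the upper-layer protocol
        next_hdr = pkt[off]
        off += hdr_len
        if off > end:
            raise ValueError("extension header runs past payload")
    info["final_proto"], info["payload"] = next_hdr, pkt[off:end]
    return info


def classify_ospfv3(pkt: bytes) -> dict:
    """Is this frame OSPFv3, and did it arrive inside AH?  (ICV not checked: that needs the key.)"""
    info = walk_ipv6(pkt)
    p = info["payload"]
    if info["final_proto"] != IPPROTO_OSPF or len(p) < 16 or p[0] != 3:
        return {"ospfv3": False, "authenticated": False, "spi": None, "type": None,
                "router_id": None, "to_all_spf_routers": False}
    return {
        "ospfv3": True,
        "authenticated": info["ah"],
        "spi": info["spi"],
        "type": OSPF_TYPES.get(p[1], "unknown"),
        "router_id": ".".join(str(b) for b in p[4:8]),
        "to_all_spf_routers": info["dst"] == ALL_SPF_ROUTERS,
    }


def build_hello(router_id: bytes = b"\x0a\x00\x00\x01", with_ah: bool = False, spi: int = 0x100) -> bytes:
    """Constructed sample frame: IPv6 -> [AH ->] OSPFv3 Hello to ff02::5 (checksum and ICV are dummies)."""
    # Hello body: interface ID, router priority, options (R|E|V6), hello/dead intervals, DR, BDR
    hello_body = struct.pack("!IB3sHHII", 7, 1, b"\x00\x00\x13", 10, 40, 0, 0)
    # OSPFv3 header: version 3, type 1 (Hello), length, router ID, area ID 0, checksum, instance ID, reserved
    ospf = struct.pack("!BBH4s4sHBB", 3, 1, 16 + len(hello_body), router_id, b"\x00" * 4, 0, 0, 0) + hello_body
    if with_ah:
        icv = b"\xaa" * 12                          # HMAC-SHA1-96 sized ICV; placeholder, not computed
        ah_len = (12 + len(icv)) // 4 - 2          # AH Payload Len field (== 4 for a 24-octet AH)
        ah = struct.pack("!BBHII", IPPROTO_OSPF, ah_len, 0, spi, 1) + icv
        payload, next_hdr = ah + ospf, IPPROTO_AH
    else:
        payload, next_hdr = ospf, IPPROTO_OSPF
    src = bytes.fromhex("fe80" + "0000" * 6 + "0001")  # fe80::1, link-local as OSPFv3 requires
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_hdr, 1) + src + ALL_SPF_ROUTERS
    return ipv6 + payload


if __name__ == "__main__":
    for label, frame in (("plain", build_hello()), ("AH", build_hello(with_ah=True))):
        print(label, classify_ospfv3(frame))
```

Run over a capture from the segment where the ASA and the Fortigate meet, this tells you which neighbour is sending AH-wrapped hellos (and on which SPI) and which is sending bare OSPFv3. A box that cannot process the AH SA never gets to the OSPFv3 header behind it, which is consistent with the TAC answer above; a truncated or malformed frame raises ValueError rather than being silently classified.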

:(
Ken Felix
Freelance Network and Security Engineer
kfelix" at " hyperfeed.com

 

2 comments:

  1. Hi Ken,
    This was posted in 2012. Have you got any update on whether Fortigate can do it now?
  2. I haven't followed back up with FTNT, but in 5.4.x I do see this as being supported. So I guess the short answer is NO, OSPFv3 authentication is not supported.

    The v5.6.0 FortiOS CLI also doesn't list this as a supported feature under config router ospf6.