IPv6 configuration
This section contains configuration information for IPv6 on FortiOS. Attempts are made to include scenarios in each section to better assist with the configuration and to orient the information toward a particular task.
You will find information on the following:
IPv6 address groups
To create IPv6 address groups from existing IPv6 addresses – web-based manager
Your company has 3 internal servers with IPv6 addresses that it would like to group together for the purposes of a number of policies.
- Go to Policy & Objects > Addresses and select Create New > Address Group.
- Select IPv6 Group, and fill out the fields with the following information:
Group Name | Web_Server_Cluster |
Members | Web_Server-1 Web_Server-2 Web_Server-3 |
- Select
To create IPv6 address groups from existing IPv6 addresses – CLI
config firewall addrgrp6
    edit Web_Server_Cluster
        set member Web_Server-1 Web_Server-2 Web_Server-3
end
To verify that the addresses were added correctly
- Go to Policy & Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
- From the CLI, enter the following commands:
config firewall addrgrp6
    edit <the name of the address that you wish to verify>
        show full-configuration
IPv6 address ranges
You can configure IPv6 address ranges in both the GUI and the CLI.
To configure IPv6 address ranges – web-based manager:
- Go to Policy & Objects > Addresses.
- Set the Type to IP Range and enter the IPv6 addresses as shown:
To configure IPv6 address ranges – CLI:
config firewall address6
    edit ipv6range
        set type iprange
        set start-ip 2001:db8:0:2::30
        set end-ip 2001:db8:0:2::31
end
IPv6 firewall addresses
Scenario: Mail server
You need to create an IPv6 address for the Mail Server, which is on the internal network connected to port1.
- The IP address is 2001:db8:0:2::20/128.
- There should be a tag identifying this address as a server.
Configuring the Example using the GUI
- Go to Policy & Objects > Objects > Addresses and select Create New > Address.
- Select IPv6 Address and fill out the fields with the following information:
Name | Mail_Server |
Type | Subnet |
IPv6 Address | 2001:db8:0:2::20/128 |
- Select
Configuring the Example using the CLI
Enter the following CLI command:
config firewall address6
    edit Mail_Server
        set type ipprefix
        set subnet 2001:db8:0:2::20/128
end
Scenario: First floor network
You need to create an IPv6 address for the subnet of the internal network whose computers connect to port1.
- The network uses the IPv6 addresses fdde:5a7d:f40b:2e9d:xxxx:xxxx:xxxx:xxxx.
- There should be a reference to this being the network for the 1st floor of the building.
- Go to Policy & Objects > Objects > Addresses
- Select Create New > Address. Select IPv6 Address and fill out the fields with the following information:
Name | Internal_Subnet_1 |
Type | Subnet / IP Range |
IPv6 Address | 2001:db8:0:2::/64 |
Comments | Network for 1st Floor |
- Select
- Enter the following CLI command:
config firewall address6
    edit Internal_Subnet_1
        set comment "Network for 1st Floor"
        set type ipprefix
        set subnet 2001:db8:0:2::/64
end
Scenario: Accounting team
You need to create an IPv6 address for the Accounting Team that’s on the 1st Floor. These users are off of various ports of the FortiGate, but they have all been assigned addresses between 2001:db8:0:2::2000 and 2001:db8:0:2::a000.
Configuring the example using the GUI
- Go to Policy & Objects > Objects > Addresses and select Create New > Address.
- Select IPv6 Address and fill out the fields with the following information:
Name | Accounting_Team |
Type | IP Range |
Subnet / IP Range | 2001:db8:0:2::2000-2001:db8:0:2::a000 |
- Select OK.
Configuring the Example using the CLI
Enter the following CLI command:
config firewall address6
    edit Accounting_Team
        set type iprange
        set visibility enable
        set start-ip 2001:db8:0:2::2000
        set end-ip 2001:db8:0:2::a000
end
To verify that the addresses were added correctly:
- Go to Policy & Objects > Objects > Addresses. Check that the addresses have been added to the address list and that they are correct.
- Enter the following CLI command:
config firewall address6
    edit <the name of the address that you wish to verify>
        show full-configuration
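The scenario objects above are not disjoint: Mail_Server and Accounting_Team both fall inside Internal_Subnet_1, so any policy that matches the subnet object also matches those hosts. The following Python script is an added example, not part of the Fortinet documentation; it parses address6 blocks in the form shown on this page, rejects ranges whose start-ip is above end-ip, and lists which objects are contained in others. The function names are this example's own, and the sample text is constructed from the page's values.

```python
import ipaddress
import itertools
import shlex

# Constructed sample: the address6 objects from this page in multi-line form.
SAMPLE = """\
config firewall address6
    edit Mail_Server
        set type ipprefix
        set subnet 2001:db8:0:2::20/128
    next
    edit Internal_Subnet_1
        set comment "Network for 1st Floor"
        set type ipprefix
        set subnet 2001:db8:0:2::/64
    next
    edit Accounting_Team
        set type iprange
        set start-ip 2001:db8:0:2::2000
        set end-ip 2001:db8:0:2::a000
end
"""

def bounds(fields):
    """Inclusive (first, last) addresses covered by one address6 object."""
    if fields.get("type") == "iprange":
        lo = ipaddress.IPv6Address(fields["start-ip"])
        hi = ipaddress.IPv6Address(fields["end-ip"])
        if lo > hi:
            raise ValueError("start-ip is above end-ip")
        return lo, hi
    net = ipaddress.IPv6Network(fields["subnet"])  # rejects host bits set
    return net.network_address, net.broadcast_address

def parse_address6(text):
    """Map each object name to its inclusive address bounds."""
    objs, name, fields = {}, None, {}
    for words in map(shlex.split, text.splitlines()):
        if words[:1] == ["edit"]:
            name, fields = words[1], {}
        elif words[:1] == ["set"] and len(words) >= 3:
            fields[words[1]] = words[2]
        elif words[:1] in (["next"], ["end"]) and name:
            objs[name], name = bounds(fields), None
    return objs

def contained(objs):
    """Pairs (inner, outer) where inner lies wholly inside outer."""
    return [(a, b) for a, b in itertools.permutations(objs, 2)
            if objs[b][0] <= objs[a][0] and objs[a][1] <= objs[b][1]]
```

Calling `contained(parse_address6(SAMPLE))` returns the (inner, outer) pairs to review before writing policies that reference both objects.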