New Fortinet FortiGate IPv6 MIB fields
The following IPv6 MIB fields have been added to the Fortinet FortiGate MIB. These MIB entries can be used to display IPv6 session and policy statistics.
- IPv6 session counters: fgSysSes6Count, fgSysSes6Rate1, fgSysSes6Rate10, fgSysSes6Rate30, fgSysSes6Rate60
- IPv6 policy statistics: fgFwPol6StatsTable, fgFwPol6StatsEntry (SEQUENCE type FgFwPol6StatsEntry), fgFwPol6ID, fgFwPol6PktCount, fgFwPol6ByteCount
- IPv6 session statistics: fgIp6SessStatsTable, fgIp6SessStatsEntry (SEQUENCE type FgIp6SessStatsEntry), fgIp6SessNumber
The existing fgSysSesCount and fgSysSesRate1/10/30/60 objects continue to report IPv4 and IPv6 sessions combined; their behavior was not changed. An IPv4-only figure is therefore the combined value minus the corresponding fgSysSes6 value.
New OIDs
The following OIDs have been added (the sysinfo entries are the new IPv6-specific counters; the existing fgSysSesRate objects keep their OIDs):

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgSystem.fgSystemInfo
    .fgSysSes6Count      1.3.6.1.4.1.12356.101.4.1.15
    .fgSysSes6Rate1      1.3.6.1.4.1.12356.101.4.1.16
    .fgSysSes6Rate10     1.3.6.1.4.1.12356.101.4.1.17
    .fgSysSes6Rate30     1.3.6.1.4.1.12356.101.4.1.18
    .fgSysSes6Rate60     1.3.6.1.4.1.12356.101.4.1.19

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgFirewall.fgFwPolicies.fgFwPolTables.fgFwPol6StatsTable.fgFwPol6StatsEntry
    .fgFwPol6ID          1.3.6.1.4.1.12356.101.5.1.2.2.1.1
    .fgFwPol6PktCount    1.3.6.1.4.1.12356.101.5.1.2.2.1.2
    .fgFwPol6ByteCount   1.3.6.1.4.1.12356.101.5.1.2.2.1.3

FORTINET-FORTIGATE-MIB:fortinet.fnFortiGateMib.fgInetProto.fgInetProtoTables.fgIp6SessStatsTable.fgIp6SessStatsEntry
    .fgIp6SessNumber     1.3.6.1.4.1.12356.101.11.2.3.1.1
EXAMPLE SNMP get/walk output
// Session6 stats excerpt from sysinfo:
snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.4
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate10.0 = Gauge32: 2 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate30.0 = Gauge32: 1 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgSysSes6Rate60.0 = Gauge32: 0 Sessions Per Second
// FwPolicy6 table:
snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.5.1.2.2
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0
// IP6SessNumber:
snmpwalk -v2c -cpublic 192.168.1.111 1.3.6.1.4.1.12356.101.11.2.3.1
FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
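The walks above are only useful once a poller turns them into numbers and, for the policy table, into rates. The following script is an added example (not part of the original page and not Fortinet code): it parses net-snmp text output for the IPv6 session scalars and for fgFwPol6StatsTable, decodes the table index as <VDOM index>.<policy ID> (the row ".1.3" is policy 3 in VDOM 1), and computes per-policy packets/s and bits/s from two polls, handling a counter wrap. The two walks embedded below are constructed sample input; the first repeats the values shown on this page, the second is an invented poll taken 60 seconds later.

```python
"""Parse net-snmp 'snmpwalk' text for the FortiGate IPv6 MIB objects and
derive per-policy rates from two polls of fgFwPol6StatsTable."""
import re
from collections import defaultdict

# One resolved net-snmp output line, for example:
#   FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
#   FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
LINE_RE = re.compile(
    r"^FORTINET-FORTIGATE-MIB::(?P<obj>[A-Za-z0-9]+)\.(?P<idx>\d+(?:\.\d+)*)"
    r"\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<val>\d+)"
)


def parse_walk(text):
    """Yield (object name, index tuple, SNMP type, integer value) per line.
    Lines that are not MIB-resolved numeric values are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            idx = tuple(int(p) for p in m.group("idx").split("."))
            yield m.group("obj"), idx, m.group("type"), int(m.group("val"))


def session6_stats(text):
    """Scalar IPv6 session objects (instance .0), e.g. {'fgSysSes6Count': 203}."""
    return {obj: val for obj, idx, _, val in parse_walk(text)
            if obj.startswith("fgSysSes6") and idx == (0,)}


def policy6_table(text):
    """fgFwPol6StatsTable rows keyed by (VDOM index, policy ID).
    The row index is <fgVdEntIndex>.<fgFwPol6ID>, so '.1.3' is policy 3 in VDOM 1."""
    rows = defaultdict(dict)
    for obj, idx, _, val in parse_walk(text):
        if obj.startswith("fgFwPol6") and len(idx) == 2:
            rows[idx][obj] = val
    return dict(rows)


def counter_delta(old, new, bits):
    """Increase between two samples of an SNMP counter, allowing one wrap-around."""
    return new - old if new >= old else (1 << bits) - old + new


def policy6_rates(walk_t0, walk_t1, interval_s):
    """Per-policy (packets/s, bits/s) between two walks taken interval_s apart.
    Policies present only in the second walk have no baseline and are omitted."""
    t0, t1 = policy6_table(walk_t0), policy6_table(walk_t1)
    rates = {}
    for key, row in t1.items():
        base = t0.get(key)
        if base is None:
            continue
        pkts = counter_delta(base["fgFwPol6PktCount"], row["fgFwPol6PktCount"], 64)
        byts = counter_delta(base["fgFwPol6ByteCount"], row["fgFwPol6ByteCount"], 64)
        rates[key] = (pkts / interval_s, byts * 8 / interval_s)
    return rates


# Constructed sample input. WALK_T0 repeats the values shown on this page;
# WALK_T1 is an invented second poll 60 s later with a new policy 5 added.
WALK_T0 = """\
FORTINET-FORTIGATE-MIB::fgSysSes6Count.0 = Gauge32: 203
FORTINET-FORTIGATE-MIB::fgSysSes6Rate1.0 = Gauge32: 10 Sessions Per Second
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4329
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 317776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 0
FORTINET-FORTIGATE-MIB::fgIp6SessNumber.1 = Counter32: 89
"""
WALK_T1 = """\
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.3 = INTEGER: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.4 = INTEGER: 4
FORTINET-FORTIGATE-MIB::fgFwPol6ID.1.5 = INTEGER: 5
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.3 = Counter64: 4929
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.4 = Counter64: 12
FORTINET-FORTIGATE-MIB::fgFwPol6PktCount.1.5 = Counter64: 3
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.3 = Counter64: 377776
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.4 = Counter64: 960
FORTINET-FORTIGATE-MIB::fgFwPol6ByteCount.1.5 = Counter64: 240
"""

if __name__ == "__main__":
    print(session6_stats(WALK_T0))
    for (vdom, pol), (pps, bps) in sorted(policy6_rates(WALK_T0, WALK_T1, 60).items()):
        print(f"vdom {vdom} policy6 {pol}: {pps:.2f} pkt/s, {bps:.0f} bit/s")
```

In a real poller, feed the script the output of snmpwalk against the OIDs listed above. The example walks on this page use SNMPv2c with the community string "public"; on a production firewall prefer an SNMPv3 user with authentication and privacy (net-snmp: snmpwalk -v3 -l authPriv -u <user> -a SHA -A <auth-pass> -x AES -X <priv-pass> <host> <OID>), since a v2c community is sent in clear text and anyone who captures it can read the per-policy traffic profile of the firewall.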
IPv6 Per-IP traffic shaper
You can apply any existing per-IP traffic shaper to an IPv6 security policy. The shaper itself is defined under config firewall shaper per-ip-shaper; the policy only references it by name. Using edit 0 creates a new policy and assigns it the next free ID; to attach the shaper to an existing policy, use that policy's ID instead:
config firewall policy6
    edit 0
        set per-ip-shaper "new-perip-shaper"
    end
DHCPv6
You can configure DHCPv6 from the CLI. First make sure IPv6 is enabled by going to System > Feature Select and enabling IPv6, then use the following command:
config system dhcp6 server
For more information on the configuration options, see the FortiGate CLI Reference.
DHCP delegated mode
Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.
DHCPv6-PD configuration
Enable DHCPv6 prefix delegation on the upstream interface (port10):
config system interface
    edit "port10"
        config ipv6
            set dhcp6-prefix-delegation enable
        end
    end
Assign the delegated prefix on the downstream interface (port1). ip6-subnet gives the interface its own address within the delegated prefix, and the optional ipv6-delegated-prefix-list entries select which subnets of the delegated prefix are announced to hosts in router advertisements (ip6-send-adv must be enabled for that):
config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
            set ip6-subnet ::1:0:0:0:1/64
            set ip6-send-adv enable
            config ipv6-delegated-prefix-list
                edit 1
                    set upstream-interface "port10"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:100::/64
                end
        end
    end
DHCPv6 Server configuration
Configuring a server that uses the delegated prefix and the DNS servers learned from the upstream interface:
config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "wan2"
        set upstream-interface "wan1"
        set ip-mode delegated
        set subnet 0:0:0:102::/64
    end
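The suffix-style values in the delegated-mode settings above (::1:0:0:0:1/64, 0:0:0:100::/64, 0:0:0:102::/64) are easy to misread, and a subnet ID that collides with the bits the ISP actually delegates is a configuration error that only shows up once the prefix arrives. The following script is an added example, not part of the original page and not FortiOS code: it models the combination as "OR the suffix bits below the delegated prefix and take the suffix's own length", which is an assumption about the feature, and reports what each setting on this page resolves to for a given delegation. The delegated prefixes used (2001:db8:1::/48 and 2001:db8:1:200::/56) are constructed documentation prefixes standing in for an ISP delegation.

```python
"""Work out the concrete prefixes and addresses that the delegated-mode settings
above produce once the upstream interface learns a prefix via DHCPv6-PD."""
import ipaddress


def apply_delegated(delegated, suffix):
    """Combine a DHCPv6-PD delegated prefix with a FortiOS-style suffix such as
    '::1:0:0:0:1/64' or '0:0:0:100::/64'.

    Assumed combination rule (a model of the feature, not FortiOS code): the
    suffix bits are OR-ed below the delegated prefix and the suffix's own prefix
    length becomes the resulting prefix length."""
    net = ipaddress.IPv6Network(delegated, strict=True)
    sfx = ipaddress.IPv6Interface(suffix)
    if sfx.network.prefixlen < net.prefixlen:
        raise ValueError(
            f"suffix /{sfx.network.prefixlen} is shorter than delegated /{net.prefixlen}")
    # Suffix bits that fall inside the delegated prefix's own range cannot be
    # honoured without corrupting the prefix: treat them as a misconfiguration.
    if int(sfx.ip) & int(net.netmask):
        raise ValueError(f"suffix {suffix} sets bits inside delegated prefix {delegated}")
    combined = int(net.network_address) | int(sfx.ip)
    return ipaddress.IPv6Interface(
        f"{ipaddress.IPv6Address(combined)}/{sfx.network.prefixlen}")


# The three suffixes used in the configuration on this page.
PORT1_ADDRESS_SUFFIX = "::1:0:0:0:1/64"     # port1: set ip6-subnet
PORT1_RA_PREFIX_SUFFIX = "0:0:0:100::/64"   # port1: ipv6-delegated-prefix-list subnet
WAN2_DHCP_SUBNET_SUFFIX = "0:0:0:102::/64"  # dhcp6 server 1: set subnet


def plan_site(delegated):
    """Return what each downstream setting resolves to for a given delegation."""
    return {
        "port1_address": apply_delegated(delegated, PORT1_ADDRESS_SUFFIX),
        "port1_ra_prefix": apply_delegated(delegated, PORT1_RA_PREFIX_SUFFIX).network,
        "wan2_dhcp_subnet": apply_delegated(delegated, WAN2_DHCP_SUBNET_SUFFIX).network,
    }


if __name__ == "__main__":
    # Constructed example: a documentation /48 standing in for an ISP delegation.
    for name, value in plan_site("2001:db8:1::/48").items():
        print(f"{name:18} {value}")
    # A /56 delegation leaves only 8 bits of subnet ID; 0:0:0:100:: would need more.
    try:
        apply_delegated("2001:db8:1:200::/56", PORT1_RA_PREFIX_SUFFIX)
    except ValueError as err:
        print("rejected:", err)
```

With a /48 delegation, port1 gets 2001:db8:1:1::1/64, advertises 2001:db8:1:100::/64, and the DHCPv6 server on wan2 hands out addresses in 2001:db8:1:102::/64. With a /56 delegation only the low byte of the fourth hextet is available for subnet IDs, so a subnet value such as 0:0:0:1::/64 still works but 0:0:0:100::/64 is rejected by the check; run the same computation against the prefix length your provider actually delegates before committing the configuration.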
DHCPv6 relay
The following commands configure a FortiGate interface to relay DHCPv6 messages between the clients on its network and a DHCPv6 server on another network. dhcp6-relay-service enables the relay, and dhcp6-relay-ip is the IPv6 address of the DHCPv6 server that the FortiGate forwards requests to:
config system interface
    edit internal
        config ipv6
            set dhcp6-relay-service enable
            set dhcp6-relay-type regular
            set dhcp6-relay-ip 2001:db8:0:2::30
        end
    end
IPv6 forwarding
Policies, IPS, Application Control, flow-based antivirus, web filtering, and DLP
FortiOS supports flow-based inspection of IPv6 traffic, including IPS, application control, antivirus scanning, and web filtering.
To apply flow-based inspection to IPv6 traffic, go to Policy & Objects > IPv6 Policy, select Create New, and create an IPv6 security policy that accepts the traffic to be scanned. Under Security Profiles, select the profiles to apply to that traffic.
Obtaining IPv6 addresses from an IPv6 DHCP server
From the CLI, you can configure any FortiGate interface to obtain an IPv6 address from a DHCPv6 server. For example, to configure the wan2 interface to get its IPv6 address from a DHCPv6 server, enter:
config system interface
    edit wan2
        config ipv6
            set ip6-mode dhcp
        end
    end