Technical Tip: How to configure a secondary IPv6 address on a FortiGate interface

Description

This article explains how to configure a secondary IPv6 on a FortiGate network interface.

Scope

FortiGate, IPv6.

Solution

Currently it is only possible to configure an IPv6 secondary IP address on the FortiGate using the CLI (no support via the GUI). To do so, navigate to the interface in the CLI and add an entry under the config ip6-extra-addr sub-section:

config system interface
    edit <name>

        config ipv6
            set ip6-address <IPv6_address/mask>
                config ip6-extra-addr
                    edit <IPv6_secondary_address/mask>
                    next
                end
            end
        next
    end

The IP address follows standard IPv6 convention of address/mask (e.g., 2001:db8::1/64). If a network mask is not specified then a /128 is automatically applied.

Note: The interface must first have a primary IPv6 address assigned using set ip6-address, otherwise the following error message will be displayed:

FortiGate # config system interface

FortiGate (interface) # edit LAN

FortiGate (LAN) # config ipv6

FortiGate (ipv6) # config ip6-extra-addr

FortiGate (ip6-extra-addr) # edit 2001:db8::1/64
new entry '2001:db8::1/64' added

FortiGate (2001:db8::1/64) # end
Please configure primary IPv6 address prefix first
object set operator error, -20 discard the setting
Command fail. Return code -20

Related documents:

• Technical Tip: IPv6 Manual Configuration of a Link-Local Address
• IPv6 quick start