IPv6 SSL inspection not working
I have a Fortigate 50E on 5.6.3 that has a successful SSL inspection and AV/Antispam scanning enabled for IPv4 LAN-WAN traffic. I have recently enabled IPv6 DHCP prefix delegation and now have dual-stack IPv4 and IPv6.
I am attempting to have IPv6 traffic inspected & scanned. I have the following IPv6 policies:
    Gateway # show firewall ssl-ssh-profile custom-deep-inspection
    config firewall ssl-ssh-profile
        edit "custom-deep-inspection"
            set comment "Customizable deep inspection profile."
            config ssl
                set inspect-all deep-inspection
            end
            config ssl-exempt
                edit 1
                    set type address
                    set address "*.archlinux.org"
                next
                edit 2
                    set type address
                    set address "*.cisco.com"
                next
                edit 3
                    set type address
                    set address "*.netflix.com"
                next
                edit 4
                    set type address
                    set address "*.nflxvideo.net"
                next
                edit 5
                    set type address
                    set address "*.roku.com"
                next
                edit 6
                    set type address
                    set address "adobe"
                next
                edit 7
                    set type address
                    set address "Adobe Login"
                next
                edit 8
                    set type address
                    set address "android"
                next
                edit 9
                    set type address
                    set address "apple"
                next
                edit 10
                    set type address
                    set address "appstore"
                next
                edit 11
                    set type address
                    set address "auth.gfx.ms"
                next
                edit 12
                    set type address
                    set address "autoupdate.opera.com"
                next
                edit 13
                    set type address
                    set address "citrix"
                next
                edit 14
                    set type address
                    set address "dropbox.com"
                next
                edit 15
                    set type address
                    set address "eease"
                next
                edit 16
                    set type address
                    set address "F30E_remote_subnet2"
                next
                edit 17
                    set type address
                    set address "F30E_remote_subnet_1"
                next
                edit 18
                    set type address
                    set address "firefox update server"
                next
                edit 19
                    set type address
                    set address "fortinet"
                next
                edit 20
                    set type address
                    set address "google-drive"
                next
                edit 21
                    set type address
                    set address "google-play"
                next
                edit 22
                    set type address
                    set address "google-play2"
                next
                edit 23
                    set type address
                    set address "google-play3"
                next
                edit 24
                    set type address
                    set address "googleapis.com"
                next
                edit 25
                    set type address
                    set address "Gotomeeting"
                next
                edit 26
                    set type address
                    set address "icloud"
                next
                edit 27
                    set type address
                    set address "itunes"
                next
                edit 28
                    set type address
                    set address "microsoft"
                next
                edit 29
                    set type address
                    set address "ROKU"
                next
                edit 30
                    set type address
                    set address "skype"
                next
                edit 31
                    set type address
                    set address "softwareupdate.vmware.com"
                next
                edit 32
                    set type address
                    set address "swscan.apple.com"
                next
                edit 33
                    set type address
                    set address "update.microsoft.com"
                next
                edit 34
                    set type address
                    set address "verisign"
                next
                edit 35
                    set type address
                    set address "Windows update 2"
                next
                edit 36
                    set fortiguard-category 31
                next
                edit 37
                    set fortiguard-category 33
                next
            end
        next
    end

    Gateway # show firewall policy6
    config firewall policy6
        edit 1
            set name "6-LAN-WAN"
            set uuid e107d232-0983-51e8-773c-106addad33df
            set srcintf "lan"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set av-profile "default"
            set spamfilter-profile "default"
            set profile-protocol-options "default"
            set ssl-ssh-profile "custom-deep-inspection"
        next
        edit 2
            set name "6-wifi-WAN"
            set uuid 4990080c-0988-51e8-fdcb-e98d8c011868
            set srcintf "wifi"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
        next
        edit 3
            set name "6-wan-lan-ping6"
            set uuid 4a82ca62-0990-51e8-5422-9971448afc15
            set srcintf "wan1"
            set dstintf "lan"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "PING6"
        next
    end
This is the same process I used for IPv4 traffic on the "LAN-WAN" IPv4 policy. But IPv6 clients do not appear to be inspected; IPv6 clients on the LAN are not seeing the HTTPS certificate replaced with the Fortigate's SSL scanning cert, like they are with IPv4 traffic.
What is the issue?
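A small audit script for the policy dump format shown above, added here as an example and not part of the forum post: it parses FortiOS `show` output into per-policy settings and flags accept policies toward the WAN interface that have no UTM or SSL/SSH profile attached. The sample input is constructed from the post's `policy6` entries (uuids and unused settings dropped), and the WAN interface name `wan1` is taken from the post.

```python
# Audit a FortiOS policy dump for accept policies that forward traffic without
# UTM / SSL inspection. Added example, not part of the forum post; SAMPLE is
# constructed from the post's 'show firewall policy6' output (uuids removed).
import shlex

SAMPLE = """config firewall policy6
    edit 1
        set name "6-LAN-WAN"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set av-profile "default"
        set ssl-ssh-profile "custom-deep-inspection"
    next
    edit 2
        set name "6-wifi-WAN"
        set dstintf "wan1"
        set action accept
    next
end
"""

def parse_policies(text):
    """Map each 'edit <id>' block to a dict of its 'set' lines (quotes stripped)."""
    policies, current = {}, None
    for line in text.splitlines():
        tok = shlex.split(line)          # handles quoted values like "6-LAN-WAN"
        if not tok:
            continue
        if tok[0] == "edit" and current is None:
            current, policies[tok[1]] = tok[1], {}
        elif tok[0] == "set" and current is not None:
            policies[current][tok[1]] = " ".join(tok[2:])
        elif tok[0] == "next":
            current = None
    return policies

def audit(policies, wan_if="wan1"):
    """List (id, name, problem) for accept policies toward wan_if lacking inspection."""
    findings = []
    for pid, p in policies.items():
        if p.get("action") != "accept" or p.get("dstintf") != wan_if:
            continue
        if p.get("utm-status") != "enable":
            findings.append((pid, p.get("name", ""), "utm-status not enabled"))
        if "ssl-ssh-profile" not in p:
            findings.append((pid, p.get("name", ""), "no ssl-ssh-profile"))
    return findings
```

Run it against the real `show firewall policy` and `show firewall policy6` output side by side to confirm both address families carry the same inspection settings before looking elsewhere for the cause.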
