FortiClient
ctanev1
Staff & Editor
Article Id 197789

Description

 

This article describes a DNS-related issue in which client devices send traffic out of the physical network adapter when IPv6 is enabled, even while they have an active IPv4 SSL VPN tunnel.

 

Scope

 

FortiClient, SSL VPN.

Solution

 

Prior to FortiClient v7.0.1 and FortiOS v7.0.0, SSL VPN did not support dual-stack IPv4/IPv6, so only IPv4 was carried across the VPN tunnel. For information regarding the addition of dual-stack functionality, refer to the following:

 

In general, Windows (and other operating systems) prefers IPv6 over IPv4 for outgoing connections when both are available on the device's physical network adapters (the default RFC 6724 address-selection order). Additionally, an IPv4 DNS server resolves FQDNs to both IPv4 (A records) and IPv6 (AAAA records, if present) addresses; the transport the DNS query travels over does not restrict the record types returned.

 

The above behavior results in an issue where the client device resolves both the IPv4 and IPv6 address for a given FQDN and then attempts to reach that destination using IPv6 instead of IPv4. If the SSL VPN tunnel is not configured for dual-stack operation (i.e., it is IPv4 only), the traffic egresses using IPv6 over the physical network connection rather than IPv4 over the VPN tunnel. This effectively bypasses security inspection by the FortiGate, since the traffic never enters the VPN tunnel.
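The following is an added example (not FortiClient or FortiOS code) that models the route-selection decision described above with a constructed routing table and a constructed resolver answer, so the bypass can be reproduced offline. The interface names "fortissl" and "Ethernet", the addresses and the FQDN are assumptions for illustration; host address preference is simplified to "IPv6 before IPv4", and block_ipv6 is modelled as IPv6 destinations being unusable while the tunnel is up.

```python
"""Model of the IPv6 bypass for an IPv4-only SSL VPN tunnel.

Added example, not FortiClient or FortiOS code. Routing tables, interface
names and resolver answers are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

TUNNEL_IF = "fortissl"    # assumed name of the FortiClient virtual adapter
PHYSICAL_IF = "Ethernet"  # assumed name of the physical adapter


@dataclass(frozen=True)
class Route:
    prefix: Network
    interface: str


def route(prefix: str, interface: str) -> Route:
    return Route(ipaddress.ip_network(prefix), interface)


# Constructed resolver answer: the FQDN has both an A and an AAAA record,
# so even an IPv4 DNS server hands the client both addresses.
RESOLVED = {
    "intranet.example.test": ["203.0.113.10", "2001:db8:0:1::10"],
}

# Full-tunnel, IPv4-only SSL VPN: the tunnel owns the IPv4 default route, but
# the only IPv6 default route is the one the LAN router advertised on Ethernet.
IPV4_ONLY_TUNNEL = [
    route("0.0.0.0/0", TUNNEL_IF),
    route("192.0.2.0/24", PHYSICAL_IF),        # local IPv4 LAN
    route("::/0", PHYSICAL_IF),                 # IPv6 default from router advertisement
    route("2001:db8:ffff::/64", PHYSICAL_IF),   # local IPv6 LAN
]

# Dual-stack tunnel: the tunnel also wins the IPv6 default route.
DUAL_STACK_TUNNEL = [
    route("0.0.0.0/0", TUNNEL_IF),
    route("::/0", TUNNEL_IF),
    route("192.0.2.0/24", PHYSICAL_IF),
    route("2001:db8:ffff::/64", PHYSICAL_IF),
]


def lookup(table: List[Route], addr: str) -> Optional[str]:
    """Longest-prefix match; returns the egress interface or None if unroutable."""
    ip = ipaddress.ip_address(addr)
    best: Optional[Route] = None
    for r in table:
        if ip.version == r.prefix.version and ip in r.prefix:
            if best is None or r.prefix.prefixlen > best.prefix.prefixlen:
                best = r
    return best.interface if best else None


def order_by_preference(addrs: List[str]) -> List[str]:
    """Simplified RFC 6724 destination ordering: IPv6 answers sort first."""
    return sorted(addrs, key=lambda a: ipaddress.ip_address(a).version, reverse=True)


def egress(fqdn: str, table: List[Route], block_ipv6: bool = False) -> Tuple[Optional[str], Optional[str]]:
    """Return (destination address, egress interface) the host would pick.

    block_ipv6=True discards the IPv6 answers, standing in for FortiClient
    dropping IPv6 while the tunnel is online; the client then falls back to
    the IPv4 answer (many applications do this by trying the next address).
    """
    candidates = order_by_preference(RESOLVED[fqdn])
    if block_ipv6:
        candidates = [a for a in candidates if ipaddress.ip_address(a).version == 4]
    for addr in candidates:
        iface = lookup(table, addr)
        if iface is not None:
            return addr, iface
    return None, None


def bypasses_tunnel(fqdn: str, table: List[Route], block_ipv6: bool = False) -> bool:
    """True when traffic for fqdn would leave on a non-tunnel interface."""
    _, iface = egress(fqdn, table, block_ipv6)
    return iface is not None and iface != TUNNEL_IF


if __name__ == "__main__":
    cases = [("IPv4-only tunnel", IPV4_ONLY_TUNNEL, False),
             ("IPv4-only tunnel + block_ipv6", IPV4_ONLY_TUNNEL, True),
             ("dual-stack tunnel", DUAL_STACK_TUNNEL, False)]
    for name, table, blk in cases:
        addr, iface = egress("intranet.example.test", table, blk)
        leak = bypasses_tunnel("intranet.example.test", table, blk)
        print(f"{name:32} -> {addr} via {iface}  bypass={leak}")
```

Running the block shows the three outcomes side by side: with the IPv4-only tunnel the AAAA answer wins and leaves via Ethernet; with block_ipv6 the client falls back to the A record and the traffic goes through the tunnel; with a dual-stack tunnel the IPv6 destination is itself routed through the tunnel.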

 

Within the FortiClient XML configuration, it is possible to enable block_ipv6 to prevent IPv6 traffic from being sent out of the endpoint network adapters while the VPN tunnel is connected/online. This ensures that only IPv4 is used, which prevents the unintended bypass described above (since Windows already holds IPv4 routes to the relevant destinations via the VPN tunnel). This option can be found in the following section of the XML config:

 

<forticlient_configuration>
    <vpn>
        <sslvpn>
            <options>
                <block_ipv6>[1 | 0]</block_ipv6>
            </options>
        </sslvpn>
    </vpn>
</forticlient_configuration>

 

Setting block_ipv6 to 1 enables the feature and results in FortiClient blocking IPv6 from being sent outside of the VPN tunnel, whereas setting it to 0 disables the option and allows IPv6 traffic to flow as normal. For guidance on configuring XML profiles on EMS, as well as performing config backup/restore from FortiClient itself, refer to the following section of the FortiClient XML Reference Guide: Backing up or restoring the configuration file.
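The following is an added example (not Fortinet tooling) for auditing exported FortiClient XML backups or EMS profiles for the block_ipv6 setting and producing a corrected copy. The sample configurations are constructed from the element path shown above (vpn/sslvpn/options/block_ipv6); a real export contains many more elements, which the code leaves untouched.

```python
"""Audit and remediate block_ipv6 in a FortiClient XML configuration.

Added example, not Fortinet tooling. Sample configurations are constructed
from the element path documented in the article.
"""
import xml.etree.ElementTree as ET
from typing import Optional

ROOT_TAG = "forticlient_configuration"
BLOCK_IPV6_PATH = "vpn/sslvpn/options/block_ipv6"

# Constructed sample: an exported profile with IPv6 blocking disabled.
WEAK_CONFIG = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <options>
        <block_ipv6>0</block_ipv6>
      </options>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""

# Constructed sample: a profile that never sets the option at all.
CONFIG_WITHOUT_OPTION = """<forticlient_configuration>
  <vpn>
    <sslvpn>
      <connections/>
    </sslvpn>
  </vpn>
</forticlient_configuration>
"""


def _root(xml_text: str) -> ET.Element:
    root = ET.fromstring(xml_text)
    if root.tag != ROOT_TAG:
        raise ValueError(f"not a FortiClient configuration (root is <{root.tag}>)")
    return root


def block_ipv6_setting(xml_text: str) -> Optional[int]:
    """Return 1 or 0 as configured, or None when the element is absent.

    Any value other than "0"/"1" is reported as an error rather than guessed.
    """
    node = _root(xml_text).find(BLOCK_IPV6_PATH)
    if node is None or node.text is None or not node.text.strip():
        return None
    value = node.text.strip()
    if value not in ("0", "1"):
        raise ValueError(f"unexpected block_ipv6 value {value!r}")
    return int(value)


def is_hardened(xml_text: str) -> bool:
    """Only an explicit block_ipv6=1 passes; absent or 0 is a finding."""
    return block_ipv6_setting(xml_text) == 1


def with_block_ipv6(xml_text: str, enabled: bool = True) -> str:
    """Return the configuration with block_ipv6 set, creating the path if missing."""
    root = _root(xml_text)
    node = root
    for tag in BLOCK_IPV6_PATH.split("/"):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    node.text = "1" if enabled else "0"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for label, cfg in [("weak", WEAK_CONFIG), ("missing", CONFIG_WITHOUT_OPTION)]:
        print(f"{label}: block_ipv6={block_ipv6_setting(cfg)} hardened={is_hardened(cfg)}")
        print(f"  after with_block_ipv6(): hardened={is_hardened(with_block_ipv6(cfg))}")
```

An absent element is treated as a finding rather than assumed safe, because the article notes that the default is not the same across FortiClient editions (the free macOS VPN application enables it by default). The remediated XML comes back without the original XML declaration and whitespace, so re-import it through EMS or the FortiClient restore function rather than diffing it byte for byte against the export.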

 

As an alternative, users can also disable IPv6 on the physical network adapter to prevent this bypass from occurring. In Windows, this can be done by opening the Control Panel, navigating to Network and Internet -> Network and Sharing Center, opening the Properties dialog of the physical network adapter and unchecking Internet Protocol Version 6 (TCP/IPv6). Note that this disables IPv6 on that adapter entirely, including while the VPN is disconnected, whereas block_ipv6 only takes effect while the tunnel is online.

 

[Image: Windows Network Adapter.png]

 

Additional notes:

  • SSL VPN tunnel mode has been deprecated as of FortiOS 7.6.3 and onward, though SSL VPN web mode is still currently supported and renamed to 'Agentless VPN'.
  • The macOS version of FortiClient has a unique behavior not present on other FortiClient versions where enabling block_ipv6 in the XML configuration results in an IPv6 Unique Local Address (ULA) being assigned to the VPN tunnel interface, along with a corresponding default route.
    • This is expected behavior, as the default route results in macOS routing all IPv6 traffic via the VPN tunnel interface, where it is then dropped by FortiClient. This ultimately prevents IPv6 traffic from being sent over physical network interfaces when the VPN tunnel is online, though note that using this option results in IPv6 traffic always being dropped, even when using a full-tunnel SSL VPN with dual-stack functionality on macOS.
    • If block_ipv6 is disabled (set to 0) then neither the ULA nor the default route will be added to the macOS routing table.
  • Additionally, the free macOS FortiClient VPN application has block_ipv6 enabled by default, which means IPv6 traffic will not work when the VPN is online.
    • This can be solved by navigating to /Library/Application Support/Fortinet/FortiClient/conf/vpn.plist in Finder and setting SslShouldBlockIpv6 from 1 to 0.

 

Related documents: