There are cases where IPv6 traffic is configured on interfaces with the Captive Portal enabled, necessitating the exemption of certain IPv6 addresses.

There are cases where IPv6 traffic is configured on interfaces with the Captive Portal enabled, necessitating the exemption of certain IPv6 addresses.

For example, an interface with the following IPv6 configuration:

edit "IT_Firewall"
    set vdom "root"
    set ip 10.0.2.251 255.255.255.248
    set allowaccess ping https ssh snmp http radius-acct
    set explicit-web-proxy enable
    set security-mode captive-portal
    set security-exempt-list "IT_Firewall-exempt-list"
    set security-groups "automation_user" "Bobby_team" "CMU_care" "COSI_Lab_Blr" "Device_Testing" "Guest" "LaaS-Bengaluru" "south_korea_team" "Temp"
    set device-identification enable
    set role lan
    set snmp-index 20

config ipv6
    set ip6-address 2a00:8a03:19f:4::1/64
    set ip6-allowaccess ping https ssh snmp http
end

set interface "x2"
set vlanid 514
next
end

In such cases, it is necessary to use an IPv6 policy to exempt the source, as IPv6 does not support adding exempt sources under the Captive Portal.

The IPv6 policy can be created as follows, with the option 'captive-portal-exempt' enabled.

config firewall policy
    edit 4
        set name "TEST1"
        set uuid a568475e-9089-51ef-0b7f-f41c5a017550
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr6 "aaaaa"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set captive-portal-exempt enable
    next
end

IPV6 Address:

config firewall address6
    edit "aaaaa"
        set uuid 61037408-9089-51ef-ad54-66407dc02682
        set ip6 2600:5000:9830:200::/64
    next
end

This approach allows the IPv6 address to be exempted from the Captive Portal.

Related document: 

config system interface