Description
IPv4 and IPv6 policy configuration are consolidated in both NGFW profile-based and NGFW policy-based modes.
When creating a policy, both IPv4 and IPv6 addresses can be added as sources and destinations.
This article describes how to consolidate IPv4 and IPv6 policies.
Scope
FortiGate.
Solution
The IP version of the sources and destinations in a policy must match.
For example, a policy cannot have only an IPv4 source and an IPv6 destination.
The policy list can be filtered to show policies with IPv4, IPv6, or IPv4 and IPv6 sources and destinations.
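The following offline audit is an added example, not Fortinet code. It parses a saved `config firewall policy` block, labels each policy as IPv4, IPv6, or IPv4+IPv6 (the same split as the policy list filter), and flags policies that break the matching rule. The sample config, policies 5 and 7, and the address name "lan-net" are constructed; treating a family that has a source but no destination (or the reverse) as a mismatch is this example's reading of the rule.

```python
import re

# Constructed sample (not from a real device). Policy 99 mirrors this
# article's dual-stack policy; policy 7 is deliberately mismatched.
SAMPLE = '''
config firewall policy
    edit 99
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all6"
        set dstaddr6 "all6"
    next
    edit 5
        set srcaddr "lan-net"
        set dstaddr "all"
    next
    edit 7
        set srcaddr "lan-net"
        set dstaddr6 "all6"
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: [values]}} for each edit ... next block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r'edit (\d+)', line):
            current = policies.setdefault(int(m.group(1)), {})
        elif line == 'next':
            current = None
        elif current is not None and (m := re.match(r'set (\S+) (.+)', line)):
            # Quoted object names may contain spaces; bare tokens do not.
            vals = re.findall(r'"([^"]*)"|(\S+)', m.group(2))
            current[m.group(1)] = [quoted or bare for quoted, bare in vals]
    return policies

def classify(policy):
    """Label a policy by the address families its source and destination use."""
    v4 = (bool(policy.get('srcaddr')), bool(policy.get('dstaddr')))
    v6 = (bool(policy.get('srcaddr6')), bool(policy.get('dstaddr6')))
    if v4[0] != v4[1] or v6[0] != v6[1]:
        return 'MISMATCH'  # e.g. IPv4 source with only an IPv6 destination
    if v4[0] and v6[0]:
        return 'IPv4+IPv6'
    return 'IPv4' if v4[0] else 'IPv6' if v6[0] else 'NONE'

def audit(text):
    return {pid: classify(p) for pid, p in sorted(parse_policies(text).items())}
```

Run against a configuration backup after the upgrade, `audit()` gives a quick inventory of which policies now carry IPv6 sources and destinations and therefore need the same review as their IPv4 side.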
When upgrading from FortiOS 6.2.3 to 6.4.0:
In NGFW profile-based mode, IPv4 and IPv6 policies will all be added to the Firewall Policy list, with IPv6 policies listed after IPv4 policies.
If consolidated policy mode is enabled, consolidated policies will be changed to firewall policies.
In NGFW policy-based mode, policies will be changed from consolidated policies to firewall policies in the CLI.
The config firewall policy6 and config firewall consolidated policy commands, and the consolidated-firewall-mode variable in the config system settings command, are all removed.
Note:
By default, IPv6 options are not visible.
See Feature visibility for instructions on making it visible.
NGFW Profile-based mode.
To configure an IPv4 and IPv6 firewall policy in the CLI:
config firewall policy
    edit 99
        set srcintf "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all6"
        set dstaddr6 "all6"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set ippool enable
        set poolname "ipv4-ippool-1"
        set poolname6 "ipv6-ippool-1"
    next
end
To check the iprope lists for the policy:
diagnose firewall iprope list 100004
policy index=99 uuid_idx=56 action=accept
flag (8050108): redir nat master use_src pol_stats
flag2 (4000): resolve_sso
flag3 (20): link-local
schedule(always)
cos_fwd=255 cos_rev=255
group=00100004 av=00004e20 au=00000000 split=00000000
host=1 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 11 -> zone(1): 9
source(1): 0.0.0.0-255.255.255.255, uuid_idx=21,
dest(1): 0.0.0.0-255.255.255.255, uuid_idx=21,
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
nat(1): flag=1 base=0.0.0.0:0 2.2.2.30-2.2.2.40(0:0)
diagnose firewall iprope6 list 100004
policy id: 99, group: 00100004, uuid_idx=56
action: accept, schedule: always
cos_fwd=255 cos_rev=255
flag (08050108): redir nat master use_src pol_stats
flag2(00004000): resolve_sso
shapers: / per_ip=
sub_groups: av 00004e20 auth 00000000 split 00000000 misc 00000000
app_list: 0 ips_view: 0
vdom_id: 1
zone_from(1): 11
zone_to(1): 9
address_src(1):
all uuid_idx=40
address_dst(1):
all uuid_idx=40
service(1):
[0:0x0:0/(0,65535)->(0,65535)] helper:auto
nat(1):
flag=1 base=::(:0)
2003::2003 - 2003::2004(0:0)
NGFW Policy-based mode.
To configure an IPv4 and IPv6 SSL Inspection & Authentication policy in the CLI:
config firewall policy
    edit 2
        set srcintf "port24"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service "ALL"
        set auto-asic-offload disable
    next
end
To configure an IPv4 and IPv6 security policy in the CLI:
config firewall security-policy
    edit 1
        set comments "test"
        set srcintf "port24"
        set dstintf "port17"
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set enforce-default-app-port disable
        set service "ALL"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end
Note: To configure an IPv6 policy consolidated with the IPv4 policy, the network interface must be configured with an IPv6 address. If IPv6 is not configured on any of the interfaces, FortiGate will not route IPv6 traffic.
See IPv6 quick start - FortiGate v7.6.0 Administration Guide.
Copyright 2025 Fortinet, Inc. All Rights Reserved.