Sgagan (Staff)
Article Id 246532
Description: This article describes a DNS issue in which FortiClient performs DNS lookups over IPv6 when IPv6 is enabled on the endpoint's network adapter while an SSL VPN is in use.
Scope: FortiGate, FortiClient.
Solution

When IPv6 is enabled in the network adapter settings on the endpoint device, Windows prefers IPv6 over IPv4.

To make the lookup use an IPv4 address instead, make the following changes in the FortiClient configuration file.

  1. Take a backup of the current FortiClient configuration.

  2. Open the FortiClient backup (.conf) file in a text editor.

  3. Search for <block_ipv6>0</block_ipv6> under <sslvpn> and change the digit from 0 to 1.

  4. When this setting is 1, FortiClient blocks IPv6 connections and uses IPv4 only while the SSL VPN tunnel is up.

  5. After making the change, save the file and restore it to FortiClient.

  6. Connect with FortiClient; the IPv4 address will now be visible.

Notes regarding macOS FortiClient:

  • It has been observed that the EMS/paid version of macOS FortiClient has some unique behaviors when <block_ipv6> is enabled (1) vs. disabled (0).
  • When <block_ipv6>1</block_ipv6> is set in the EMS profile, an IPv6 Unique Local Address (ULA) will be assigned to the VPN tunnel interface, along with a corresponding default route.
    • This is expected design/behavior: this IPv6 ULA default route results in macOS routing outgoing IPv6 traffic to the VPN tunnel interface, and from there it is dropped by FortiClient. The host will then fall back to IPv4 in response to IPv6 traffic being dropped, thus achieving the IPv6 blocking behavior that has been configured.
    • However, be aware that using this option with a full-tunnel VPN will result in all IPv6 traffic being dropped, even if the macOS client is used in a dual-stack environment.
  • On the other hand, when <block_ipv6>0</block_ipv6> is set in the EMS profile, the VPN tunnel interface will not have an IPv6 ULA assigned, nor will there be a corresponding IPv6 default route.
  • As a side note, it seems that the free macOS FortiClient-VPN version has <block_ipv6>1</block_ipv6> set by default (which means that an IPv6 ULA and default route will be added when the VPN is connected).
    • To work around this, navigate to /Library/Application Support/Fortinet/FortiClient/conf/vpn.plist and set SslShouldBlockIpv6 from 1 to 0.
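The two settings above, as an added example that is not FortiClient's own code: a small Python helper that reads and flips <block_ipv6> under <sslvpn> in a backed-up .conf file (steps 2 to 5 of the solution) and SslShouldBlockIpv6 in the macOS vpn.plist. The XML skeleton around those elements and the plist contents are constructed samples, and the plist value is assumed to be an integer.

```python
# Added example (not FortiClient's own code): read and flip the SSL VPN
# IPv6-blocking flag in the two places this article names. Only
# <sslvpn>/<block_ipv6> and the plist key SslShouldBlockIpv6 come from the
# article; the rest of the sample XML and plist below is constructed.
import plistlib
import xml.etree.ElementTree as ET


def _find_block_ipv6(root: ET.Element) -> ET.Element:
    """Locate <block_ipv6> anywhere under <sslvpn>; refuse to invent it."""
    sslvpn = root.find(".//sslvpn")
    node = None if sslvpn is None else sslvpn.find(".//block_ipv6")
    if node is None:
        raise ValueError("no <block_ipv6> element under <sslvpn> in this backup")
    return node


def read_block_ipv6(conf_xml: str) -> str:
    """Return the current <block_ipv6> value ('0' or '1')."""
    return (_find_block_ipv6(ET.fromstring(conf_xml)).text or "").strip()


def set_block_ipv6(conf_xml: str, block: bool = True) -> str:
    """Return the backup with <block_ipv6> set to 1 (block) or 0 (allow)."""
    root = ET.fromstring(conf_xml)
    # Only this one element changes, so the file can still be restored.
    _find_block_ipv6(root).text = "1" if block else "0"
    return ET.tostring(root, encoding="unicode")


def read_mac_block_ipv6(plist_bytes: bytes) -> int:
    """Return SslShouldBlockIpv6 from vpn.plist (assumed to be an integer)."""
    return int(plistlib.loads(plist_bytes)["SslShouldBlockIpv6"])


def set_mac_block_ipv6(plist_bytes: bytes, block: bool) -> bytes:
    """Return vpn.plist with SslShouldBlockIpv6 set to 1 (block) or 0."""
    data = plistlib.loads(plist_bytes)
    data["SslShouldBlockIpv6"] = 1 if block else 0
    return plistlib.dumps(data)


# Constructed samples: element names other than sslvpn/block_ipv6 and the
# plist layout are placeholders, not a real FortiClient export.
SAMPLE_CONF = ("<forticlient_configuration><sslvpn><other_setting>x</other_setting>"
               "<block_ipv6>0</block_ipv6></sslvpn></forticlient_configuration>")
SAMPLE_PLIST = plistlib.dumps({"SslShouldBlockIpv6": 1})

if __name__ == "__main__":
    print(read_block_ipv6(set_block_ipv6(SAMPLE_CONF)), read_mac_block_ipv6(SAMPLE_PLIST))
```

When writing a real backup back to disk, keep its XML declaration by using ET.ElementTree(root).write(path, encoding="utf-8", xml_declaration=True) rather than the string returned here, and restore the file through the FortiClient restore dialog as in step 5.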