Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Sgagan
Staff
Staff

Created on ‎02-20-2023 09:40 PM Edited on ‎08-19-2025 11:07 PM By Community Manager

Article Id 246532

Technical Tip: Disable IPv6 SSL VPN

Description This article describes a DNS issue where FortiClient is trying to do DNS lookup using IPv6 when it is enabled on the endpoint network adapter while using SSL VPN.  
Scope FortiGate, FortiClient.
Solution

When IPv6 is enabled on the network adapter settings on the Endpoint device, Windows would prefer IPv6 over IPv4. 

 

To get an IPv4 address, it is possible to make these changes on the configuration file of FortiClient.

  1. Take the backup of the current FortiClient configuration:

 

Sgagan_0-1676925373870.png

 

Note

Choose a backup password with a minimum length of 8 characters.

 

Screenshot 2025-08-05 185654.png

 

  1. Open the FortiClient Backup(.conf) with the text editor. 

  2. Search for <block_ipv6>0</block_ipv6> under <sslvpn> and change the digit from 0 to 1.


     Sgagan_1-1676925373872.png

     

  3. When this setting is 1, FortiClient blocks IPv6 connections and uses IPv4 only when the SSL VPN tunnel is up. 

  4. After making the change, save and restore the file to the FortiClient.

  5. Connect to FortiClient, and the IPv4 address will now be visible.

 

Notes regarding macOS FortiClient:

  • Starting from v7.6.3, the SSL VPN tunnel mode will no longer be supported, and SSL VPN web mode will be called 'Agentless VPN'.
  • It has been observed that the EMS/paid version of macOS FortiClient has some unique behaviors when <block_ipv6> is enabled (1) vs. disabled (0).
  • When <block_ipv6>1<block_ipv6> is set in the EMS profile, an IPv6 Unique Local Address will be assigned to the VPN tunnel interface, along with a corresponding default route.
    • This is expected design/behavior: this IPv6 ULA default route results in macOS routing outgoing IPv6 traffic to the VPN tunnel interface, and from there it is dropped by FortiClient. The host will then fall back to IPv4 in response to IPv6 traffic being dropped, thus achieving the IPv6 blocking behavior that has been configured.
    • However, be aware that using this option with a full-tunnel VPN will result in all IPv6 traffic being dropped, even if the macOS client is used in a dual-stack environment.
  • On the other hand, when <block_ipv6>0<block_ipv6> is set in the EMS profile, the VPN tunnel interface will not have an IPv6 ULA assigned, nor will there be a corresponding IPv6 default route.
  • As a side note, it seems that the free macOS FortiClient-VPN version has <block_ipv6>1<block_ipv6> set by default (which means that an IPv6 ULA and default route will be added when the VPN is connected).
    • To work around this, navigate to /Library/Application Support/Fortinet/FortiClient/conf/vpn.plist and set SslShouldBlockIpv6 from 1 to 0.
21291
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.