Description
This article explains IPv6 Address Template objects in greater depth, including how they should be interpreted and how they are used. These objects can be created on the FortiGate directly, and they can also be created and pushed from FortiManager (see: Creating an IPv6 address template).
Scope
FortiGate, FortiManager, IPv6.
Solution
Address objects on the FortiGate (both IPv4 and IPv6) are typically configured in a number of well-known ways, including Subnets (e.g. 2001:db8::/32), Ranges (e.g. 2001:db8::1-2001:db8::ffff), and FQDNs (e.g. globalupdate.fortinet.net, which the FortiGate would resolve via DNS). However, FortiGate also supports a unique object type for IPv6 called IPv6 Address Templates (aka address6-template in the CLI), which operates in a different way from other objects. To briefly summarize:
- IPv6 addresses are significantly longer than IPv4 addresses and have more complex rules for writing/shortening addresses, and this can increase the likelihood of errors when administrators create Address objects on the FortiGate. IPv6 Address Templates allow administrators to define patterns for a given IPv6 prefix/subnet that can then be used to more reliably create IPv6 Address objects.
- Admins must create IPv6 Address Templates first, then they can be used to create IPv6 Address objects of type 'template'.
- IPv6 Address Templates are meant for network environments that have an organized structure for their IPv6 address assignments (i.e. companies that subdivide the IPv6 address space depending on which country/city the company's office is located in, as well as the purpose of the subnet (buildings, LANs/VLANs, etc.)).
- By default, IPv6 Address Templates will start with a series of predefined Subnet Segments, these being: country, state, city, site, LAN, VLAN. These pre-defined entries may be deleted or renamed, though at least one segment must be defined in the template.
- Up to 6 segments may be specified, and each segment can have a maximum of 16 bits assigned to it (0x0000 to 0xffff).
- IPv6 Address objects created using IPv6 Address Templates work like wildcard masks when it comes to matching against IPv6 addresses. The address will be checked against the template from left to right, and it is considered a match if the network bits defined in the template match with the IPv6 address (any bits not defined by the template are effectively 'ignored' and may be ANY value). An example will be provided further below.
- Once a template is created and associated with an IPv6 Address object, the template can no longer be modified.
- IPv6 Address Templates may be created directly on the FortiGate or also via FortiManager. For FortiManager instructions, refer to the link in the Description above.
Practical Demonstration:
The following is a practical example of how an IPv6 Address Template might be used, which readers may find more helpful for understanding the purpose of this object on the FortiGate:
Consider a company that has allocated an IPv6 prefix for their usage: 2001:db8::/32. This company operates branch offices in North America with multiple VLANs at each branch office. A variety of IPv6 Address objects are needed on the data center FortiGate to facilitate the various Firewall Policies required.
To manage this, the company's administrator creates an IPv6 Address Template with the following settings:
- Name: Company_IPv6_Template.
- IPv6 address prefix: 2001:db8::/32
- Subnet Segments:
- country - 8 bits (255 options, 0x00 to 0xff). Set to Exclusive with Defined Values:
- Canada = 0x01
- United States = 0x02
- office_number - 8 bits (255 options, 0x00 to 0xff)
- VLAN - 8 bits (255 options, 0x00 to 0xff)
IPv6 Address Template. Note that this is just the template and it cannot be used directly.
With this template, Address objects created using this template would have a structure like this: <prefix><country><office_number><vlan><all_remaining>. For example:
- VLAN 20 (0x14) in Office #3 (0x03) in Canada (0x01) -> 2001:0db8:0103:14<all_remaining>
- VLAN 105 (0x69) in Office #14 (0x0e) in the United States (0x02) -> 2001:0db8:020e:69<all_remaining>
When applied to a Firewall Policy, IPv6 addresses will be matched against the specified part of the template, with all other unspecified parts being ignored like a wildcard. Consider the VLAN 20 example (2001:0db8:0103:14) for the following scenario:
IPv6 Address object, set to type 'IPv6 Template'
In this case, each subnet segment has been set to 'specific' when the IPv6 Address object is created, rather than 'any'. Anything in green is matching the template, anything in red is not matching the template, and anything in black is ignored (wildcard match):
- Will Match:
- 2001:0db8:0103:1401::100
- 2001:0db8:0103:14e2:0000:8778:0042
- 2001:0db8:0103:14::ffff
- Will NOT Match:
- 2001:0db8:0103:1501::100
- 2001:cafe:0103:1401::100
- 2001:0db8:ff03:14e2:0000:8778:0042
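The following is an added example (not from the article or from Fortinet) that models the left-to-right wildcard matching described above in Python, using the article's template (2001:db8::/32 with 8-bit country, office_number and VLAN segments). It also covers the 'any' versus 'specific' segment setting described in the Note below, and the class name, the `None`-means-any convention and the X notation for wildcard nibbles are assumptions of this example.

```python
import ipaddress

class IPv6Template:
    """Added example modelling a FortiGate address6-template: prefix + up to 6 ordered
    subnet segments of at most 16 bits each (names and widths are the article's)."""

    def __init__(self, prefix, segments):
        if not 1 <= len(segments) <= 6 or any(not 1 <= b <= 16 for _, b in segments):
            raise ValueError("1..6 segments of 1..16 bits each")
        self.net = ipaddress.IPv6Network(prefix)
        self.segments = list(segments)  # [(name, bits), ...] left to right after prefix

    def build(self, values):
        """(addr, mask): None = 'any' (wildcard), int = 'specific'; mask bits = compared."""
        addr, mask = int(self.net.network_address), int(self.net.netmask)
        pos = self.net.prefixlen  # bit offset from the left (0 = most significant)
        for name, bits in self.segments:
            val = values.get(name)
            if val is not None:
                if not 0 <= val < (1 << bits):
                    raise ValueError(f"{name}={val:#x} does not fit in {bits} bits")
                shift = 128 - pos - bits
                addr |= val << shift
                mask |= ((1 << bits) - 1) << shift
            pos += bits
        return addr, mask

def matches(template, values, address):
    """Left-to-right wildcard match: only bits under the mask are compared."""
    addr, mask = template.build(values)
    return (int(ipaddress.IPv6Address(address)) & mask) == addr

def render(template, values):
    """Full 32-nibble form with X for wildcard nibbles, e.g. 2001:0db8:01XX:14XX:XXXX..."""
    addr, mask = template.build(values)
    nib = []
    for i in range(32):
        s, m = 124 - 4 * i, (mask >> (124 - 4 * i)) & 0xF
        nib.append(f"{(addr >> s) & 0xF:x}" if m == 0xF else "X" if m == 0 else "?")
    return ":".join("".join(nib[i:i + 4]) for i in range(0, 32, 4))

def as_network(template, values):
    """CIDR form when the specific segments are contiguous from the left, else None."""
    addr, mask = template.build(values)
    inv = mask ^ ((1 << 128) - 1)  # wildcard bits; contiguous iff inv + 1 is a power of two
    return None if inv & (inv + 1) else str(ipaddress.IPv6Network((addr, 128 - inv.bit_length())))

# The article's template: 2001:db8::/32 followed by country, office_number, VLAN (8 bits each)
COMPANY = IPv6Template("2001:db8::/32", [("country", 8), ("office_number", 8), ("VLAN", 8)])
```

With all three segments specific (Canada, office 3, VLAN 20) the object corresponds to 2001:db8:103:1400::/56, because the VLAN byte occupies the high byte of the fourth group; with office_number set to 'any' it renders as 2001:0db8:01XX:14XX and no longer has a single CIDR form.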
Note:
- When creating the IPv6 Address Template, the Exclusive toggle for Subnet Segments determines if all possible address options are available or just the defined entries when creating an IPv6 Address object.
- In the earlier example, 8 bits allow any value from 0x00 to 0xff (255 options) to be selected, not only Canada (0x01) and the United States (0x02). Enabling the Exclusive toggle limits the choices to just Canada and the United States.
- When creating IPv6 Address objects based on a template, subnet segments may either be set to any (wildcard for that section) or specific (must match the selected option). This could be useful for more-complex objects, such as an IPv6 Address object that matches VLAN 20 for any office located in Canada in the 2001:db8::/32 network (2001:0db8:01XX:14).
- When viewed in the GUI, it is expected that IPv6 Address objects based on templates will not show the actual end-result for the IPv6 mask. That is to say, instead of something like 2001:0db8:0103:14::/56 being displayed, the following is expected instead:

Related document:
Creating an IPv6 address template