Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vprabhu_FTNT
Staff
Staff

Created on ‎03-29-2020 04:30 AM Edited on ‎12-16-2024 09:35 PM By Staff

Article Id 191522

Technical Tip: IPv6 FortiGuard connections and Initial Troubleshooting steps

Description


The Fortinet DNS can resolve FortiGuard related servers to both IPv4 and IPv6 addresses.
FortiOS daemons (update, forticldd, url) connect using either IPv4 or IPv6 addresses.
The first available connection will be used for updates or the rating service.

This article describes how to configure an interface and route for IPv6.

Scope


FortiGate v6.2.2.

Solution


To configure an interface and route for IPv6.

 

config system interface
    edit "wan1"
        set vdom "root"
        config ipv6
            set ip6-address 2000:172:16:200::1/64
        end
    next
end

 

config router static6
    edit 1
        set gateway 2000:172:16:200::254
        set device "wan1"
    next
end

 

To configure push updates.

 

config system autoupdate push-update
    set status enable
    set override enable
    set address "2620:101:9005:3860::94"
end

 

To update through Fortiguard, issue the command ‘exec update-now’.

Troubleshooting steps:

 

  1. Verify that a valid current contract is registered against FortiGate. The registration code/contract number may be registered at https://support.fortinet.com after purchase.
  2. Create a firewall policy that includes a UTM profile and FortiGuard web filtering.
  3. After activation, the FortiGuard network will transmit the contact information to all servers, which might take up to 48 hours. If the contract was activated during the last day, wait 24 hours before proceeding.

 

When the servers have the right contract information; the FortiGate is just not receiving it. The first test to do is:

 

exec ping6 2620:101:9005:3860::94

 

  1. If the ping fails, the FortiGate cannot connect to the internet. Aside from the possibility that the FortiGate is not even connected to the Internet, the most prevalent issue here is that the FortiGate is sending all of its locally produced traffic (think update requests and pings) over a VPN tunnel or the incorrect interface.

 

The following commands can assist to troubleshoot:

 

diag debug reset
diag debug enable
diag debug console timestamp enable
diag debug flow show function-name enable
diag debug flow filter6 addr 2620:101:9005:3860::94
diag debug flow trace start6 1000
exec ping6 2620:101:9005:3860::94

 

The output will show the route the packet is using as well as any VPN tunnels.
If the traffic is indeed going through a VPN tunnel, edit the Firewall policy for the VPN tunnel and change the source and destination addresses to match the source and destination subnets.

 

Once the test is complete, the debug outputs should be disabled by using the commands:


diag debug disable

 

  1. If the issue is still not fixed, the following commands can be used to collect debug and Sniffer information:

 

diag debug enable
diag debug application update 255
exec update-now

di sniffer packet any "host 2620:101:9005:3860::94" 6 0 l

 

If the issue has not been addressed, file a ticket with Fortinet support to aid with troubleshooting. Include the results of every other previous debug command.

Labels:
4485
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.