Created on 03-29-2020 04:30 AM Edited on 02-09-2022 12:54 AM By Anthony_E
Description
The Fortinet DNS can resolve FortiGuard related servers to both IPv4 and IPv6 addresses.
FortiOS daemons (update, forticldd, url) connect using either IPv4 or IPv6 addresses.
The first available connection will be used for updates or the rating service.
This article describes how to configure an interface and route for IPv6.
Scope
For version 6.2.2.
Solution
To configure an interface and route for IPv6:
# config system interface
    edit "wan1"
        set vdom "root"
        config ipv6
            set ip6-address 2000:172:16:200::1/64
        end
    next
end
# config router static6
    edit 1
        set gateway 2000:172:16:200::254
        set device "wan1"
    next
end
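The interface address and the static6 gateway above only work together if the gateway is on-link for the interface prefix. The following Python script is an added example, not part of the article or of FortiOS: it validates an IPv6 interface/gateway pair with the standard library ipaddress module and renders the same two CLI blocks. The addresses, the interface name wan1 and the VDOM root are the article's values; the function names and the checks themselves are this example's own assumptions.

```python
import ipaddress

# Values taken from the article's configuration (constructed lab addressing, not a real deployment).
INTERFACE_ADDRESS = "2000:172:16:200::1/64"
GATEWAY = "2000:172:16:200::254"
DEVICE = "wan1"
VDOM = "root"


def check_ipv6_pairing(interface_address: str, gateway: str) -> list:
    """Return a list of problems found; an empty list means the pairing is consistent.

    Checks (this example's own, not a FortiOS validation):
      * both values parse as IPv6
      * the gateway lies inside the interface's on-link prefix, so the
        static6 next hop is directly reachable on the egress interface
      * the gateway is not the interface's own address
      * the interface address is not the subnet-router anycast address (prefix::)
    """
    problems = []
    try:
        iface = ipaddress.IPv6Interface(interface_address)
    except ValueError as exc:
        return [f"interface address invalid: {exc}"]
    try:
        gw = ipaddress.IPv6Address(gateway)
    except ValueError as exc:
        return [f"gateway invalid: {exc}"]
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on-link for {iface.network}")
    if gw == iface.ip:
        problems.append("gateway equals the interface address")
    if iface.ip == iface.network.network_address:
        problems.append("interface address is the subnet-router anycast address")
    return problems


def render_fortios_config(interface_address: str, gateway: str,
                          device: str = DEVICE, vdom: str = VDOM, seq: int = 1) -> str:
    """Render the interface and static6 CLI blocks, or raise if the pairing check fails."""
    problems = check_ipv6_pairing(interface_address, gateway)
    if problems:
        raise ValueError("; ".join(problems))
    iface = ipaddress.IPv6Interface(interface_address)
    return "\n".join([
        "config system interface",
        f'    edit "{device}"',
        f'        set vdom "{vdom}"',
        "        config ipv6",
        f"            set ip6-address {iface.with_prefixlen}",
        "        end",
        "    next",
        "end",
        "config router static6",
        f"    edit {seq}",
        f"        set gateway {gateway}",
        f'        set device "{device}"',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    print(render_fortios_config(INTERFACE_ADDRESS, GATEWAY))
```

Running the script prints the CLI blocks ready to paste; a gateway in a different /64 raises a ValueError before any configuration is emitted.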
To configure push updates:
# config system autoupdate push-update
    set status enable
    set override enable
    set address "2620:101:9005:3860::94"
end
To update through FortiGuard, issue the command '# exec update-now'.
Troubleshooting steps:
1) Verify that a valid, current contract is registered against the FortiGate. The registration code/contract number can be registered at https://support.fortinet.com after purchase.
2) Create a firewall policy that includes a UTM profile and FortiGuard web filtering.
3) After activation, the FortiGuard network will transmit the contract information to all servers, which might take up to 48 hours. If the contract was activated during the last day, you should indeed wait 24 hours before proceeding.
Once it is certain that the servers have the right contract information and the FortiGate is simply not receiving it, the first test to run is:
# exec ping6 2620:101:9005:3860::94
4) If the ping fails, the FortiGate cannot reach the Internet. Aside from the possibility that the FortiGate is not connected to the Internet at all, the most common cause is that the FortiGate is sending all of its locally generated traffic (update requests and pings included) over a VPN tunnel or out the wrong interface.
The following commands can assist you in troubleshooting:
# diag debug reset
# diag debug enable
# diag debug flow show console enable
# diag debug flow show function-name enable
# diag debug flow filter6 addr 2620:101:9005:3860::94
# diag debug flow trace start6 1000
# exec ping6 2620:101:9005:3860::94
The output will show the route the packet is using as well as any VPN tunnels.
If the traffic is indeed going through a VPN tunnel, edit the firewall policy for the VPN tunnel and change the source and destination addresses to match the source and destination subnets.
Once the test is complete, the debug outputs should be disabled by using the commands:
# diag debug disable
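The flow trace above answers one question: which interface and gateway the ping to the FortiGuard address actually used. The following Python script is an added example, not part of the article or of FortiOS. It parses the "received a packet" and "find a route" messages of a debug flow capture and reports, per trace_id, whether the egress interface is the expected WAN interface or a tunnel. The sample lines are constructed to approximate the debug flow message format, the set of tunnel interface names (to_HQ) is assumed, and the function names are this example's own.

```python
import re

# Constructed sample of `diag debug flow` output (format approximated, not a real capture).
# Trace 1 egresses via wan1 as intended; trace 2 is pulled into a VPN interface;
# trace 3 never logs a route decision.
SAMPLE_TRACE = """\
id=20085 trace_id=1 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=58, 2000:172:16:200::1->2620:101:9005:3860::94) from local."
id=20085 trace_id=1 func=init_ip_session_common line=5520 msg="allocate a new session-0000017a"
id=20085 trace_id=1 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-2000:172:16:200::254 via wan1"
id=20085 trace_id=2 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=58, 2000:172:16:200::1->2620:101:9005:3860::94) from local."
id=20085 trace_id=2 func=init_ip_session_common line=5520 msg="allocate a new session-0000017b"
id=20085 trace_id=2 func=vf_ip_route_input_common line=2591 msg="find a route: flag=80000000 gw-:: via to_HQ"
id=20085 trace_id=3 func=print_pkt_detail line=5363 msg="vd-root received a packet(proto=58, 2000:172:16:200::1->2620:101:9005:3860::94) from local."
"""

EXPECTED_EGRESS = "wan1"            # the interface carrying the static6 route (article's value)
TUNNEL_INTERFACES = {"to_HQ"}      # assumed names of VPN interfaces on this unit

TRACE_RE = re.compile(r"\btrace_id=(?P<id>\d+)")
PKT_RE = re.compile(r"received a packet\(proto=(?P<proto>\d+), "
                    r"(?P<src>[0-9A-Fa-f:.]+)->(?P<dst>[0-9A-Fa-f:.]+)\)")
ROUTE_RE = re.compile(r'msg="find a route: (?P<detail>[^"]*)"')
VIA_RE = re.compile(r"\bvia (?P<iface>\S+)")
GW_RE = re.compile(r"\bgw-(?P<gw>\S+)")


def parse_flow_trace(text: str) -> dict:
    """Group debug flow lines by trace_id and extract src/dst, gateway and egress interface."""
    traces = {}
    for line in text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue
        t = traces.setdefault(m["id"], {"src": None, "dst": None, "proto": None,
                                        "gateway": None, "egress": None})
        pm = PKT_RE.search(line)
        if pm:
            t["src"], t["dst"], t["proto"] = pm["src"], pm["dst"], int(pm["proto"])
        rm = ROUTE_RE.search(line)
        if rm:
            detail = rm["detail"]
            vm, gm = VIA_RE.search(detail), GW_RE.search(detail)
            if vm:
                t["egress"] = vm["iface"]
            if gm:
                t["gateway"] = gm["gw"]
    return traces


def assess_egress(traces: dict, expected_egress: str = EXPECTED_EGRESS,
                  tunnel_interfaces: set = TUNNEL_INTERFACES) -> list:
    """Return one human-readable finding per trace, flagging tunnel or unexpected egress."""
    findings = []
    for tid, t in sorted(traces.items(), key=lambda kv: int(kv[0])):
        egress = t["egress"]
        if egress is None:
            findings.append(f"trace {tid}: no route decision logged "
                            "(check the filter6 address and that trace start6 is active)")
        elif egress == expected_egress:
            findings.append(f"trace {tid}: OK, {t['dst']} via {egress} gateway {t['gateway']}")
        elif egress in tunnel_interfaces:
            findings.append(f"trace {tid}: TUNNEL, {t['dst']} is routed into VPN interface {egress}; "
                            "review the VPN policy/selectors")
        else:
            findings.append(f"trace {tid}: WRONG INTERFACE, {t['dst']} via {egress}, "
                            f"expected {expected_egress}")
    return findings


if __name__ == "__main__":
    for finding in assess_egress(parse_flow_trace(SAMPLE_TRACE)):
        print(finding)
```

Paste the real flow output into SAMPLE_TRACE (or read it from a file) and adjust EXPECTED_EGRESS and TUNNEL_INTERFACES to the unit's interface names; any trace reported as TUNNEL is the case the article describes, where locally generated traffic is being pulled into a VPN.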
5) If the issue is still not fixed, the following commands can be used to collect debug and sniffer output:
# diag debug enable
# diag debug application update 255
# exec update-now
# diag sniffer packet any "host 2620:101:9005:3860::94" 6 0 l
If the issue persists, open a ticket with Fortinet Support and include the output of all the debug commands above.
Copyright 2024 Fortinet, Inc. All Rights Reserved.