FortiGate
subramanis
Staff
Article Id 204771
Description This article describes how to disable ICMPv6 redirects (the 'icmp6-send-redirect' interface setting) on a FortiGate.
Scope icmp6-send-redirect is enabled by default. When it is enabled, the FortiGate sends ICMPv6 redirect messages that point the host to a more direct path; the redirected ICMPv6 traffic therefore no longer passes through the FortiGate and does not match any policy6 rule.
Solution

[image: subramanis_1-1644785489923.png]

There is no firewall policy for IPv6 traffic, but the traffic is still allowed by the firewall: it does not hit the implicit deny rule.

The packet capture on port1 below shows the echo request entering and leaving the same interface, followed by an ICMPv6 redirect sent from the FortiGate link-local address (fe80::724c:a5ff:fe1c:9926) telling 2001:7a8:2d85:6000::3 to reach 2001:7a8:2d85:6000::2 directly:

2021-09-20 14:08:14.796289 port1 in 2001:7a8:2d85:6000::2 -> 2001:7a8:2d85:6000::3: icmp6: echo request seq 836
2021-09-20 14:08:14.797343 port1 in 2001:7a8:2d85:6000::3 -> fe80::724c:a5ff:fe1c:9926: icmp6: neighbor adv: tgt is 2001:7a8:2d85:6000::3
2021-09-20 14:08:14.797378 port1 out 2001:7a8:2d85:6000::2 -> 2001:7a8:2d85:6000::3: icmp6: echo request seq 836
2021-09-20 14:08:14.797754 port1 in 2001:7a8:2d85:6000::3 -> 2001:7a8:2d85:6000::2: icmp6: echo reply seq 836
2021-09-20 14:08:14.797793 port1 out fe80::724c:a5ff:fe1c:9926 -> 2001:7a8:2d85:6000::3: icmp6: redirect 2001:7a8:2d85:6000::2 to 2001:7a8:2d85:6000::2
2021-09-20 14:08:14.797811 port1 out 2001:7a8:2d85:6000::3 -> 2001:7a8:2d85:6000::2: icmp6: echo reply seq 836

The corresponding debug flow output shows the same exchange. The last field of each address is the ICMPv6 type: trace_id=1 is the echo request (128), which arrives on port1 and is routed back out via port1; trace_id=3 is the echo reply (129); trace_id=4 is the redirect itself (137), sent from the FortiGate link-local address:

id=20085 trace_id=1 func=resolve_ip6_tuple_fast line=4582 msg="vd-root:0 received a packet(proto=58, 2001:7a8:2d85:6000::2:1->2001:7a8:2d85:6000::3:128) from port1."
id=20085 trace_id=1 func=resolve_ip6_tuple line=4714 msg="allocate a new session-0001dc85"
id=20085 trace_id=1 func=vf_ip6_route_input line=1177 msg="find a route: gw-2001:7a8:2d85:6000::3 via port1 err 0 flags 01000001"
id=20085 trace_id=2 func=resolve_ip6_tuple_fast line=4582 msg="vd-root:0 received a packet(proto=58, 2001:7a8:2d85:6000::3:24576->fe80::724c:a5ff:fe1c:9926:136) from port1."
id=20085 trace_id=2 func=vf_ip6_route_input line=1177 msg="find a route: gw-:: via root err 0 flags 80200001"
id=20085 trace_id=3 func=resolve_ip6_tuple_fast line=4582 msg="vd-root:0 received a packet(proto=58, 2001:7a8:2d85:6000::3:1->2001:7a8:2d85:6000::2:129) from port1."
id=20085 trace_id=3 func=vf_ip6_route_input line=1177 msg="find a route: gw-2001:7a8:2d85:6000::2 via port1 err 0 flags 01000001"
id=20085 trace_id=4 func=resolve_ip6_tuple_fast line=4582 msg="vd-root:0 received a packet(proto=58, fe80::724c:a5ff:fe1c:9926:0->2001:7a8:2d85:6000::3:137) from port1."
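The capture above can be checked mechanically. The following script is an added example, not part of the article or of any Fortinet tool: it parses sniffer lines in the format shown above, lists every ICMPv6 redirect the FortiGate emitted (who was told to use which next hop), and flags "hairpinned" packets, i.e. packets seen "in" and then "out" on the same interface with identical headers, which is the situation in which a router sends a redirect. The six sample lines are the article's own capture; the function and class names are this example's.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# The six sniffer lines from the article, embedded so the example runs offline.
SAMPLE_CAPTURE = """\
2021-09-20 14:08:14.796289 port1 in 2001:7a8:2d85:6000::2 -> 2001:7a8:2d85:6000::3: icmp6: echo request seq 836
2021-09-20 14:08:14.797343 port1 in 2001:7a8:2d85:6000::3 -> fe80::724c:a5ff:fe1c:9926: icmp6: neighbor adv: tgt is 2001:7a8:2d85:6000::3
2021-09-20 14:08:14.797378 port1 out 2001:7a8:2d85:6000::2 -> 2001:7a8:2d85:6000::3: icmp6: echo request seq 836
2021-09-20 14:08:14.797754 port1 in 2001:7a8:2d85:6000::3 -> 2001:7a8:2d85:6000::2: icmp6: echo reply seq 836
2021-09-20 14:08:14.797793 port1 out fe80::724c:a5ff:fe1c:9926 -> 2001:7a8:2d85:6000::3: icmp6: redirect 2001:7a8:2d85:6000::2 to 2001:7a8:2d85:6000::2
2021-09-20 14:08:14.797811 port1 out 2001:7a8:2d85:6000::3 -> 2001:7a8:2d85:6000::2: icmp6: echo reply seq 836
"""

# "<date> <time> <iface> <in|out> <src> -> <dst>: <detail>"; the dst address
# ends in a colon-separated IPv6 literal, so the ": " after it is matched by
# backtracking on the greedy \S+.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): (?P<detail>.*)$"
)
REDIRECT_RE = re.compile(r"^icmp6: redirect (?P<dest>\S+) to (?P<hop>\S+)$")


@dataclass
class Packet:
    ts: str
    iface: str
    direction: str
    src: str
    dst: str
    detail: str


@dataclass
class Redirect:
    sender: str       # address that emitted the redirect (the FortiGate link-local here)
    target_host: str  # host being told to use a different next hop
    destination: str  # destination the redirect applies to
    next_hop: str     # next hop the host is told to use


def parse_capture(text: str) -> List[Packet]:
    """Parse sniffer output lines; lines that do not match the format are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            packets.append(Packet(m["ts"], m["iface"], m["dir"], m["src"], m["dst"], m["detail"]))
    return packets


def find_redirects(packets: List[Packet]) -> List[Redirect]:
    """Every ICMPv6 redirect message in the capture."""
    found = []
    for p in packets:
        m = REDIRECT_RE.match(p.detail)
        if m:
            found.append(Redirect(p.src, p.dst, m["dest"], m["hop"]))
    return found


def find_hairpins(packets: List[Packet]) -> List[Tuple[str, str, str, str]]:
    """Packets seen 'in' and later 'out' on the same interface with the same
    src/dst/detail: traffic forwarded back out the interface it arrived on."""
    pending = set()
    hairpins = []
    for p in packets:
        key = (p.iface, p.src, p.dst, p.detail)
        if p.direction == "in":
            pending.add(key)
        elif key in pending:
            hairpins.append(key)
            pending.discard(key)
    return hairpins


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    for r in find_redirects(pkts):
        print(f"redirect from {r.sender}: {r.target_host} told to reach "
              f"{r.destination} via {r.next_hop}")
    for iface, src, dst, detail in find_hairpins(pkts):
        print(f"hairpin on {iface}: {src} -> {dst} ({detail})")
```

On the article's capture this reports one redirect (2001:7a8:2d85:6000::3 is told to reach 2001:7a8:2d85:6000::2 directly) and two hairpinned packets, the echo request and the echo reply; a capture taken after 'icmp6-send-redirect' is disabled should still show the hairpins but no redirect lines.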
The solution is to disable 'icmp6-send-redirect' on the interface (it is enabled by default):
config system interface
    edit port1
        config ipv6
            set icmp6-send-redirect disable
        end
    next
end
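Because the setting is enabled by default, an interface whose 'config ipv6' block does not contain 'set icmp6-send-redirect disable' is still sending redirects. The script below is an added example (not part of the article or of FortiOS) that walks a saved FortiGate configuration, following the 'config ... end' and 'edit ... next' nesting used above, and reports per interface whether redirects are disabled. The sample configuration is constructed for this example; port names, addresses and the function names are this example's.

```python
from typing import Dict, List, Tuple

# Constructed sample configuration: port1 has the fix applied, port2 has an
# IPv6 block without the setting, port3 has no IPv6 block at all.
SAMPLE_CONFIG = """\
config system interface
    edit "port1"
        set vdom "root"
        config ipv6
            set ip6-address 2001:db8:1::1/64
            set icmp6-send-redirect disable
        end
    next
    edit "port2"
        set vdom "root"
        config ipv6
            set ip6-address 2001:db8:2::1/64
        end
    next
    edit "port3"
        set vdom "root"
    next
end
"""

DEFAULT_VALUE = "enable"  # FortiOS default per the article


def audit_icmp6_redirect(config_text: str) -> Dict[str, str]:
    """Return {interface name: 'enable' | 'disable'} for every interface under
    'config system interface'. Interfaces that never set the value get the default."""
    stack: List[Tuple[str, str]] = []  # ("config", "<path>") or ("edit", "<name>")
    result: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(("config", line[len("config "):].strip()))
        elif line.startswith("edit "):
            name = line[len("edit "):].strip().strip('"')
            stack.append(("edit", name))
            if len(stack) == 2 and stack[0] == ("config", "system interface"):
                result.setdefault(name, DEFAULT_VALUE)
        elif line in ("next", "end"):
            if stack:
                stack.pop()
        elif line.startswith("set "):
            parts = line.split()
            inside_ipv6 = (
                len(stack) == 3
                and stack[0] == ("config", "system interface")
                and stack[2] == ("config", "ipv6")
            )
            if inside_ipv6 and len(parts) == 3 and parts[1] == "icmp6-send-redirect":
                result[stack[1][1]] = parts[2]
    return result


def interfaces_sending_redirects(config_text: str) -> List[str]:
    """Interfaces on which ICMPv6 redirects are still enabled (explicitly or by default)."""
    audit = audit_icmp6_redirect(config_text)
    return sorted(name for name, value in audit.items() if value != "disable")


if __name__ == "__main__":
    for name, value in audit_icmp6_redirect(SAMPLE_CONFIG).items():
        print(f"{name}: icmp6-send-redirect {value}")
    print("still sending redirects:", interfaces_sending_redirects(SAMPLE_CONFIG))
```

Run it against the output of a configuration backup; any interface listed as still sending redirects needs the 'set icmp6-send-redirect disable' line from the article added under its 'config ipv6' block.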