vtsonev
Staff
Article Id 361830
Description This article describes how to use IPv6 ISDB objects in a firewall policy for dual-stack SSL VPN. It applies when SSL VPN is used with the 'set dual-stack-mode enable' option.
Scope FortiGate up to v7.0.X, v7.2.10, v7.4.5 and v7.6.0.
Solution

This feature was first introduced in FortiOS 7.0.0. Keep in mind that dual-stack tunnel mode requires a supported client: check whether the FortiClient version currently in use supports the dual-stack feature.

 

The problem occurs when configuring an IPv4+IPv6 firewall policy whose source interface is a dual-stack SSL VPN interface.

When internet-service is enabled, dstaddr in the firewall policy is not used. The dual-stack feature for SSL VPN originally did not support internet-service, so trying to configure an IPv4+IPv6 policy with ISDB objects for dual-stack results in the following error message:

 

FW81FD-4 (451) # sh
    config firewall policy
        edit 451
            set uuid e2a8d140-b0a2-51ef-878b-0f84c6bb03e8
            set srcintf "ssl.root"
            set dstintf "plan"
            set action accept
            set srcaddr "Range_for_SSLVPN_clients"
            set srcaddr6 "SSLVPN_TUNNEL_IPv6_ADDR1"
            set internet-service enable
            set internet-service-name "Cisco-Webex"
            set internet-service6 enable
            set internet-service6-name "Fortinet-ICMP"
            set schedule "always"
            set utm-status enable
            set av-profile "default"
            set ips-sensor "protect_client"
            set nat enable
            set groups "SSO_Guest_Users"
        next
    end

FW81FD-4 (451) # end


To enable this policy, both IPv4 and IPv6 must be configured because dual-stack-mode is enabled.
object check operator error, -651, discard the setting
Command fail. Return code -651

 

A similar error is visible when trying to configure the same policy from the GUI:

 

If an SSL VPN firewall policy is set to either internet-service or internet-service6, then dual-stack-mode cannot be enabled in vpn.ssl.settings.

This behavior changed in v7.6.1+ and v7.4.6+, where ISDB objects can be configured directly in such a policy without any error.

For all firmware versions, a workaround is possible: the firewall policy is first configured with normal IPv4 and IPv6 destination addresses and saved. After that, the admin can edit the policy and add the ISDB objects.

 

  1. Configure IPv4+IPv6 as the destination address in the firewall policy and save:

 

GUI_workaround.jpg

 

  2. Edit the same firewall policy, replace the destination addresses with ISDB objects as needed and save:

 

GUI_workaround2.jpg
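The same two-step workaround from the CLI, added here as an example and not taken from the original article. The policy ID, interface names, source address objects, user group and ISDB names are reused from the article's output; "Internal_IPv4_Subnet" and "Internal_IPv6_Subnet" are assumed placeholder address objects that must already exist on the unit. Lines starting with # are comments for the reader.

```fortios
# Prerequisite (from the article): the SSL VPN portal runs in dual-stack mode.
config vpn ssl settings
    set dual-stack-mode enable
end

# Step 1: create the policy with ordinary IPv4 and IPv6 destination addresses
# and save it. Do NOT enable internet-service / internet-service6 yet, or the
# -651 object check error from the article is returned on "end".
# "Internal_IPv4_Subnet" and "Internal_IPv6_Subnet" are assumed address objects.
config firewall policy
    edit 451
        set srcintf "ssl.root"
        set dstintf "plan"
        set action accept
        set srcaddr "Range_for_SSLVPN_clients"
        set srcaddr6 "SSLVPN_TUNNEL_IPv6_ADDR1"
        set dstaddr "Internal_IPv4_Subnet"
        set dstaddr6 "Internal_IPv6_Subnet"
        set schedule "always"
        set service "ALL"
        set groups "SSO_Guest_Users"
        set nat enable
    next
end

# Step 2: re-open the saved policy and swap the destinations for ISDB objects.
# Enabling internet-service replaces dstaddr (and the service field, since the
# ISDB entry carries its own ports); enabling internet-service6 replaces dstaddr6.
config firewall policy
    edit 451
        set internet-service enable
        set internet-service-name "Cisco-Webex"
        set internet-service6 enable
        set internet-service6-name "Fortinet-ICMP"
    next
end

# Verify: the stored policy should now list both ISDB objects and no
# dstaddr / dstaddr6 entries, with no error printed on "end" above.
show firewall policy 451
```

The order matters only on the affected firmware versions listed in the scope: on v7.6.1+ and v7.4.6+ the ISDB settings can be entered in the first pass.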

 

The ISDB support for dual-stack SSL VPN was added starting from v7.6.1 and v7.4.6.
