FortiGate
msolanki
Staff
Article Id 397670
Description

This article describes how to configure and troubleshoot web filtering with IPv6.

Scope

FortiOS.
Solution

On FortiGate, Path MTU Discovery (PMTUD) for IPv6 is not supported when the firewall policy is in flow-based inspection mode, which breaks web filtering of IPv6 traffic. To fix the problem, follow the steps below.

  1. Configure the firewall policy to Proxy mode.

config firewall policy
    edit 2
        set name "Internal_IPV6"
        set uuid 2c3f4f88-da0b-51ee-49c2-6a4bfc0f0e89
        set srcintf "port5"
        set dstintf "HW-WAN"
        set action accept
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy  <-----
        set ssl-ssh-profile "ipv6-custom-deep-inspection"
        set logtraffic all
    next
end

Make sure the SSL/SSH profile referenced by the policy has deep inspection enabled.

config firewall ssl-ssh-profile
    edit "ipv6-custom-deep-inspection"
        config ssl
            set inspect-all deep-inspection <-----
        end
    next
end
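As an added example that is not from the article or from Fortinet: a Python check that parses a FortiOS configuration excerpt and flags IPv6 policies with UTM enabled that are still flow-based, or whose SSL/SSH profile does not set deep inspection, i.e. the two requirements above. The sample configuration, the profile name ipv6-cert-only and the parser are constructed for illustration, and an unset inspection-mode is assumed to mean the flow default.

```python
import shlex
# Constructed sample (not the article's config): policy 2 follows the article; policy 3 is flow-based and names a profile, deliberately undefined here, without deep inspection.
SAMPLE_CONFIG = """
config firewall ssl-ssh-profile
    edit "ipv6-custom-deep-inspection"
        config ssl
            set inspect-all deep-inspection
        end
    next
end
config firewall policy
    edit 2
        set srcaddr6 "all"
        set utm-status enable
        set inspection-mode proxy  <----- required for IPv6 PMTUD
        set ssl-ssh-profile "ipv6-custom-deep-inspection"
    next
    edit 3
        set dstaddr6 "all"
        set utm-status enable
        set ssl-ssh-profile "ipv6-cert-only"
    next
end
"""

def parse_fortios(text):
    stack = [{}]  # root table; 'config'/'edit' push a nested dict, 'next'/'end' pop it
    for raw in text.splitlines():
        cmd, *args = shlex.split(raw.split("<--", 1)[0]) or [None]  # drop '<---' notes, skip blanks
        if cmd in ("config", "edit"):
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "set":
            stack[-1][args[0]] = " ".join(args[1:])  # multi-value settings are joined
        elif cmd in ("next", "end"):
            stack.pop()
    return stack[0]

def audit_ipv6_utm_policies(cfg):
    """Return (policy id, finding) pairs for IPv6 UTM policies that miss the article's requirements."""
    profiles, findings = cfg.get("firewall ssl-ssh-profile", {}), []
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pol.get("utm-status") != "enable" or not pol.keys() & {"srcaddr6", "dstaddr6"}:
            continue  # IPv4-only or no UTM: the IPv6 PMTUD limitation does not apply
        if pol.get("inspection-mode", "flow") != "proxy":  # assumption: unset means the flow default
            findings.append((pid, "flow-based inspection: IPv6 PMTUD is not supported"))
        ssl = profiles.get(pol.get("ssl-ssh-profile", ""), {}).get("ssl", {})
        if ssl.get("inspect-all") != "deep-inspection":
            findings.append((pid, "SSL profile does not set 'inspect-all deep-inspection'"))
    return findings
```

Run it against the output of `show firewall policy` and `show firewall ssl-ssh-profile` saved to a file; policy 2 in the sample passes, policy 3 produces both findings.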


  2. If the firewall policy must stay in flow mode, configure the WAN interface MTU to 1280.
  3. If it still does not work, set the FortiGuard option in the web-filter profile to 'ftgd-disable'.

config webfilter profile
    edit "webtest"  <----- profile name
        config ftgd-wf
            set options ftgd-disable
        end
    next
end


To troubleshoot the traffic flow and confirm that the traffic matches the correct policy and web-filter profile, the flow debug must use the filter6 option (the IPv4 'filter' does not match IPv6 traffic) in the following way:


diagnose debug reset
diagnose debug enable
diagnose debug flow filter6 addr xxx:xxx::xxx:xxx  <-- IPv6 address.
diagnose debug flow show console enable
diagnose debug flow trace start 10
diagnose debug flow trace stop  <-- stop the trace once the traffic has been captured.
diagnose debug disable


For the IPS debug used to troubleshoot the static URL filter, the filter6 option is neither available nor required, because the IPS debug is not address-family specific.

Related articles:
Troubleshooting Tip: Ensuring proper web filtering functionality in FortiOS
Technical Tip: Troubleshooting static URL filter by 'debug ips'
Troubleshooting Tip: FortiGuard Web Filtering problems