Fortinet Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
FloToHu
New Contributor II

FQDN address object just resolves ipv4 - no dual-stack - Any solutions?

Hello,

It is the year 2021 and IPv6 has grown into a protocol that is over 30 years old. But it still seems to lack basic support.

We switched from OPNsense to FortiGate and our network is dual-stacked. With OPNsense it was no problem to declare FQDN address objects that resolved to all A and AAAA records. And really nobody wants to create IPv6 objects manually. So we mainly use FQDNs to access IPv6 resources.

In FortiGate, FQDN objects only resolve to A records, and there is no way to get my IPv6 addresses added. Any hints or tricks on how to keep our system dual-stacked without abandoning our IPv6 design or manually adding each IP resource twice? The lack of IPv6 support makes many cool features useless, e.g. the FSSO agent. I bet users in IPv6 networks won't be resolved dynamically to address objects and get no access, unless they disable IPv6 on their PCs.

How do you work with dual-stacked servers without adding everything twice and manually adding 128-bit-long addresses, which are more likely to have typos than legacy IPs?

Kind regards,

Florian

3 REPLIES

FloToHu
New Contributor II

Hmmm, seems nobody uses IPv6 with a FortiGate. That explains the lack of IPv6 support when nobody asks for these features.

Well, I found the solution myself. Since FortiGate cannot work with dual-stacked objects, you have to create a separate address6 FQDN object, which means that you have twice the work, and thus we will skip IPv6 since the IPv6 support is simply too bad. No wonder that IPv6 does not advance due to this chicken-and-egg problem.

lobstercreed

I think you've summed up the last 20-30 years perfectly. I AM doing some IPv6 things and try to design all new networks to run dual-stacked, but ultimately it is twice the work, yes. Just doesn't seem to be worth it.

I tried one time a couple of years ago configuring myself as an IPv6-only host and found there were tons of mainstream websites I couldn't get to (Amazon.com, some Google pages, Microsoft.com, and the list goes on), so I decided I would stop spending too much time on IPv6. It's kind of sad, but also NAT works fine for most people, so I get it. :\

emnoc
Esteemed Contributor III

IPv6 support in FortiOS is very strong, if not the strongest in the industry; you just need to know what you are doing ;

SOCPUPFGT02 # diag firewall fqdn6 list
List all FQDN:
youtube.com: ID(95) REF(1) ADDR(2607:f8b0:4000:80b::200e)

config firewall address6
    edit "yt"
        set uuid fb899cca-40fd-51ec-cee5-541d21202217
        set type fqdn
        set fqdn "youtube.com"
    next
end

Ken Felix
PCNSE
NSE
StrongSwan
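Added example, not code from this thread or from Fortinet: a small Python helper that takes the "twice the work" out of the pattern emnoc's answer shows. For a list of hostnames it generates the matching pair of FQDN objects (an IPv4 `firewall address` entry for the A records and an IPv6 `firewall address6` entry for the AAAA records) plus one `addrgrp`/`addrgrp6` group per family, and it parses `diag firewall fqdn6 list` output to flag any host whose address6 object has not resolved. The `<host>` / `<host>-v6` naming convention, the group names, the sample host list and the second line of the sample diagnostic output are assumptions constructed for this example; the first diagnostic line is the one quoted in the thread. The interpretation that an entry with no `ADDR(...)` means "no AAAA answer yet" is also an assumption.

```python
"""Generate paired IPv4/IPv6 FQDN objects for FortiOS and check that the
IPv6 ones actually resolved. Added example, not Fortinet code."""
import re

# Hostnames that must stay reachable over both address families.
# Constructed sample input for this example.
HOSTS = ["youtube.com", "legacy-app.example.com"]


def object_names(host):
    """Naming convention assumed by this example: '<host>' for the IPv4
    object, '<host>-v6' for the IPv6 object."""
    return (host, host + "-v6")


def _fqdn_objects(table, hosts, pick):
    """Render one 'config <table>' block with a type-fqdn entry per host."""
    out = [f"config {table}"]
    for h in hosts:
        out += [f'    edit "{pick(object_names(h))}"',
                "        set type fqdn",
                f'        set fqdn "{h}"',
                "    next"]
    out.append("end")
    return out


def _group(table, name, members):
    """Render an address group so a policy references one name per family."""
    return [f"config {table}",
            f'    edit "{name}"',
            "        set member " + " ".join(f'"{m}"' for m in members),
            "    next",
            "end"]


def dual_stack_cli(hosts, group=None):
    """Return the CLI text creating both the A-record (firewall address) and
    the AAAA-record (firewall address6) FQDN object for every host, and,
    if 'group' is given, an addrgrp and an addrgrp6 collecting them."""
    lines = _fqdn_objects("firewall address", hosts, lambda n: n[0])
    lines += _fqdn_objects("firewall address6", hosts, lambda n: n[1])
    if group:
        lines += _group("firewall addrgrp", group,
                        [object_names(h)[0] for h in hosts])
        lines += _group("firewall addrgrp6", group + "-v6",
                        [object_names(h)[1] for h in hosts])
    return "\n".join(lines) + "\n"


# One entry per line, in the shape shown in the thread:
#   youtube.com: ID(95) REF(1) ADDR(2607:f8b0:4000:80b::200e)
# Treating an entry with no ADDR(...) as "not resolved" is an assumption.
_ENTRY = re.compile(r"^(?P<fqdn>\S+):\s+ID\((?P<id>\d+)\)")
_ADDR = re.compile(r"ADDR\(([^)]+)\)")


def parse_fqdn6_list(text):
    """Map each FQDN in 'diag firewall fqdn6 list' output to its AAAA results."""
    resolved = {}
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:            # skips the 'List all FQDN:' header line
            continue
        resolved[m.group("fqdn")] = _ADDR.findall(line)
    return resolved


def unresolved(hosts, fqdn6_output):
    """Hosts whose address6 object has no AAAA answer: a policy built on
    them will silently fail to match IPv6 clients or servers."""
    got = parse_fqdn6_list(fqdn6_output)
    return sorted(h for h in hosts if not got.get(h))


# Constructed sample of the diagnostic output. The youtube.com line is the
# one quoted in the thread; the second line is made up for a host that has
# no AAAA record.
SAMPLE_FQDN6 = """List all FQDN:
youtube.com: ID(95) REF(1) ADDR(2607:f8b0:4000:80b::200e)
legacy-app.example.com: ID(96) REF(1)
"""

if __name__ == "__main__":
    print(dual_stack_cli(HOSTS, group="web-dual"))
    print("no AAAA answer yet:", unresolved(HOSTS, SAMPLE_FQDN6))
```

Paste the generated text into the CLI (or push it through your configuration-management tooling), reference `web-dual` in the IPv4 policy and `web-dual-v6` in the IPv6 policy, then feed the real `diag firewall fqdn6 list` output to `unresolved()` to catch hosts that only answer for A records before their IPv6 policy goes live.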