New Contributor

Drop IPv6



I have Comcast as my ISP and am seeing a large amount of "reverse path check failed, drop" messages. I believe it is because there is a rogue device on the Comcast side that is spewing IPv6 at the WAN interface. I understand it is due to anti-spoofing, but was hoping there is a way to just drop it. The exact log message looks like this:


"10 27 2015 07:30:29 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 msg="reverse path check failed, drop"


Is there a way to drop this message without logging it?  I want to log other invalid IPv4 packets but just not this IPv6 stuff.  Any ideas?


TIA, Joe

Esteemed Contributor III

A suggestion: can you write a local-in-policy6 for this source or dest { ff02::1:ff1a:4566 } and drop it?


(e.g. assuming you have a group with all of the offenders listed and the host added in)


config firewall address6
    edit badhost1
        set ip6 2001:558:4082:38::1/64
    next
end

config firewall addrgrp6
    edit OFFENDER_GROUP
        set member badhost1
        set comment "my bad guy lists"
        set color 32
    next
end

config firewall local-in-policy6
    edit 0
        set intf wan1
        set srcaddr OFFENDER_GROUP
        set dstaddr all
        set action deny
        set service ALL
        set schedule always
        set comment "drop these src ipv6 address SOCPUPPETS"
    next
end


I believe traffic dropped at the local-in-policy6 would override any logging. Test this behavior and see if it meets your goal and requirements.



What is the IPv6 address on your WAN & LAN interfaces? And you do know that's an IPv6 multicast dst_address?
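As an added example (not from either poster), a small Python log filter for the situation in the thread: it parses the quoted FortiGate key=value log line and discards only reverse-path drops that are IPv6 neighbour solicitations (proto 58 = ICMPv6, type 135) to a solicited-node multicast group, while keeping IPv4 reverse-path drops for review. The IPv4 sample line is constructed.

```python
import ipaddress
import re

# Constructed sample: the FortiGate log line quoted in the thread, as one string.
SAMPLE_V6_LOG = (
    '10 27 2015 07:30:29 <LOC7:WARN> date=2015-10-27 time=07:25:01 devname=FortiGate '
    'devid=FWF60D logid=0000000006 type=traffic subtype=forward level=warning vd=root '
    'srcip=2001:558:4082:38::1 srcname="2001:558:4082:38::1" srcintf="wan1" '
    'dstip=ff02::1:ff1a:4566 dstname="ff02::1:ff1a:4566" dstintf=unknown-0 proto=58 '
    'action=deny policyid=0 dstcountry="Reserved" srccountry="United States" trandisp=noop '
    'service="icmp6/135/0" duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 '
    'msg="reverse path check failed, drop"'
)
# Constructed IPv4 RPF drop (not from the thread) that the poster wants to keep logging.
SAMPLE_V4_LOG = (
    'date=2015-10-27 time=07:26:11 devname=FortiGate type=traffic subtype=forward '
    'srcip=10.0.0.5 srcintf="wan1" dstip=192.0.2.9 dstintf=unknown-0 proto=17 '
    'action=deny policyid=0 service="udp/53" msg="reverse path check failed, drop"'
)

# key=value pairs; quoted values may contain spaces (e.g. msg="...").
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Solicited-node multicast range (RFC 4291): the ff02::1:ffXX:XXXX destinations
# that IPv6 neighbour solicitations are sent to.
SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")

def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict, stripping quotes."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}

def is_ipv6_ns_rpf_noise(fields):
    """True only for the pattern in the thread: an RPF-failed IPv6 neighbour
    solicitation (proto 58 = ICMPv6, type 135) aimed at a solicited-node group."""
    if fields.get("msg") != "reverse path check failed, drop":
        return False
    try:
        dst = ipaddress.ip_address(fields.get("dstip", ""))
    except ValueError:
        return False
    return (dst.version == 6 and dst in SOLICITED_NODE
            and fields.get("proto") == "58"
            and fields.get("service", "").startswith("icmp6/135/"))

def filter_rpf_logs(lines):
    """Keep every RPF-drop line except the IPv6 neighbour-solicitation noise."""
    return [line for line in lines if not is_ipv6_ns_rpf_noise(parse_fortigate_log(line))]

if __name__ == "__main__":
    for kept in filter_rpf_logs([SAMPLE_V6_LOG, SAMPLE_V4_LOG]):
        print(kept)
```

Because the match is on the full pattern (message text, ICMPv6 type and solicited-node destination) rather than on "any IPv6", other IPv6 reverse-path failures still reach the log.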