Hello, we are planning to implement dual stack for Forticlient SSLVPN users. (FortiOS 7.0.14, Forticlient 7.0.7 free version)
We are aware that when using dual stack the firewall policies MUST be configured with both IPv4 and IPv6 stacks.
We have an SSL pool of addresses for IPv4 and another SSL pool of addresses for IPv6.
Questions:
1) - Does forticlient get both an IPv4 and an IPv6 when connected? (Dual stack enabled in Forticlient)
2)- Since NAT is required for IPv4 to work (in example: SSLVPN -> Internet ), how is IPv6 traffic handled?
Do you require to also use an IPv6 address in the outbound firewall rule to NAT the outgoing traffic?
Thanks
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello edson2024,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello edson2024,
We are still looking for someone to help you.
We will come back to you ASAP.
Regards,
Hello edson 2024,
Did you have a look at this document?:
Tell me if it helping. If not, we will continue to investigate.
Regards,
Hi.. yes, i had a look into that document, it does not address the issue... We are not using (or planning to use) the "Enabled based on policy destination" option, for us, Split tunneling is disabled and the policies will be source All destination All...
thanks
Hello edson,
Oh ok! We will continue to have a look then.
Regards,
hi, anything? ... it cannot be that complex
Hi edson2024,
1) Yes, FCT does get both ipv4 and ipv6 when dual stack enabled, albeit in FCT GUI it will only show ipv4 IP it gets.
2) As it is full tunnel, I'd reckon you will need to include ipv6 address in FW policy.
Per the dual-stack referenced, you would enable Dual-Stack on the FortiGate VPN Gateway setup as well as in the EMS FortiClient setup. If NAT is enabled on the dual-stack Firewall Policy, it enables both IPv4 NAT and IPv6 NAT66 (both enabled by default when selecting NAT option), thus NAT sources from the egress interface's IP address (IPv4/6 address election depends on if the client initiates traffic on IPv4 or IPv6). There are other NAT options, such as: NAT46, NAT64, NAT Pools or you could choose to setup central NAT...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.