FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vprabhu_FTNT
Staff

Description


Fortinet's DNS resolves the FortiGuard-related servers to both IPv4 and IPv6 addresses.
The FortiOS daemons that talk to FortiGuard (update, forticldd, url) connect over either IPv4 or IPv6.
Whichever connection comes up first is used for updates and for the rating service.

This article describes how to configure an interface and route for IPv6.

Scope


For version 6.2.2.

Solution


To configure an IPv6 address on the WAN interface and an IPv6 default route (a static6 entry with no dst set is the default route ::/0). The interface name and addresses below are placeholders; substitute your own:

# config system interface
    edit "wan1"
        set vdom "root"
        config ipv6
            set ip6-address 2000:172:16:200::1/64
        end
    next
end
# config router static6
    edit 1
        set gateway 2000:172:16:200::254
        set device "wan1"
    next
end

To configure push updates:

# config system autoupdate push-update
    set status enable
    set override enable
    set address "2620:101:9005:3860::94"
end

To trigger an update through FortiGuard immediately, run '# exec update-now'.
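As an added verification sequence (not part of the original article), the FortiOS 6.2 CLI commands below confirm that the IPv6 default route is installed, that the gateway and the FortiGuard server are reachable over IPv6, and that the unit holds a valid contract, before moving on to the troubleshooting steps. The interface name wan1 and the addresses are the placeholder values assumed in the configuration above.

```text
# get router info6 routing-table
# exec ping6 2000:172:16:200::254
# exec ping6 2620:101:9005:3860::94
# diag autoupdate versions
# diag autoupdate status
# diag debug rating
```

The routing table should list a static entry for ::/0 via 2000:172:16:200::254 on wan1; if it is missing, the gateway is not on-link for the configured prefix or the static6 entry was not saved. The first ping6 proves the next hop answers, the second that the path to FortiGuard works. 'diag autoupdate versions' shows the contract expiry date for each service and the FDS address in use, 'diag autoupdate status' shows whether the FDN is reachable and whether push updates are enabled, and 'diag debug rating' lists the rating servers the url daemon has learned, which should include IPv6 addresses when IPv6 resolution is working.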

Troubleshooting steps:


1) Verify that a valid current contract is registered against FortiGate. The registration code/contract number may be registered at https://support.fortinet.com after purchase.


2) Create a firewall policy that includes a UTM profile and FortiGuard web filtering.


3) After activation, the FortiGuard network propagates the contract information to all of its servers, which can take up to 48 hours. If the contract was activated within the last day, wait 24 hours before continuing with the steps below.

 

Once it is certain that the servers hold the correct contract information and the FortiGate is simply not receiving it, the first test is:

 

# exec ping6 2620:101:9005:3860::94

 

4) If the ping fails, the FortiGate cannot reach the FortiGuard server over IPv6. Apart from the possibility that the FortiGate has no IPv6 Internet connectivity at all, the most common cause is that the FortiGate is sending its locally generated traffic (update requests and pings included) into a VPN tunnel or out of the wrong interface.

 

The following commands can assist you in troubleshooting:

 

# diag debug reset
# diag debug enable
# diag debug flow show console enable
# diag debug flow show function-name enable
# diag debug flow filter6 addr 2620:101:9005:3860::94
# diag debug flow trace start6 1000
# exec ping6 2620:101:9005:3860::94

 

The output shows the route the packet takes and whether it is matched into a VPN tunnel.
If the traffic is indeed entering a VPN tunnel, edit the firewall policy for that tunnel and change its source and destination addresses to match the actual source and destination subnets, so that locally generated traffic to the Internet no longer matches it.

 

Once the test is complete, stop the trace and disable the debug output:


# diag debug flow trace stop
# diag debug disable
# diag debug reset

 

5) If the issue is still not resolved, collect update daemon debug output and a packet capture. The sniffer blocks the CLI session it runs in until stopped with Ctrl-C, so start it in one session and trigger the update from a second one.

 

In the first session, start the sniffer (verbosity 6 shows interface names and packet contents, count 0 runs until stopped, l adds local timestamps):

# diag sniffer packet any "host 2620:101:9005:3860::94" 6 0 l

In the second session, enable the update daemon debug and trigger the update:

# diag debug enable
# diag debug application update 255
# exec update-now

When the update attempt has finished, stop the sniffer with Ctrl-C and disable debugging with '# diag debug disable'.

 

If the issue is still not resolved, open a ticket with Fortinet support.
Include the output of all the debug commands above.