Fortigate IPv6

From AAISP Support Site
Revision as of 23:59, 17 August 2018 by Reedy (talk | contribs) (clean up, typos fixed: coverd → covered, sucessfully → successfully, useage → usage, ie → i.e. , eg → e.g. (2))

From a customer: Fortinet Fortigate Native IPv6 support on A&A's Network.

Introduction

The Fortinet range of Fortigate/ FortiWifi products are high end security products targeted at corporate security solutions. Fortinet's Unified Threat Management (UTM) solutions are well regarded and provide independently reviewed and tested levels of protection against numerous threats. In addition to a fully stateful firewall (typical in most consumer products) Fortigate and FortiWifi products support:-

  • Full control of incoming and outgoing traffic flow (i.e. nothing can leave or enter the protected network unless explicitly permitted).
  • Anti-virus protection which can be applied to any firewall flow (removing viruses before traffic reaches the end device).
  • Botnet/ Command & Control server mitigation (blocking outgoing and incoming connections to and from known Botnet/ Command & Control servers).
  • Web Filtering (which allows categories of sites to be allowed or blocked. e.g. media streaming sites can be blocked to prevent excess bandwidth usage).
  • Application control (allowing specific applications to be allowed or blocked. e.g. BitTorrent can be blocked to prevent downloads of potentially copyrighted material).
  • Dynamic updating of services to protect against new threats.
  • Support of enterprise features such as VLANs, QoS, additional Wireless Access Points and advanced routing configurations.

While these features can be complex to set up they offer excellent levels of granularity, security and filtering which make them useful in a larger or more advanced network. Products to support a small business or larger home network would generally be found in the 30-90 series of devices. Further information on Fortinet products can be found at https://www.fortinet.com/products/firewalls/firewall/fortigate-entry-level.html .

Fortigate/ FortiWifi Pre-requisites for IPv6 on A&A ISP

Native IPv6 on A&A's network requires:-

  • A WAN interface address assigned via a DHCPv6 Identity Association (IA).
  • Delegation of an IPv6 prefix via DHCPv6 Prefix Delegation (DHCP-PD).

This is described on the A&A website here https://support.aa.net.uk/Category:IPv6

To support this configuration on Fortigate/ FortiWifi products requires the FortiOS 5.6 release, which became available in early April 2017. This release supports "multiple PPPoE connections on a single interface (Feature 363958)", which allows the A&A native IPv6 configuration (IA and PD) to be successfully configured. Upgrade to the 5.6 release (or later if available) before attempting to set up native IPv6 on your Fortigate.

The setup is most easily done on a default Fortigate/ FortiWifi configuration. Once the native IPv6 interface is set up a new virtual interface will be created which carries the IPv4 connection as well as the native IPv6 connection. On an existing configuration the IPv4 PPPoE configuration on the physical interface will need to be removed, otherwise there will be two entries in the IPv4 routing table. In an existing configuration all policies need to be redirected to the new virtual interface once it has been configured; for a new configuration, the new firewall policies are directed towards the virtual interface. Lastly, for IPv6 a default static route needs to be set towards the virtual interface.

I've not covered the LAN side of the configuration. This depends on your requirements: both stateless configurations (no DHCPv6 server, with the client configuring its IP address based on IPv6 prefix advertisements) and stateful configurations (based on a DHCPv6 server) are possible.

Configuration Details

The first two steps need to be completed via the CLI. You will need to be able to SSH into your Fortigate/ FortiWifi using PuTTY or a similar product.

Setup of the virtual WAN port via IA:-

config system pppoe-interface
edit pppoe1
set device port4
set username <pppoe-username>
set password <pppoe-password>
set ipv6 enable
next
end

Note that "pppoe1" will be the name of the virtual interface and "port4" will be your WAN port which has the virtual interface associated with it. The username and password are your A&A PPPoE login details (the same ones that were on the physical port's IPv4 PPPoE configuration, if you are converting an existing setup); the angle-bracket values above are placeholders.


Setup of the Prefix Delegation:-

config system interface
edit pppoe1
config ipv6
set ip6-mode dhcp
set dhcp6-prefix-delegation enable
end
next
end

This will allow the prefix delegated by A&A over DHCPv6 (/64 is standard for A&A) to be assigned to the virtual interface.

Static Route

A default IPv6 static route can be set via the Web GUI or via the CLI. It is set as follows:-

Destination: ::/0   (i.e. all IPv6 addresses)
Device:      pppoe1 (the virtual interface created in steps 1 & 2)
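The three steps above, plus the IPv6 firewall policy that the text says must point at the new virtual interface, collected into one FortiOS CLI listing. This is an added example and is not configuration from the original page or from Fortinet: it assumes FortiOS 5.6 CLI syntax, the interface names pppoe1 and port4 from the page, a LAN interface named "internal", and placeholder PPPoE credentials. The LAN-side stanza (ip6-mode delegated / ip6-delegated-prefix-list) is included only to illustrate the stateless prefix-advertisement option the text mentions, from memory of the 5.6 syntax, so check it against your release's CLI reference before relying on it.

```text
# Step 1: PPPoE virtual interface on the WAN port, with IPv6 (IA) enabled.
# <pppoe-username>/<pppoe-password> are placeholders for your A&A login.
config system pppoe-interface
    edit "pppoe1"
        set device "port4"
        set username "<pppoe-username>"
        set password "<pppoe-password>"
        set ipv6 enable
    next
end

# Step 2: request a delegated prefix over DHCPv6 on the new interface.
config system interface
    edit "pppoe1"
        config ipv6
            set ip6-mode dhcp
            set dhcp6-prefix-delegation enable
        end
    next
end

# Step 3: default IPv6 route out of the virtual interface.
config router static6
    edit 1
        set dst ::/0
        set device "pppoe1"
    next
end

# Assumed LAN side (stateless): take one /64 from the delegated prefix,
# give the firewall ::1 in it and advertise it to clients.
# The interface name "internal" is an assumption.
config system interface
    edit "internal"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "pppoe1"
            set ip6-subnet ::1/64
            set ip6-send-adv enable
            config ip6-delegated-prefix-list
                edit 1
                    set upstream-interface "pppoe1"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:1::/64
                next
            end
        end
    next
end

# Outbound-only IPv6 policy to the virtual interface (FortiOS 5.6 keeps
# IPv6 policies under "firewall policy6"). Nothing inbound is permitted
# unless a separate policy explicitly allows it.
config firewall policy6
    edit 1
        set name "lan-to-internet-v6"
        set srcintf "internal"
        set dstintf "pppoe1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Checks: the WAN address and delegated prefix should be listed, and the
# IPv6 default route should point at pppoe1.
diagnose ipv6 address list
get router info6 routing-table
```

The lines beginning with # are commentary; if your CLI rejects them, drop them before pasting. On an existing configuration, remove the IPv4 PPPoE settings from port4 and repoint the existing IPv4 policies and default route at pppoe1 before applying this, for the reasons given in the prerequisites section.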