What's new for IPv6 in FortiOS 5.4
New features in 5.4.0
DHCPv6 server is configurable in delegated mode (295007)
Downstream IPv6 interfaces can receive address assignments on delegated subnets from a DHCP server that serves an upstream interface.
Enable DHCPv6 Prefix Delegation on upstream interface (port10):
config system interface
    edit "port10"
        config ipv6
            set dhcp6-prefix-delegation enable
        end
end
Assign delegated prefix on downstream interface (port1). Optionally, specific delegated prefixes can be specified:
config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
            set ip6-subnet ::1:0:0:0:1/64
            set ip6-send-adv enable
            config ipv6-delegated-prefix-list
                edit 1
                    set upstream-interface "port10"
                    set autonomous-flag enable
                    set onlink-flag enable
                    set subnet 0:0:0:100::/64
            end
        end
end
DHCPv6 Server configuration
Configuring a server that uses delegated prefix and DNS from upstream:
config system dhcp6 server
    edit 1
        set dns-service delegated
        set interface "wan2"
        set upstream-interface "wan1"
        set ip-mode delegated
        set subnet 0:0:0:102::/64
end
FortiGate can connect to FortiAnalyzer using IPv6 addresses (245620)
When configuring your FortiGate to send logs to a FortiAnalyzer you can specify an IPv4 or an IPv6 address.
IPv6 neighbor discovery limits changes (248076)
You can use the following command to configure the maximum number of IPv6 neighbors that can be discovered by the IPv6 Neighbor Discovery Protocol (NDP) and added to the IPv6 neighbor database.
config system global
    set ndp-max-entry <integer>
end
The number of entries can be in the range 65,536 to 2,147,483,647. The default value of 0 means 65,536 entries.
Support IPv6 blackhole routing (220101)
Similar to IPv4 blackhole routing, IPv6 blackhole routing is now supported. Use the following command to enable IPv6 blackhole routing:
config router static6
    edit <integer>
        set blackhole {enable | disable}
end
TFTP session helper for IPv6 (263127)
TFTP is supported over NAT66 and NAT46.
FTP, PPTP and RTSP session helper enhancements for IPv6 (244986)
The FTP, PPTP and RTSP session helpers support NAT-64 customer-side translator (CLAT) sessions.
Central Management ratings and update servers can use IPv6 addresses (297144)
You can configure servers for Central Management using either IPv4 or IPv6 addresses. The addr-type field sets the address type. The address is entered in the server-address or server-address6 field as appropriate.
config system central-management
    set type fortimanager
    set fmg "2000:172:16:200::207"
    set vdom "vdom1"
    set server-type rating update
    set addr-type ipv6
    set server-address6 2000:172:16:200::207
end
Allow asymmetric routing for ICMP (258734)
Where network topology requires asymmetric routing for ICMP traffic, you can configure the FortiGate to permit the asymmetric ICMP traffic. This is done in the CLI. There are separate fields for IPv4 and IPv6 versions of ICMP.
config system settings
    set asymroute-icmp enable
    set asymroute-icmp6 enable
end
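The following is an added example, not Fortinet code: a small parser for the nested config/edit/set syntax shown on this page, used to review a configuration backup for the ndp-max-entry range and the asymroute-icmp and asymroute-icmp6 settings described above. The function names parse_fortios and audit are hypothetical and the sample configuration is constructed.

```python
import shlex

# Constructed sample in FortiOS backup syntax (not from a real device).
SAMPLE = """\
config system global
    set ndp-max-entry 1000
end
config system settings
    set asymroute-icmp6 enable
end
config system interface
    edit "port1"
        config ipv6
            set ip6-mode delegated
            set ip6-upstream-interface "port10"
        end
    next
end
"""

def parse_fortios(text):
    """Flatten nested config/edit blocks into {path_tuple: {key: [values]}}."""
    path, settings = [], {}
    for line in text.splitlines():
        tok = shlex.split(line) or [""]  # shlex strips quotes, e.g. "port1"
        if tok[0] == "config":
            path.append(" ".join(tok))
        elif tok[0] == "edit" and len(tok) > 1:
            path.append("edit " + tok[1])
        elif tok[0] in ("next", "end") and path:
            # "end" typed inside an edit closes the edit and its table
            if tok[0] == "end" and len(path) > 1 and path[-1].startswith("edit "):
                path.pop()
            path.pop()
        elif tok[0] == "set" and len(tok) > 2:
            settings.setdefault(tuple(path), {})[tok[1]] = tok[2:]
    return settings

def audit(text):
    """Return findings for the IPv6 settings this page describes."""
    cfg, out = parse_fortios(text), []
    ndp = int(cfg.get(("config system global",), {}).get("ndp-max-entry", ["0"])[0])
    if ndp != 0 and not 65536 <= ndp <= 2147483647:  # range stated on the page
        out.append(f"ndp-max-entry {ndp} is outside 65536-2147483647")
    sett = cfg.get(("config system settings",), {})
    out += [f"{k} is enabled (asymmetric ICMP permitted)"
            for k in ("asymroute-icmp", "asymroute-icmp6") if sett.get(k) == ["enable"]]
    return out
```

The parser works line by line, so multi-line quoted values in a real backup (certificates, for example) need to be stripped or handled before it is run.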