Article Id 194794
Description
UTM is not available on NAT64 policies, so a native IPv6 VDOM is required to apply it before the traffic is translated.

This article describes how to apply UTM to NAT64 traffic.

Solution
To accomplish UTM filtering, use two VDOMs:
- A native IPv6 VDOM that uses regular IPv6 policies with UTM profiles and routes traffic over an IPv6 vdom-link to the VDOM that has IPv4 Internet access.
- In the VDOM with IPv4 Internet access, apply the NAT64 policies.

Initial considerations:

- VDOM root has Internet access.
- VDOM TransIPv6 is the VDOM with native IPv6 networks/support.
- Some interface settings are omitted because they depend on the platform (physical or VLAN interface). The WAN example below enables HTTPS administrative access (allowaccess ping https); limit that to what your environment requires.

- Create a transit VDOM


# config vdom
   
edit TransIPv6
    end

- Create Inter-VDOM link

# config global
# config system vdom-link 
     edit "ip64"
     next
     end

# config system interface
    edit "ip640"
        set vdom "TransIPv6"
        set type vdom-link
        config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:470:4b:37c:1000::1/72
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
            config ip6-prefix-list
                edit 2001:470:4b:37c::/64
            next
        end
    end
    next

    edit "ip641"
           set vdom "root"
           set type vdom-link
      config ipv6
            set ip6-allowaccess ping
            set ip6-address 2001:470:4b:37c:1000::2/72
            set ip6-send-adv enable
            set ip6-manage-flag enable
            set ip6-other-flag enable
       config ip6-prefix-list
    edit 2001:470:4b:37c::/64
            next
      end
    end
    next

    edit "LAN"
         set vdom "TransIPv6"
         config ipv6
             set ip6-allowaccess ping
             set ip6-address 2001:470:4b:37c::1/72
             set ip6-send-adv enable
             set ip6-manage-flag enable
             set ip6-other-flag enable
             config ip6-prefix-list
                edit 2001:470:4b:37c::/72
                next
             end
        end
    next
   
    edit "WAN"
        set vdom "root"
        set ip 201.123.235.1 255.255.255.0
        set allowaccess ping https
        set vlanforward enable
        set type physical
        set snmp-index 31
    next
 end

- Configure Transit VDOM network settings

# config vdom
    edit TransIPv6
    config system dhcp6 server
    edit 1
         set rapid-commit enable
         set lease-time 300
         set interface "LAN"
    config ip-range
    edit 1
         set start-ip 2001:470:4b:37c::1000
         set end-ip 2001:470:4b:37c::100a
    next
    end
         set dns-server1 2001:470:4b:37c:1000::2
    next
    end
    config router static6
    edit 1
        set gateway 2001:470:4b:37c:1000::2
        set device "ip640"
    next
    end

    # config firewall policy6
        edit 1
            set srcintf "LAN"
            set dstintf "ip640"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set webfilter-profile "myWebFilter"
            set profile-protocol-options "default"
            set ssl-ssh-profile "deep-inspection"
        next
        edit 2
            set srcintf "ip640"
            set dstintf "DMZ"
            set srcaddr "all"
            set dstaddr "my_6server"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ips-profile "protect_server"
            set profile-protocol-options "default"
            set ssl-ssh-profile "certificate-inspection"
        next
    end
end

- Configure root VDOM network settings

# config vdom
    edit root
        config system nat64
            set status enable
        end
        config system dns-server
        edit "ip641"
        next
        end
        config firewall address6
        edit "l_IPv6"
            set ip6 2001:470:4b:37c::/72
        next
        end
        config firewall ippool
            edit "nat64_pool"
                set type port-block-allocation
                set startip 201.123.235.10
                set endip 201.123.235.50
            next
            end
            config router static6
            edit 1
                set dst 2001:470:4b:37c::/72
                set gateway 2001:470:4b:37c:1000::1
                set device "ip641"
            next
            end
       
        # config firewall policy64
            edit 1
                set srcintf "ip641"
                set dstintf "WAN"
                set srcaddr "l_IPv6"
                set dstaddr "all"
                set action accept
                set schedule "always"
                set service "ALL"
                set ippool enable
                set poolname "nat64_pool"
            next
        end
       
        # config firewall policy64
            edit 1
                set srcintf "WAN"
                set dstintf "ip641"
                set srcaddr "all"
                set dstaddr "server_VIP64"
                set action accept
                set schedule "always"
                set service "ALL"
                set nat enable
            next
       end



