FortiGate
anignan
Staff
Article Id 285156
Description: This article describes how to prevent one or more IPv6 addresses from using a NAT64 firewall policy.
Scope: All versions of FortiOS.
Solution

There are two options to prevent IPv6 addresses from using NAT64 policies:

  • In the NAT64 Virtual IP, restrict the source filter to the range of allowed IPv6 addresses. A source outside that range does not match the VIP, so it cannot use the NAT64 policy and falls through to the implicit deny. In the screenshot below, 2001:ab::20 is outside the range, so it is prevented from using NAT64:

 

[Screenshot: NAT64 Virtual IP with the allowed IPv6 range in the source filter]

 

  • Use an IPv6 address or address group as the source of the NAT64 firewall policy and enable srcaddr6-negate. With negation the policy matches every IPv6 source except the listed ones, so only the excluded addresses are denied:

config firewall policy
    edit 1
        set name "nat64"
        set srcintf "port5"
        set dstintf "WAN1"
        set action accept
        set nat64 enable
        set srcaddr6 "2001:ab::20"
        set dstaddr6 "vip64"
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "vip64"
        set srcaddr6-negate enable
    next
end

 

All IPv6 addresses will be allowed except for 2001:ab::20. The source can also be an IPv6 range or an address group containing several addresses. Because the negated policy matches everything not in the list, keep any more specific NAT64 policies above it, and note that the excluded hosts only stay blocked if no later policy accepts them.
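The following is an added example, not configuration from the original article or from Fortinet, that shows both options in CLI form: a vip6 with a source filter (option 1) and an address6 group excluded through srcaddr6-negate (option 2). It assumes FortiOS 7.0 or later, where NAT64 is configured with config firewall vip6 (set nat64 enable) and an IPv4 ippool (set nat64 enable). The interface names, object names, the client prefix 2001:ab::/64, the extip under the well-known 64:ff9b::/96 prefix and the 10.1.100.0/24 addresses are placeholders chosen for the example.

```fortios
# Added example, not from the original article. All addresses and object names are assumptions.
# Lines starting with "#" are explanation only and must be removed before pasting into the CLI.

# Option 1: VIP source filter. Only sources inside 2001:ab::1-2001:ab::1f match the VIP,
# so 2001:ab::20 never matches the NAT64 policy and is dropped by the implicit deny.
config firewall vip6
    edit "vip64"
        set extip 64:ff9b::a01:64c8
        set mappedip 10.1.100.200
        set nat64 enable
        set src-filter "2001:ab::1-2001:ab::1f"
    next
end

# IPv4 pool that supplies the translated source address for NAT64 sessions (assumed values).
config firewall ippool
    edit "nat64-pool"
        set startip 10.1.100.100
        set endip 10.1.100.100
        set nat64 enable
    next
end

# Option 2: explicit exclusion list. A single host and a range are grouped so the list
# can grow without editing the policy itself.
config firewall address6
    edit "nat64-excluded-host"
        set ip6 2001:ab::20/128
    next
    edit "nat64-excluded-range"
        set type iprange
        set start-ip 2001:ab::30
        set end-ip 2001:ab::3f
    next
end

config firewall addrgrp6
    edit "nat64-excluded"
        set member "nat64-excluded-host" "nat64-excluded-range"
    next
end

# srcaddr6-negate makes the policy match every IPv6 source that is NOT in the group.
config firewall policy
    edit 1
        set name "nat64"
        set srcintf "port5"
        set dstintf "WAN1"
        set action accept
        set nat64 enable
        set srcaddr6 "nat64-excluded"
        set srcaddr6-negate enable
        set dstaddr6 "vip64"
        set schedule "always"
        set service "ALL"
        set ippool enable
        set poolname "nat64-pool"
        set logtraffic all
    next
end
```

With logtraffic all enabled, a connection attempt from 2001:ab::20 (or from any host in 2001:ab::30-2001:ab::3f) shows up in the forward traffic log as denied by the implicit deny policy, while a host such as 2001:ab::10 gets a NAT64 session through policy 1. The two options can be combined; when they are, a source must be inside the VIP source filter and outside the negated group to use NAT64.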

 

Related article:

Simplify NAT46 and NAT64 policy and routing configurations - FortiGate documentation.
