
IPv6 Firewall Policies

If you have IPv6 connectivity, you need IPv6 firewall policies. They are separate from IPv4 policies: an IPv4 policy does not match IPv6 traffic at all. A common oversight is to harden IPv4 carefully while never reviewing what the firewall accepts over IPv6, which leaves hosts reachable on their globally routable IPv6 addresses through controls that only exist for IPv4.

Before You Start

  • IPv6 is configured on the relevant interfaces (assigned addresses, gateway).
  • You understand IPv6 addressing basics (/64 per LAN, ULAs, link-local, etc.).
  • You've decided your IPv6 default posture: permissive (mirroring your IPv4 policy set) or restrictive (deny by default, allow only what you need). IPv6 hosts normally carry globally routable addresses with no NAT in front of them, so inbound policy deserves more scrutiny than its IPv4 counterpart.

Enable IPv6 Visibility in the GUI

  1. System → Feature Visibility.
  2. Toggle IPv6 on.
  3. Apply.

This adds IPv6 Policy under Policy & Objects. On FortiOS 6.4 and later, IPv4 and IPv6 policies are consolidated: the separate IPv6 Policy page is gone, IPv6 rules are created on the regular Firewall Policy page using IPv6 address objects, and in the CLI they live in config firewall policy (with the IPv6 objects in srcaddr6 / dstaddr6) rather than config firewall policy6.

Steps

  1. Policy & Objects → IPv6 Policy → + Create New.
  2. Fill in (mirrors IPv4 policy form):
    • Name — e.g. LAN-to-WAN-IPv6.
    • Incoming Interface / Outgoing Interface.
    • Source — IPv6 address object (or all).
    • Destination — IPv6 address object (or all).
    • Schedule — always.
    • Service — a service object. Predefined TCP/UDP port services apply to both families; ICMP services are family-specific, so use ALL_ICMP6 (or a custom ICMP6 service) rather than ALL_ICMP in an IPv6 policy.
    • Action — Accept / Deny.
    • NAT — typically OFF for IPv6. IPv6 was designed for end-to-end addressing, and reachability from outside is controlled by policy, not by hiding addresses. Use NAT66 (IPv6-to-IPv6 NAT) only in special cases where internal addressing genuinely must be hidden.
    • Logging / Security Profiles — same as IPv4.
  3. OK.

CLI Equivalent

config firewall policy6
edit 0
    set name "LAN-to-WAN-IPv6"
    set srcintf "internal"
    set dstintf "wan1"
    set srcaddr "all"
    set dstaddr "all"
    set action accept
    set schedule "always"
    set service "ALL"
    set logtraffic all
next
end

ICMPv6 — Don't Block Indiscriminately

IPv6 depends on ICMPv6 for functions that IPv4 handles by other means: Neighbor Discovery (replaces ARP), Router Advertisements (address and default-gateway provisioning), and Path MTU Discovery (IPv6 routers never fragment in transit, so if Packet Too Big is dropped, large transfers stall silently). Blocking all ICMPv6 breaks IPv6. RFC 4890 lists the ICMPv6 messages a firewall must not drop. For traffic transiting the firewall, permit at least:

  • Destination Unreachable (type 1)
  • Packet Too Big (type 2)
  • Time Exceeded (type 3)
  • Parameter Problem (type 4)
  • Echo Request / Echo Reply (types 128 / 129), unless you deliberately want to hide hosts from ping

Neighbor Solicitation / Advertisement (types 135 / 136) and Router Solicitation / Advertisement (types 133 / 134) are link-local: they are exchanged with hop limit 255 between hosts and the FortiGate's own interface and are never forwarded, so the FortiGate processes them on the interface itself and a forwarding policy never sees them. Be cautious with broad deny rules (a deny on service ALL also drops the error messages above); when you do restrict ICMPv6, prefer per-type services over a blanket ICMPv6 deny.
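
Putting the policy steps and the ICMPv6 guidance above together, here is an added example of a restrictive IPv6 policy set. It is example configuration written for this page, not FortiOS reference documentation or the original author's config, and it uses the FortiOS 6.2-style config firewall policy6 syntax shown in the CLI Equivalent section (on 6.4 and later the same policies go into config firewall policy with srcaddr6 / dstaddr6). The interface names internal and wan1, the documentation prefix 2001:db8:1::/64 for the LAN, and the upstream gateway 2001:db8:ffff::1 are assumptions. Outbound traffic from the LAN is allowed; inbound, only the transit ICMPv6 types that RFC 4890 says must not be dropped are permitted, and everything else inbound falls to the implicit deny.

```fortios
# Added example: restrictive IPv6 policy set (FortiOS 6.2-style policy6 syntax).
# Assumed values: LAN on "internal" with 2001:db8:1::/64, WAN on "wan1",
# upstream gateway 2001:db8:ffff::1. Replace with your own prefixes and names.

# IPv6 address objects live in their own table, separate from IPv4 "address".
config firewall address6
    edit "LAN-v6"
        set ip6 2001:db8:1::/64
    next
end

# One custom ICMPv6 service per type from the RFC 4890 "must not drop" set.
# Types 133-136 (RS/RA/NS/NA) are deliberately absent: they are link-local
# and are never forwarded, so a forwarding policy cannot match them anyway.
config firewall service custom
    edit "ICMPv6-Dest-Unreachable"
        set protocol ICMP6
        set icmptype 1
    next
    edit "ICMPv6-Packet-Too-Big"
        set protocol ICMP6
        set icmptype 2
    next
    edit "ICMPv6-Time-Exceeded"
        set protocol ICMP6
        set icmptype 3
    next
    edit "ICMPv6-Parameter-Problem"
        set protocol ICMP6
        set icmptype 4
    next
    edit "ICMPv6-Echo-Request"
        set protocol ICMP6
        set icmptype 128
    next
end

config firewall service group
    edit "ICMPv6-Transit"
        set member "ICMPv6-Dest-Unreachable" "ICMPv6-Packet-Too-Big" "ICMPv6-Time-Exceeded" "ICMPv6-Parameter-Problem" "ICMPv6-Echo-Request"
    next
end

# IPv6 default route. Without ::/0 no policy is ever consulted for
# off-link destinations, which is the usual "IPv4 works, IPv6 doesn't" cause.
config router static6
    edit 1
        set dst ::/0
        set gateway 2001:db8:ffff::1
        set device "wan1"
    next
end

# Policy 1: LAN hosts may reach the Internet. NAT is left at its default
# (disabled), so hosts keep their global addresses end to end.
# Policy 2: only transit ICMPv6 error and echo messages may enter the LAN.
# Everything else arriving on wan1 is dropped by the implicit deny.
config firewall policy6
    edit 0
        set name "LAN-to-WAN-IPv6"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "LAN-v6"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 0
        set name "WAN-to-LAN-ICMPv6"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "LAN-v6"
        set action accept
        set schedule "always"
        set service "ICMPv6-Transit"
        set logtraffic all
    next
end
```

Echo Reply (type 129) is not in the inbound group on purpose: replies to pings sent from the LAN return through the session created by the outbound policy, so only inbound Echo Request needs its own entry. If you prefer to hide hosts from external ping, drop ICMPv6-Echo-Request from the group and keep the four error types; those are the ones whose loss breaks connectivity rather than merely reducing visibility. Logging is enabled on both policies so that the implicit-deny hits and the accepted ICMPv6 show up when you verify.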

Verify

From an IPv6-enabled client:

ping6 google.com           # or ping -6 on Windows and on recent Linux
curl -6 https://ifconfig.co

On FortiGate:

get system interface | grep "ip6"
diagnose ipv6 address list
diagnose ipv6 route list

Common Issues

  • IPv4 works, IPv6 doesn't, even with policies. Usually IPv6 routing is missing: the FortiGate needs an IPv6 default route (::/0 via the upstream gateway), and it must appear in the output of diagnose ipv6 route list. Without it, no policy is ever consulted for off-link destinations.
  • Implicit deny on IPv6. Exactly as for IPv4: if no IPv6 policy matches, the implicit deny drops the traffic. You need at least one ACCEPT policy for each interface pair and direction you intend to allow; with logging on the implicit deny you will see the drops in the forward traffic log.
  • Clients get IPv6 from RA but can't ping anything off-link. Router Advertisements come from the FortiGate interface and work without any policy; forwarding beyond the interface does not. Check for a matching IPv6 policy and for the default route.
  • NAT66 confusion. IPv6 was designed for end-to-end addressing without NAT. Use NAT66 only when you must hide internal IPv6 addressing (rare); otherwise leave NAT disabled and control inbound reachability with policy.
  • Address objects: separate IPv4/IPv6. An IPv4 address object cannot be referenced from an IPv6 policy (in the CLI they are config firewall address versus config firewall address6). Create dedicated IPv6 address objects; the predefined all exists for both families.