Archive for the ‘Fortinet’ Category

IPS Sensor for Fortigate with IPv6

Fortinet has quite an advanced IPv6 implementation. Unfortunately, in the current releases it is not possible to assign an IPS sensor to an IPv6 policy. The good news is that you can do it anyway, but you have to create an interface policy on the command line.

This is how it works:

config firewall interface-policy6
    edit 1
        set interface "port5"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set service6 "HTTP"
        set ips-sensor-status enable
        set ips-sensor "WEB-ips"
    next
end

This way the sensor is bound per interface rather than per policy. Much better than nothing, right?

Fortigate Management Interface in HA Mode

When you create a Fortigate HA cluster, you get an option “Reserve Management Port for Cluster Member” which you can activate. Once it is active you can select an interface for this option.

This is a nice feature.

This lets you assign an IP address to an interface that is not synchronized between the cluster members, so every machine gets its own IP address. This is very helpful if you run virtual clusters with different masters. It also lets you monitor the CPU and memory of a subordinate device.

Again, there is much more you can do on the command line than in the GUI:

First you activate the feature:

config system ha
     set ha-mgmt-status enable
     set ha-mgmt-interface wan2
     set ha-mgmt-interface-gateway 10.11.101.100
end

Then you assign an individual IP address to every node in the cluster:

On the first node:

config system interface
    edit wan2
        set ip 10.11.101.101/24
        set allowaccess https ping ssh snmp
    next
end

On the second node:

config system interface
    edit wan2
        set ip 10.11.101.102/24
        set allowaccess https ping ssh snmp
    next
end

That’s it. Now you can easily access every single machine in the cluster.

‘diagnose sys top’

Fortinet has some very good diagnostics on their firewalls. There is a whole branch of the command tree that starts with

diagnose (or, for short, diag)

One of the commands most often used is

diagnose sys top [refresh] [num of procs]

This command keeps running, like the ‘top’ command on Unix-like systems. As options you can specify the refresh time in seconds and the number of processes to be displayed.

The output on a Fortigate looks something like this:

Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
         cmdbsvr       20      S       0.0     4.3
          httpsd       90      S       0.0     4.2
          httpsd       40      S       0.0     3.6
           fgfmd       78      S       0.0     3.2
       scanunitd      639      S <     0.0     3.2
          newcli    22597      S       0.0     3.2

While the ‘Run Time’ line is quite obvious, the next line is rather cryptic.

The first part of that line, 0U, 2S, 97I, means:

U – Userspace CPU usage in %

S – system (kernel) CPU usage in %

I – CPU idle in %

The second part of this line informs about memory usage:

440T – you got a total of 440MB memory

124F – there are still 124MB free memory

138KF – the amount of shared memory pages used

The line ‘newcli 22601 R 1.1 3.2’ tells you:

newcli – the name of the process

22601 – the process ID

R – running; can also be S for sleeping

1.1 – using 1.1% CPU

3.2 – using 3.2% of the memory
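To turn a captured ‘diagnose sys top’ screen into something you can alert on (for example a process eating an unusual share of memory), the field layout described above can be parsed directly. The following Python is an added example, not part of the original post; the sample text is a subset of the output shown above, and the regexes assume the column order explained there (the extra ‘<’ flag on some lines is kept as an opaque marker, since the post does not explain it).

```python
import re
from dataclasses import dataclass

# Sample 'diagnose sys top' screen, copied from the output shown in the post.
SAMPLE = """Run Time:  1 days, 11 hours and 5 minutes
0U, 2S, 97I; 440T, 124F, 138KF
          newcli    22601      R       1.1     3.2
            sshd    22593      S       1.1     2.5
          ospf6d       42      S       0.1     0.5
       ipsengine      355      S <     0.0    29.8
          httpsd       81      S       0.0     4.3
"""

# Second line: U/S/I are CPU percentages, T/F/KF are memory figures in MB.
SUMMARY_RE = re.compile(
    r"(?P<user>\d+)U, (?P<system>\d+)S, (?P<idle>\d+)I; "
    r"(?P<total_mb>\d+)T, (?P<free_mb>\d+)F, (?P<kf>\d+)KF")
# Process lines: name, PID, state letter, optional '<' flag, CPU %, memory %.
PROC_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<state>[A-Z])(?P<flag>\s*<)?"
    r"\s+(?P<cpu>\d+\.\d+)\s+(?P<mem>\d+\.\d+)\s*$")

@dataclass
class Proc:
    name: str
    pid: int
    state: str
    cpu_pct: float
    mem_pct: float

def parse_sys_top(text):
    """Return (summary dict, list of Proc) for one 'diagnose sys top' screen."""
    summary, procs = {}, []
    for line in text.splitlines():
        if line.startswith("Run Time:"):
            summary["run_time"] = line.split(":", 1)[1].strip()
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary.update({k: int(v) for k, v in m.groupdict().items()})
            continue
        m = PROC_RE.match(line)
        if m:
            procs.append(Proc(m["name"], int(m["pid"]), m["state"],
                              float(m["cpu"]), float(m["mem"])))
    return summary, procs

def memory_hogs(procs, mem_pct_threshold):
    """Names of processes using more than mem_pct_threshold percent of memory."""
    return [p.name for p in procs if p.mem_pct > mem_pct_threshold]
```

Feeding the real screen from an SSH session into parse_sys_top() and tracking memory_hogs() over time gives a simple baseline for a unit's normal process footprint.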

IPv6 connection with Fortigate using xDSL

Unfortunately Fortigate still does not support PPPoE with IPv6. If you have a DSL connection it works with IPv4, but not with IPv6. The workaround is to connect with IPv4 over PPPoE and to request a tunnel, and later an IPv6 subnet, from a tunnel provider such as www.sixxs.net.

The configuration on the Fortigate for the sit-tunnel looks like this:

config system sit-tunnel
    edit "sixxs-tun"
        set destination 12.34.56.78
        set interface wan1
        set ip6 2001:dead:babe:c5::2/64
        set source 98.76.54.32
    next
end
config system interface
    edit "sixxs-tun"
        config ipv6
            set ip6-allowaccess ping
        end
    next
end
config router static6
    edit 1
        set device "sixxs-tun"
    next
end

The IP address 12.34.56.78 is the remote tunnel address of your POP.

The IP address 98.76.54.32 is the IP address of your external IPv4 interface.

The IPv6 address 2001:dead:babe:c5::2/64 is the one you got from your tunnel provider.

Now you can use the interface sixxs-tun as your IPv6 connection and gateway.

Fortigate command tree

If you want to know all possible commands from the command line of your Fortigate firewall, then log in using SSH and type the following command:

tree

Now you get the complete command tree with all options and all choices.