<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Firewall rules for IPv6 targets in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528435#M109112</link>
    <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18576"&gt;@Dereje&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thinking first, as always, of a possible and safe rollback to IPv4, I would consider the best option to be cloning the rules and adding the IPv6 sources and destinations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Having differentiated rules gives you better tracking and review in log monitoring, and lets you check the correct hits of these.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;</description>
    <pubDate>Wed, 25 Jan 2023 00:28:49 GMT</pubDate>
    <dc:creator>Metgatz</dc:creator>
    <dc:date>2023-01-25T00:28:49Z</dc:date>
    <item>
      <title>Firewall rules for IPv6 targets</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528355#M109101</link>
      <description>&lt;P&gt;We are trying to implement IPv6 in our network, and as part of this deployment all our network resources should run on dual-stack (IPv4 &amp;amp; IPv6). Address object types in our firewall policy rules have been written based on IP (IP Netmask and IP Range), not with FQDN.&lt;/P&gt;
&lt;P&gt;(Option 1) To make the same firewall policy rule be used for both IPv4 and IPv6 targets, we need to convert each address object into an FQDN, or (Option 2) we have to create a duplicate firewall policy rule with IPv6 targets (or add the corresponding IPv6 address object to each firewall rule). Which option do you think we need to go with?&lt;/P&gt;
&lt;P&gt;Thank you&lt;/P&gt;</description>
      <pubDate>Tue, 24 Jan 2023 15:19:08 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528355#M109101</guid>
      <dc:creator>Dereje</dc:creator>
      <dc:date>2023-01-24T15:19:08Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall rules for IPv6 targets</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528435#M109112</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18576"&gt;@Dereje&lt;/a&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thinking first, as always, of a possible and safe rollback to IPv4, I would consider the best option to be cloning the rules and adding the IPv6 sources and destinations.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Having differentiated rules gives you better tracking and review in log monitoring, and lets you check the correct hits of these.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Regards&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 00:28:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528435#M109112</guid>
      <dc:creator>Metgatz</dc:creator>
      <dc:date>2023-01-25T00:28:49Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall rules for IPv6 targets</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528529#M109127</link>
      <description>&lt;P&gt;I suggest a combination of both: using FQDNs while still having separate security policies for IPv4 and IPv6 to allow for better visibility in your logging.&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 12:41:43 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528529#M109127</guid>
      <dc:creator>kat3xx</dc:creator>
      <dc:date>2023-01-25T12:41:43Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall rules for IPv6 targets</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528633#M109144</link>
      <description>&lt;P&gt;Hello&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/18576"&gt;@Dereje&lt;/a&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;We are currently in a similar situation; however, our goal is to move to IPv6 native instead of dual stack. Although I do not think I can give you an answer on whether to go with option 1 or 2, I would like to share a few points.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;- For duplication of the rules: if you have any IPv4 rule with GEO location, you will not be able to have the exact equivalent, as currently there is no support for an IPv6 GEO database. There is a feature request for it:&amp;nbsp;#2865.&lt;/P&gt;
&lt;P&gt;- Watch out for User-ID mapping if your IPv4 rules are leveraging source user information and you duplicate this setting to the IPv6 rules. This part caused some delay with deployment in our case, as additional tuning, troubleshooting and testing was required.&lt;/P&gt;
&lt;P&gt;- During the migration process, we ended up duplicating existing IPv4 rules into IPv6; however, since the deployment of IPv6, apart from business reasons, presented a chance to re-design almost everything for IP addressing, routing design and policies, we aimed to duplicate only standardized policies through Panorama. All legacy local exceptions were not duplicated in an effort to declutter policies. After you enable dual stack end to end, your endpoints will in most cases prefer IPv6 over IPv4, so new IPv6 rules will likely get more hits. This might be a good chance to clean/tune up some of the policies.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Kind Regards&lt;/P&gt;
&lt;P&gt;Pavel&lt;/P&gt;</description>
      <pubDate>Wed, 25 Jan 2023 22:44:36 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528633#M109144</guid>
      <dc:creator>PavelK</dc:creator>
      <dc:date>2023-01-25T22:44:36Z</dc:date>
    </item>
    <item>
      <title>Re: Firewall rules for IPv6 targets</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528958#M109216</link>
      <description>&lt;P&gt;Thank you for the response and the shared idea. We have the same idea of cloning the rule and modifying it to be a v6-only rule, but with thousands of rules, cloning that many is a daunting task unless we come up with some form of automation.&lt;/P&gt;</description>
      <pubDate>Fri, 27 Jan 2023 21:24:39 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-ipv6-targets/m-p/528958#M109216</guid>
      <dc:creator>Dereje</dc:creator>
      <dc:date>2023-01-27T21:24:39Z</dc:date>
    </item>
  </channel>
</rss>

