topic IPV6 how to protect the hosts in General Topics https://live.paloaltonetworks.com/t5/general-topics/ipv6-how-to-protect-the-hosts/m-p/564590#M114244 <P>Hi everyone, I learn the palo alto firewalls as I configure them.</P> <P>&nbsp;</P> <P>I have a PA firewall with 3 vlans, with management allowed over main vlan.</P> <P>&nbsp;</P> <P>My ISP provided the Ipv6/48 block and I have manage to redistribute it over the networks it works great. However considering eveyr ipv6 address is routable and I naturally have no NAT means that the devices with 443 etc ports in theory can be reached over the internet. the the management of the firewall as well. I did edit the mgmt profile only allow my local ipv4 networks I guess it will protect the firewall however what about the other hosts like voip phones, plex etc</P> <P>&nbsp;</P> <P>is there are rule i can pur in place to build some generic protection like source is all - dest is all, all ports - block, I guess this is something Nat does by default (not that it's built for that )</P> <P>&nbsp;</P> <P>thank you</P> Tue, 07 Nov 2023 06:09:15 GMT nevolex 2023-11-07T06:09:15Z IPV6 how to protect the hosts https://live.paloaltonetworks.com/t5/general-topics/ipv6-how-to-protect-the-hosts/m-p/564590#M114244 <P>Hi everyone, I learn the palo alto firewalls as I configure them.</P> <P>&nbsp;</P> <P>I have a PA firewall with 3 vlans, with management allowed over main vlan.</P> <P>&nbsp;</P> <P>My ISP provided the Ipv6/48 block and I have manage to redistribute it over the networks it works great. However considering eveyr ipv6 address is routable and I naturally have no NAT means that the devices with 443 etc ports in theory can be reached over the internet. the the management of the firewall as well. I did edit the mgmt profile only allow my local ipv4 networks I guess it will protect the firewall however what about the other hosts like voip phones, plex etc</P> <P>&nbsp;</P> <P>is there are rule i can pur in place to build some generic protection like source is all - dest is all, all ports - block, I guess this is something Nat does by default (not that it's built for that )</P> <P>&nbsp;</P> <P>thank you</P> Tue, 07 Nov 2023 06:09:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ipv6-how-to-protect-the-hosts/m-p/564590#M114244 nevolex 2023-11-07T06:09:15Z Re: IPV6 how to protect the hosts https://live.paloaltonetworks.com/t5/general-topics/ipv6-how-to-protect-the-hosts/m-p/564821#M114274 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/280122">@nevolex</a>&nbsp;,</P> <P>&nbsp;</P> <P>If traffic is not specifically allowed or denied by a rule, it will get denied. By default, inter-zone traffic is denied and intra-zone traffic is allowed. If you've configured a wide open security policy before these default policies, I would recommend tightening up your security policies to allow specific source IPs.&nbsp; Here is a <A href="https://docs.paloaltonetworks.com/best-practices/security-policy-best-practices/security-policy-best-practices/deploy-security-policy-best-practices/security-policy-rule-best-practices#:~:text=When%20traffic%20matches%20a%20rule's,the%20traffic%20(implicit%20deny)." target="_self">Security Policy Rule Best Practices</A> doc that is very insightful.&nbsp;</P> Wed, 08 Nov 2023 15:22:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ipv6-how-to-protect-the-hosts/m-p/564821#M114274 JayGolf 2023-11-08T15:22:23Z