IPv6 Support on the Palo Alto Networks Firewall

Printer Friendly Page

This article is outdated, please refer to this article for up-to-date information:

IPv6 Support by Feature

 

 

IPv6 Feature Support

Current information for IPv6 support on the Palo Alto Networks firewall is available at the link below. For further information, a link to a white paper on IPv6 is available at the bottom of the page.

Secure IPv6 Environment - Palo Alto Networks

 

IPv6 Feature Support for PAN-OS 4.1 - 7.0

Feature

IPv6 Support

  PAN-OS 4.1 PAN-OS 5.0 PAN-OS 6.0 PAN-OS 6.1 PAN-OS 7.0
App-ID Yes Yes Yes Yes Yes
Content-ID Yes Yes Yes Yes Yes
User-ID No Yes Yes Yes Yes
DoS Rulebase Yes Yes Yes Yes Yes
Zone Protection Yes Yes Yes Yes Yes
SSL Decryption Yes Yes Yes Yes Yes
NAT No NAT64 NAT64 NAT64 NAT64
PBF Yes Yes Yes Yes Yes
QoS Yes Yes Yes Yes Yes
DHCPv6 Relay Yes Yes Yes Yes Yes
DHCPv6 Server No No No No No
DNS Proxy Yes Yes Yes Yes Yes
Dynamic Routing No No OSPFv3 OSPFv3 OSPFv3
SSL VPN No No No No No
IPSec VPN (IPv6 in IPv4 tunnel) No Yes Yes Yes Yes
IPSec VPN (IPv6 tunnel) No No No No Yes
Plaintext Tunneling (6to4, ISATAP, etc) No No No No No
NPTv6 No No No No Yes

 

IPv6 RFCs Support for PAN-OS 5.0

RFC Support (PAN-OS 5.0)
RFC 2460: Internet Protocol, Version 6 (IPv6) Specification  
RFC 5095: Deprecation of Type 0 Routing Headers in IPv6 Provide option to block packets with type 0 routing header in zone protection profile.
RFC 4443: Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification Ping from box with link-local address is not supported.
RFC 4861: Neighbor Discovery for IP version 6 (IPv6)  
RFC 4862: IPv6 Stateless Address Autoconfiguration  
RFC 1981: Path MTU Discovery for IP version 6  
RFC 4291: IP Version 6 Addressing Architecture  
RFC 4007: IPv6 Scoped Address Architecture  
RFC 2710: Multicast Listener Discovery (MLD) for IPv6 MLDv1 for ND support
RFC 2711: IPv6 Router Alert Option MLD only
RFC 2464: Transmission of IPv6 Packets over Ethernet Networks Dual stack only.

 

owner: panagent

Tags (8)
Comments

We should update for PAN-OS 6.0.x...

According to my review of the release notes, things we should include are:

** DNS sinkholes

** OSPFv3

From my reading of the release notes up to 6.0.1, those are the additions.  OSPFv3 is a pretty big addition.

Yes, i agree.

An update with IPv6 would be great!

Any news for PAN-OS 6.0?

Hi,

Do you have a support plan for RFC3810 - MLDv2?

Hi,

any plans to support

DHCPv6 Prefix Delegation


This page seems to be a bit outdated and doesn't list PAN-OS 6.1 features.

really needs an update !

hi all,

We will get this document updated.

Thanks,

Emma

I need an update as well.  Specifically looking for DHCPv6 server support.

Any plans on supporting IPv6 in SSLVPN?

 

I actually assumed (yes, my mistake) that GlobalProtect would support IPv6.

This is absurd.

 

 

It would be great if someone could update this page.

 

Thanks

 

GT

Can we get a PPPoE support update please... e.g. not supported.

Prefix delegation is indeed an important IPv6 feature not supported yet by Palo Alto (supported though by most competitors).

Without it I cannot use Ipv6 which my ISP supports natively.  I know there is a feature request. Hopefully this request gets the attention it needs. Thanks !

Why are link-local addresses not supported in the ping command, when they are visible in the neighbour table. This seems rather fundamental to me, especially when link-local addressing is often used in routing statements.

Are there plans to update this document? The table is useful and the link points to a 2015 document.

Is it supported  - IPv4 through IPv6 VPN tunnel?

 

Could you please update document with 8.0 release?

 

 

please refer to this article for latest compatibility matrix : https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/ipv6-support-by-feature

 

only ipv6 over ipv4 tunnel is currently supported