Palo Alto Networks provides information on how to configure GlobalProtect and IPv6. Our community experts dive into some challenges and solutions on how to resolve them with some tips and tricks. Find answers on LIVEcommunity.
Let's talk about configuring IPv6 with GlobalProtect!
With more ISPs starting to offer only IPv6 IP addresses, the need to have GlobalProtect work with IPv6 has become increasingly important. GlobalProtect gives you the ability to use IPv6 as a standard feature, and we'll show you how to make it happen.
ISPs are starting to issue only IPv6 addresses
Tunnels cannot be brought up if IPv6 is not supported on both the client and the VPN concentrator
In dual stack scenarios, only IPv4 tunnels can exist
IPv6 traffic cannot be tunneled, so it is not inspected by the gateway. It is routed through the IPv6 default gateway instead
Both remote users and LSVPN are affected
Implement support for IPv6 for the GlobalProtect portal, gateway, GlobalProtect client (agent), GlobalProtect app and satellite:
Tunnel endpoints are IPv6 capable
IPv6 user traffic can be routed through the tunnel
Basic Concepts for IPv4 and IPv6 and GlobalProtect
As shown above, SSL connections to the portal (from a single client) use either IPv4 or IPv6. The "outermost" header of the packets to and from the gateway is either IPv4 or IPv6. A single tunnel is brought up, using either IPv4 or IPv6 addresses as endpoints. Inside the tunnel, both IPv4 and IPv6 traffic can be encapsulated and associated with a tunnel. X interfaces need to have both IPv4 and IPv6 addresses.
Gateway IP address can be IPv4, IPv6, or both
IP pools can be IPv4, IPv6, or both
For GlobalProtect client, existence of IPv4 pool is mandatory regardless of whether IPv4 is tunneled
For satellite, there is no limitation
Include/exclude accept both IPv4 and IPv6 subnets
Access routes and route filters (satellite config) accept both IPv4 and IPv6 addresses
Portal setting can accept both IPv4 and IPv6 addresses
For GP client, IPv6 address needs to be enclosed in square brackets: [ ]
On satellite, tunnel interface needs to have IPv6 enabled for IPv6 traffic to be tunneled to the gateway
On satellite, IPv4 and IPv6 routes can be published
If the same portal/gateway may be accessed on both an IPv4 and an IPv6 address, then the certificate typically has the IPv4 address as CN (Subject) and the IPv6 address as an IP in the Subject Alternative Name
Best practice – Use FQDN to access the portal/gateway and have it as CN of the certificate
May also have IPv4 and/or IPv6 addresses in SubAltName
OCSP responder can be configured as IPv6 address
Tunnel Interface Changes
Tunnel interface configuration affects what (type of) traffic will be tunneled
IPv6 should be enabled in order for IPv6 traffic to be tunneled
NOTE: This feature requires a GlobalProtect Gateway license. No commit warning is issued if the feature is configured in the absence of a gateway license.
Follow the steps below for the minimal configuration needed for establishing an IPv6 GP connection and for tunneling IPv6 traffic:
Enable IPv6 on the interface used for GP gateway and configure an IP address. Network > Interfaces > Ethernet
Configure the gateway to use the IPv6 interface address (Network > GlobalProtect > Gateways). The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6.
Provide the gateway's IPv6 address in the portal configuration (Network > GlobalProtect > Portals). The IP Address Type (family) can be: IPv4 Only, IPv6 Only or IPv4 and IPv6.
Portal Configuration – External Gateways
To properly configure the external gateway information for the portal config, navigate to: Network > GlobalProtect > Portals > Portal profile > Agent tab > Agent config profile > External tab
Make sure that you add both IPv4 and IPv6 addresses.
NOTE: Gateway selection based on source location for IPv6 is NOT supported.
(Optional) Set the preference for IPv6 (if both IPv4 and IPv6 addresses are present)
Selecting the IPv6 Preferred checkbox determines which family is tried first when connecting to the gateway if both families are available.
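A pre-deployment check for the configuration described above, as an added example (not code from Palo Alto Networks): it enforces the bracket rule for IPv6 literals, flags an external gateway list that carries only one address family, and verifies that the certificate names every configured address. The addresses and hostname are constructed, the function names are hypothetical, and it assumes a match in either the CN or the SAN is accepted.

```python
import ipaddress

def parse_host(entry):
    """Classify an address as typed into the GlobalProtect client.

    Returns ("ipv4" | "ipv6" | "fqdn", value). IPv6 literals must be
    bracketed, as the article requires for the GP client.
    """
    text = entry.strip()
    if text.startswith("[") and text.endswith("]"):
        return "ipv6", ipaddress.IPv6Address(text[1:-1])
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "fqdn", text.rstrip(".").lower()
    if ip.version == 6:
        raise ValueError(f"IPv6 literal needs brackets: [{ip}]")
    return "ipv4", ip

def cert_covers(entry, cn, san_dns, san_ips):
    """True if the certificate names this address (CN or SAN).

    IP addresses are compared by value, so 2001:db8::10 matches
    2001:0db8:0:0:0:0:0:10. Assumption: a CN match is accepted.
    """
    kind, value = parse_host(entry)
    if kind == "fqdn":
        return value in {n.lower() for n in [cn, *san_dns]}
    ips = {ipaddress.ip_address(a) for a in san_ips}
    try:
        ips.add(ipaddress.ip_address(cn))
    except ValueError:
        pass  # CN is a hostname, not an IP address
    return value in ips

def audit_gateways(entries, cn, san_dns, san_ips):
    """Return findings for a list of external gateway addresses."""
    findings = []
    kinds = {parse_host(e)[0] for e in entries}
    # An FQDN can resolve to both families, so it is not flagged here.
    if "fqdn" not in kinds and not {"ipv4", "ipv6"} <= kinds:
        findings.append("only one address family configured")
    for e in entries:
        if not cert_covers(e, cn, san_dns, san_ips):
            findings.append(f"certificate does not cover {e}")
    return findings

# Constructed sample: IPv4 in CN, IPv6 (expanded form) in SAN.
CN, SAN_DNS, SAN_IPS = "192.0.2.10", [], ["2001:0db8:0:0:0:0:0:10"]
print(audit_gateways(["192.0.2.10", "[2001:db8::10]"], CN, SAN_DNS, SAN_IPS))
print(audit_gateways(["192.0.2.10", "gp.example.com"], CN, SAN_DNS, SAN_IPS))
```

With the constructed certificate, the first list passes cleanly and the second reports that the FQDN is not named by the certificate, which is the gap the FQDN-as-CN best practice closes.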