GlobalProtect and IPv6

Reply
Highlighted
L2 Linker

GlobalProtect and IPv6

So we're rolling out IPv6 to our network, one thought that just crossed my mind is what kind/if any support for IPv6 does GlobalProtect have?

 

An issue I see is when we start listed AAAA records for internal servers in DNS, external VPN users will get those responses and will try to access those directly (and be denied) unless I can route them over the tunnel.

 

I currently get an error adding a IPv6 range to the gateway config thought I can add an access route to the config for an IPv6 block but after some brief testing it doesn't make it to the client.

 

Any thoughts?


Accepted Solutions
Highlighted
L7 Applicator

Nope.

Slide from v7 201 training course material:

cpipv6.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

View solution in original post


All Replies
Highlighted
L7 Applicator

GlobalProtect does not support IPv6.

https://live.paloaltonetworks.com/t5/Learning-Articles/IPv6-Support-on-the-Palo-Alto-Networks-Firewa...

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
L2 Linker

Hmm, that's no good. I was hoping it fell under IPSec VPN but I guess that was optimistic.

Highlighted
L7 Applicator

Nope.

Slide from v7 201 training course material:

cpipv6.PNG

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

View solution in original post

Highlighted
L2 Linker

Hi Guys,

I wanted to continue to on this thread as it's somewhat related. 

 

We have PA-3020 running PAN-ON 6.1.10

We have encountered problems with our staff member who is unable to connect to our Global Protect portal.


Up on investigation we found that the ISP issues IPv6 address(!) 

When the individual goes to "whats my ip" in google, the IP address that shows up is a long IPv6 address and the ISP shows as "Google" 

 

However, when he goes to other website, http://www.whatsmyip.org/ that shows IPv4 

We had a look at our logs, and we can see connection attempts from IPv4 provided.
There is nothing out of ordinary, there are even packets exchanged.

However the user is unable to connect. 

 

We asked him to create an AP from his phone and connect this way and that worked.



Can somebody elaborate on the issues we are experiencing? 
If I were to go to the ISP what should I tell them ? So far, according to them everything works...

 

Any thoughts?

 

Thanks
Mariusz

Highlighted
L7 Applicator

User has router in between or is directly connected to ISP?

ISP gives out only IPv6 or IPv6 and IPv4 both?

Can user uncheck "IPv6 checkbox" under adapter settings and try then?

Palo has IPv6 enabled or not?

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Highlighted
L2 Linker

Well,

The ISP of the end user is UPC and the IPv6 is provided by the ISP to the ISP provided router.

test ipv6 results:

 

http://test-ipv6.com/?ip4=37.228.241.77&ip6=2a02:8084:2a60:2000:b02a:14aa:8800:3ca0&a=ok,3438&aaaa=o...

 

 

 

ISP gives out only IPv6 or IPv6 and IPv4 both?

Both I guess.

 

Can user uncheck "IPv6 checkbox" under adapter settings and try then?

Same result, 

 

IPv6 is disabled on PA, we haven't enabled it. 

What IP address would i give it to the interface?  I'd say I'd have to obtain one from ISP before I could enable it on the PA right ? 

Highlighted
L7 Applicator

I have UPC at home but it does not give out IPv6.

Will chec with them if they can enable it so I could test.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI
Highlighted
L2 Linker

How is this solved? Solution is showing that Global Protect VPN doesn't support IPv6. Is that it?

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!