03-06-2012 03:33 AM
Is there an issue with doing this - I have a rule set to match any address except one particular IPv4 subnet (i.e. using the negate function) - works fine.
I added an IPv6 prefix to the rule (still negated) - now the rule negatively matches the v6 address, but no longer the v4 address. Remove the v6 address from the rule and the v4 address negatively matches again.
I'm therefore assuming I have to keep v4 and v6 rules separate, but I can't find this documented anywhere....
PAN-OS 4.1.3
Liam.
03-09-2012 03:59 AM
I guess this shows the level of interest in v6.
I've played around with it a bit more and it appears you can mix v4 and v6 addresses in a security rule, but not if you are doing negative matching, in which case the v4 address gets ignored. Is this a bug, known behaviour, anyone?
03-09-2012 03:28 PM
Sounds like you should file this as a bug through your sales rep.
I think it's still somewhat uncommon with IPv6, and those who did the switch use IPv6 instead of IPv4 (no dualstacking), so they won't stumble into the bug you just found.
There are also methods to use 4to6 and 6to4 if you use devices such as BIG-IP from F5 (among others), so this will also avoid dualstacking on the servers (with 4to6/6to4 your servers can still be IPv4 native and the load balancer will take care of the transition).
09-06-2012 03:20 PM
Please open a Support case so that we can file a bug. This is not an expected behavior.
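An added example, not part of the thread and not Palo Alto Networks tooling: a small audit that flags rules negating an address list that mixes IPv4 and IPv6, and lists the source addresses to test against the device with the result the rule is meant to give. The rule layout, rule names and all addresses are constructed for illustration (documentation ranges), not a PAN-OS export format.

```python
import ipaddress

# Constructed sample rules. The dict layout is hypothetical, not a PAN-OS export format.
RULES = [
    {"name": "v4-negated", "negate": True, "source": ["192.0.2.0/24"]},
    {"name": "dual-negated", "negate": True,
     "source": ["192.0.2.0/24", "2001:db8:1::/48"]},
    {"name": "dual-plain", "negate": False,
     "source": ["192.0.2.0/24", "2001:db8:1::/48"]},
]

def networks(rule):
    return [ipaddress.ip_network(entry, strict=False) for entry in rule["source"]]

def mixed_negated(rules):
    """Names of rules that negate a list holding both IPv4 and IPv6 entries."""
    return [r["name"] for r in rules
            if r["negate"] and {n.version for n in networks(r)} == {4, 6}]

def intended_match(rule, addr):
    """Intended semantics: a negated rule matches only addresses outside every entry."""
    ip = ipaddress.ip_address(addr)
    inside = any(ip.version == n.version and ip in n for n in networks(rule))
    return not inside if rule["negate"] else inside

def probe_plan(rule):
    """One address inside each entry plus one outside per family,
    paired with the result the rule should give."""
    probes = [str(n[1]) for n in networks(rule)]
    probes += ["198.51.100.1", "2001:db8:ffff::1"]  # constructed, outside the sample entries
    return [(p, intended_match(rule, p)) for p in probes]

if __name__ == "__main__":
    by_name = {r["name"]: r for r in RULES}
    for name in mixed_negated(RULES):
        print(f"{name}: negated list mixes IPv4 and IPv6, verify on the device")
        for addr, expect in probe_plan(by_name[name]):
            print(f"  source {addr:<18} should {'match' if expect else 'NOT match'}")
```

In the behaviour reported in this thread the IPv4 entry of such a rule was ignored, so the probe inside the excluded IPv4 subnet is the one to watch.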