IPv6 and IPv4 addresses in same security rule?


L2 Linker

Is there an issue with doing this - I have a rule set to match any address except one particular IPv4 subnet (i.e. using the negate function) - works fine.

I added an IPv6 prefix to the rule (still negated) - now the rule negatively matches the v6 address, but no longer the v4 address.  Remove the v6 address from the rule and the v4 address negatively matches again.

I'm therefore assuming I have to keep v4 and v6 rules separate, but I can't find this documented anywhere....

PAN-OS 4.1.3

Liam.

5 REPLIES

L2 Linker

I guess this shows the level of interest in v6.

I've played around with it a bit more and it appears you can mix v4 and v6 addresses in a security rule, but not if you are doing negative matching, in which case the v4 address gets ignored.  Is this a bug, known behaviour, anyone?

Sounds like you should file this as a bug through your sales rep.

I think it's still somewhat uncommon with IPv6, and those who did the switch use IPv6 instead of IPv4 (no dual-stacking), so they won't stumble into the bug you just found.

There are also methods to use 4to6 and 6to4 if you use devices such as BIG-IP from F5 (among others), so this will also avoid dual-stacking on the servers (with 4to6/6to4 your servers can still be IPv4 native and the load balancer will take care of the transition).

L5 Sessionator

Please open a Support case so that we can file a bug. This is not an expected behavior.

L6 Presenter

Hi,

This is a known issue and our team is actively working on the fix for this.

Thanks,

Sandeep T

L2 Linker

Good Day,

Please can you let me know if this has been resolved in PANOS 9.1.11-h3?

Lance
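For anyone re-testing this after an upgrade, the sketch below is an added example (not from any poster or from Palo Alto Networks) that models the intended negated-match semantics next to the behaviour reported in this thread, and picks out the probe addresses whose verdict differs between the two. The function names, the prefixes and the probe list are constructed for illustration, and `negated_match_reported` is only a model of what the posts describe, not PAN-OS code.

```python
import ipaddress

def _in_list(addr, nets):
    """True if addr falls inside any network of the same address family."""
    ip = ipaddress.ip_address(addr)
    return any(ip.version == n.version and ip in n for n in nets)

def negated_match_expected(addr, entries):
    """Intended semantics: a negated list matches every address NOT in it,
    regardless of whether the list mixes IPv4 and IPv6 entries."""
    nets = [ipaddress.ip_network(e) for e in entries]
    return not _in_list(addr, nets)

def negated_match_reported(addr, entries):
    """Model of the reported behaviour: once an IPv6 entry is present in a
    negated list, the IPv4 entries are ignored."""
    nets = [ipaddress.ip_network(e) for e in entries]
    if any(n.version == 6 for n in nets):
        nets = [n for n in nets if n.version == 6]
    return not _in_list(addr, nets)

def discriminating_probes(entries, probes):
    """Probes whose verdict differs between the two models. These are the
    source addresses worth sending through the device to see which
    behaviour it actually has."""
    return [p for p in probes
            if negated_match_expected(p, entries)
            != negated_match_reported(p, entries)]

# Constructed sample data: a negated list with one IPv4 subnet and one
# IPv6 prefix, plus probes inside and outside each entry.
NEGATED = ["10.1.0.0/16", "2001:db8:1::/48"]
PROBES = ["10.1.2.3", "192.0.2.10", "2001:db8:1::5", "2001:db8:2::5"]

if __name__ == "__main__":
    for p in PROBES:
        print(f"{p:16} expected={negated_match_expected(p, NEGATED)!s:5} "
              f"reported={negated_match_reported(p, NEGATED)}")
    print("test these on the device:", discriminating_probes(NEGATED, PROBES))
```

Only the address inside the excluded IPv4 subnet separates the two models, so a rule that still matches traffic from that subnet shows the reported behaviour.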
