IPV6 how to protect the hosts

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPV6 how to protect the hosts

L3 Networker

Hi everyone, I learn the palo alto firewalls as I configure them.

 

I have a PA firewall with 3 vlans, with management allowed over main vlan.

 

My ISP provided the Ipv6/48 block and I have manage to redistribute it over the networks it works great. However considering eveyr ipv6 address is routable and I naturally have no NAT means that the devices with 443 etc ports in theory can be reached over the internet. the the management of the firewall as well. I did edit the mgmt profile only allow my local ipv4 networks I guess it will protect the firewall however what about the other hosts like voip phones, plex etc

 

is there are rule i can pur in place to build some generic protection like source is all - dest is all, all ports - block, I guess this is something Nat does by default (not that it's built for that )

 

thank you

1 accepted solution

Accepted Solutions

Community Team Member

Hi @nevolex ,

 

If traffic is not specifically allowed or denied by a rule, it will get denied. By default, inter-zone traffic is denied and intra-zone traffic is allowed. If you've configured a wide open security policy before these default policies, I would recommend tightening up your security policies to allow specific source IPs.  Here is a Security Policy Rule Best Practices doc that is very insightful. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

1 REPLY 1

Community Team Member

Hi @nevolex ,

 

If traffic is not specifically allowed or denied by a rule, it will get denied. By default, inter-zone traffic is denied and intra-zone traffic is allowed. If you've configured a wide open security policy before these default policies, I would recommend tightening up your security policies to allow specific source IPs.  Here is a Security Policy Rule Best Practices doc that is very insightful. 

LIVEcommunity team member
Stay Secure,
Jay
Don't forget to Like items if a post is helpful to you!

Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
  • 1 accepted solution
  • 899 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!