GlobalProtect and IPv6

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

GlobalProtect and IPv6

L2 Linker

So we're rolling out IPv6 to our network, one thought that just crossed my mind is what kind/if any support for IPv6 does GlobalProtect have?

 

An issue I see is when we start listed AAAA records for internal servers in DNS, external VPN users will get those responses and will try to access those directly (and be denied) unless I can route them over the tunnel.

 

I currently get an error adding a IPv6 range to the gateway config thought I can add an access route to the config for an IPv6 block but after some brief testing it doesn't make it to the client.

 

Any thoughts?

1 accepted solution

Accepted Solutions

Nope.

Slide from v7 201 training course material:

cpipv6.PNG

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

View solution in original post

9 REPLIES 9

Cyber Elite
Cyber Elite

GlobalProtect does not support IPv6.

https://live.paloaltonetworks.com/t5/Learning-Articles/IPv6-Support-on-the-Palo-Alto-Networks-Firewa...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hmm, that's no good. I was hoping it fell under IPSec VPN but I guess that was optimistic.

Nope.

Slide from v7 201 training course material:

cpipv6.PNG

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Hi Guys,

I wanted to continue to on this thread as it's somewhat related. 

 

We have PA-3020 running PAN-ON 6.1.10

We have encountered problems with our staff member who is unable to connect to our Global Protect portal.


Up on investigation we found that the ISP issues IPv6 address(!) 

When the individual goes to "whats my ip" in google, the IP address that shows up is a long IPv6 address and the ISP shows as "Google" 

 

However, when he goes to other website, http://www.whatsmyip.org/ that shows IPv4 

We had a look at our logs, and we can see connection attempts from IPv4 provided.
There is nothing out of ordinary, there are even packets exchanged.

However the user is unable to connect. 

 

We asked him to create an AP from his phone and connect this way and that worked.



Can somebody elaborate on the issues we are experiencing? 
If I were to go to the ISP what should I tell them ? So far, according to them everything works...

 

Any thoughts?

 

Thanks
Mariusz

User has router in between or is directly connected to ISP?

ISP gives out only IPv6 or IPv6 and IPv4 both?

Can user uncheck "IPv6 checkbox" under adapter settings and try then?

Palo has IPv6 enabled or not?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Well,

The ISP of the end user is UPC and the IPv6 is provided by the ISP to the ISP provided router.

test ipv6 results:

 

http://test-ipv6.com/?ip4=37.228.241.77&ip6=2a02:8084:2a60:2000:b02a:14aa:8800:3ca0&a=ok,3438&aaaa=o...

 

 

 

ISP gives out only IPv6 or IPv6 and IPv4 both?

Both I guess.

 

Can user uncheck "IPv6 checkbox" under adapter settings and try then?

Same result, 

 

IPv6 is disabled on PA, we haven't enabled it. 

What IP address would i give it to the interface?  I'd say I'd have to obtain one from ISP before I could enable it on the PA right ? 

I have UPC at home but it does not give out IPv6.

Will chec with them if they can enable it so I could test.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

How is this solved? Solution is showing that Global Protect VPN doesn't support IPv6. Is that it?

The thread started in 2016.
You may want to check out this page now:
Configure GlobalProtect and IPv6 | Palo Alto Networks

  • 1 accepted solution
  • 15150 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!