IPV6 how to protect the hosts


L3 Networker

Hi everyone, I am learning the Palo Alto firewalls as I configure them.

I have a PA firewall with 3 VLANs, with management allowed over the main VLAN.

My ISP provided an IPv6 /48 block and I have managed to redistribute it over the networks; it works great. However, considering every IPv6 address is routable and I naturally have no NAT, the devices with ports such as 443 can in theory be reached over the internet, and the management of the firewall as well. I did edit the mgmt profile to only allow my local IPv4 networks, which I guess will protect the firewall, but what about the other hosts like VoIP phones, Plex, etc.?

Is there a rule I can put in place to build some generic protection, like source is all, dest is all, all ports, block? I guess this is something NAT does by default (not that it's built for that).

Thank you

Accepted Solutions

Community Team Member

Hi @nevolex,

If traffic is not specifically allowed or denied by a rule, it will get denied. By default, inter-zone traffic is denied and intra-zone traffic is allowed. If you've configured a wide open security policy before these default policies, I would recommend tightening up your security policies to allow specific source IPs. Here is a Security Policy Rule Best Practices doc that is very insightful.

LIVEcommunity team member
Stay Secure,
Jay
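
The rule evaluation described in the answer above, as an added example that is not part of the original thread and is not PAN-OS code: a small Python model of first-match policy lookup for new sessions, falling through to the intrazone-default and interzone-default rules. The zone names, the `lan-out`, `allow-all` and `plex-in` rules and every address are constructed assumptions, and the model matches only on zone, address and port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:
    name: str
    from_zone: str          # "any" matches every zone
    to_zone: str
    source: str             # IPv6 prefix; "::/0" matches any source
    dest: str
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"

def evaluate(rules, from_zone, to_zone, src, dst, port):
    """Verdict for a NEW session: first matching rule wins, else the defaults."""
    for r in rules:
        if (r.from_zone in ("any", from_zone) and r.to_zone in ("any", to_zone)
                and ip_address(src) in ip_network(r.source)
                and ip_address(dst) in ip_network(r.dest)
                and r.port in (None, port)):
            return r.action, r.name
    # Nothing matched: the built-in defaults described in the answer apply.
    if from_zone == to_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"

# Constructed addressing (documentation prefix 2001:db8::/32), not from the post.
LAN = "2001:db8:1:10::/64"
PLEX = "2001:db8:1:10::50"
REMOTE_ADMIN = "2001:db8:f00d::7"     # the one outside host allowed in
STRANGER = "2001:db8:beef::1"

OUTBOUND_ONLY = [Rule("lan-out", "trust", "untrust", LAN, "::/0", None, "allow")]
WIDE_OPEN = [Rule("allow-all", "any", "any", "::/0", "::/0", None, "allow")] + OUTBOUND_ONLY
SCOPED = OUTBOUND_ONLY + [
    Rule("plex-in", "untrust", "trust", REMOTE_ADMIN + "/128", PLEX + "/128", 443, "allow")]

if __name__ == "__main__":
    for label, rules in (("outbound-only", OUTBOUND_ONLY),
                         ("wide-open", WIDE_OPEN), ("scoped", SCOPED)):
        for src in (STRANGER, REMOTE_ADMIN):
            verdict = evaluate(rules, "untrust", "trust", src, PLEX, 443)
            print(f"{label:14} {src:18} -> Plex:443  {verdict}")
```

With only the outbound rule, unsolicited inbound IPv6 to the Plex host falls through to interzone-default and is denied without NAT; the wide-open rule placed first is what exposes it.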
