IPv6 is support is available on the following devices.
- N-Platform (660N, 1400N, 2500N, 5100N, 6100N)
- NX-Platform (2600NX, 5200NX, 6200NX, 7100NX, 7500NX)
- Security Management System (SMS)
- S-Series (S10, S110, S330)
- TPS (440T, 2200T, vTPS)
IPv6 is an Internet protocol that uses 128-bit addresses, which increases the number of possible addresses (over IPv4) and adds increased security. Expressed in a series of four-digit hexadecimal numbers that are separated by colon (:) notation, IPv6 addresses allow the Internet to grow in terms of connected hosts and data traffic.
The IPS devices support IPv4 and IPv6 packet inspection. As most of the Digital Vaccine (DV) filters are application layer filters, they will work irrespective of the IP type as well as all the combinations of tunneling (4in6, 6in4, 6in6, GRE, mobile IP, etc.). In addition, there are a small set of L3 filters, which are IPv4/IPv6 specific.
You can manage the IPS device via IPv4 and IPv6. Normally the IPv6 management option is setup during the Out of the Box Experience (OBE). However, if IPv6 was not enabled during OBE, it can be enabled after the fact from the Command Line Interface (CLI) by running the “setup host” CLI command.
If you are editing the Network Management configuration and want to disable IPv4, use IPv6 to manage the network BEFORE you disable IPv4. If you are editing the Network Management configuration and want to disable IPv6, use IPv4 to manage the network BEFORE you disable IPv6.
When an SMS Client is connected to the SMS server using IPv6 protocol, and the IPv6 traffic is being tunneled through IPv4 hardware, the SMS audit logs, system logs, and active session’s table will show 0.0.0.0 as the client's IP Address.
Threat Management Center (TMC) Access:
The TMC service does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.
Traffic Management Filters: TCPv6 and UDPv6 protocols:
The source and destination ports cannot be set for traffic management filters using TCPv6 and UDPv6 protocols. Use TCP and UDP instead. They will accept IPv6 addresses.
SMS High Availability:
SMS High Availability (HA) is not supported with IPv6. If the SMS is IPv6 only, the HA configuration button will display an error when selected.
SMS Backup and Restore:
Some of the supported storage access protocols allow IPv6 addressing. When you specify a backup location in the SMS backup wizard with an IPv6 address, adhere to the following syntax requirements:
- Network File System (NFS) Protocol - Does NOT support IPv6
- Server Message Block (SMB) Protocol - IPv6 address MUST be surrounded by brackets
- Secure File Transfer Protocol (sFTP) - IPv6 address with or without brackets
- Secure Copy Protocol (SCP) - IPv6 address with or without brackets
Certificate exceptions cannot be added when managing an IPv6 device on an IPv6 network with Firefox 4 or later. To add a certificate exception in an IPv6 environment, use a different browser or the CLI. If your browser receives 404 Page Not Found errors or displays blank LSM frames, the cookies on the computer might be out of sync. To resolve these issues, clear the cache, delete the cookies, and restart the browser.
Edit individual filter settings
Entering an IPv4-mapped address in IPv6 notation will only match addresses that actually appear in IPv6 packets on the wire. They will not match IPv4 packets. Similarly, a range entered in IPv4 notation will only match IPv4 packets, and not IPv6 packets that contain the equivalent IPv4- mapped addresses. To match both notations, use both. In fields where any is allowed, you can enter any4 to match IPv4 packets, any6 to match IPv6 packets, and any to match both IPv4 and IPv6 packets.
When using wildcards to create an IPv6 address exception, use a wildcard character to represent each field. For example:
- Valid: a:b:c:d:e:f:*:*
- Invalid: a:b:c:d:e:*
The VMware deployment screen supports setting up only an IPv4 IP address. If you want to set up an IPv6 address, you must first install the vTPS with IPv4 using the OBE interface on the console. Configure an IPv6 address after the device is booted.
SSL Inspection (TPS 2200T Only)
The 2200T inspects inbound IPv4 traffic, including HTTP and HTTPS traffic. When inspecting encrypted SSL traffic, the TPS does not support:
- IPv6 traffic, including IPv4 over IPv6 tunneling.
- Outbound IPv4 traffic and IPv6 traffic.