TippingPoint Next Generation Firewall (NGFW) Devices and IPv6

    • Updated: 3 Aug 2016
    • Product/Version: TippingPoint NGFW All
Summary
This article discusses the IPv6 protocol as it relates to the Trend Micro TippingPoint Next Generation Firewall devices.
Details

The NGFW devices comprise the S1050F, S3010F, S3020F, S8005F and S8010F devices. All these devices support both management through, and security inspection of, IPv6 and IPv4 traffic.

Topics include the following:

  •  IPv6 Overview
  •  Network Interfaces
  •  Dynamic Routing
  •  IP Address Network Objects
  •  Transparent Deployment
  •  Firewall Rules
  •  Application Detection
  •  NGFW Management Port
  •  IPS Inspection
  •  Reputation Service
  •  SMS High Availability
  •  Threat Management Center (TMC) Access

IPv6 Overview

IPv6 is an Internet protocol that uses 128-bit addresses, which increases the number of possible addresses over IPv4 and adds increased security. IPv6 addresses are written as a series of four-digit hexadecimal groups separated by colons (:), and the larger address space allows the Internet to grow in terms of connected hosts and data traffic.

Network Interfaces

NGFW interfaces can be multi-homed with one or more IPv4 and IPv6 addresses. A physical port (which is an Ethernet interface) maps to a member of a segment, bridge or routed setup. NGFW interfaces also support automatic IP allocation schemes.

NGFW may use DHCP or DHCPv6 to automatically obtain IP address and network information from a DHCP or DHCPv6 server. NGFW also fully supports stateless IPv6 auto-configuration, acting as a client or router. When acting as a client, the device will listen to advertised IPv6 prefixes and build its own address. When configured as a router, the device will advertise prefixes on its interfaces. The NGFW device supports DHCPv6 IPv6 prefix delegation to allow centralized management of prefixes.

Supporting Neighbor Discovery Protocol (NDP) allows for automatic address resolution on an interface. Static entries can be added to the NDP table for static address resolution, similar to static ARP entries. NDP cache entries can be flushed.

Dynamic Routing

The NGFW Appliance supports both IPv4 and IPv6 multicast routing with designated router priority.

NGFW supports the following dynamic routing protocols:

  •  Static routes (IPv4 and IPv6)
  •  RIPv2/v2 (IPv4) and RIPng (IPv6)
  •  OSPFv2 (IPv4) and OSPFv3 (IPv6)
  •  BGPv4
  •  PIM-SSM
  •  PIM-SM

IP Address Network Objects

IP Address groups are device-wide re-usable objects, used in multiple places including firewall rules.

There are a number of built-in IP address groups, which can include both IPv4 and IPv6 addresses:

  •  Single addresses (1.2.3.4 or 2001::34)
  •  Address ranges (1.2.3.4 – 1.2.3.100 or 2001::123:34 – 2001::123:50)
  •  Subnets (10.1.2.0/24 or 2001:0:123::0/64)
  •  Other IP address network objects
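
The entry forms listed above can be checked offline before a group is used in a rule. The following is an added example, not Trend Micro code and not the NGFW's own parser: it reads the single-address, range and subnet forms for both families, tests membership, and reports which IP versions a group covers. The function names are hypothetical, accepting a plain hyphen as a range separator is an assumption, and nested network objects are not modelled.

```python
import ipaddress
import re

# The article writes ranges with an en dash; a plain hyphen is accepted too
# (assumption). Neither character occurs inside an IPv4 or IPv6 address.
RANGE_SEP = re.compile(r"\s*[–-]\s*")


def parse_entry(text):
    """Return (kind, first, last) for one address-group entry."""
    text = text.strip()
    parts = RANGE_SEP.split(text)
    if len(parts) == 2:
        first, last = (ipaddress.ip_address(p) for p in parts)
        if first.version != last.version:
            raise ValueError(f"range mixes IPv4 and IPv6: {text!r}")
        if first > last:
            raise ValueError(f"range start is above its end: {text!r}")
        return "range", first, last
    if "/" in text:
        # strict=True rejects a prefix written with host bits set.
        net = ipaddress.ip_network(text, strict=True)
        return "subnet", net.network_address, net.broadcast_address
    addr = ipaddress.ip_address(text)
    return "single", addr, addr


def group_contains(entries, candidate):
    """True if candidate falls inside any entry of the same address family."""
    addr = ipaddress.ip_address(candidate)
    for entry in entries:
        _, first, last = parse_entry(entry)
        if first.version == addr.version and first <= addr <= last:
            return True
    return False


def families(entries):
    """Set of IP versions (4, 6) present in the group. An IPv6 address can
    never match a group that holds only IPv4 entries, and vice versa."""
    return {parse_entry(e)[1].version for e in entries}


# The example entries from the article, used as sample input.
ARTICLE_GROUP = ["1.2.3.4", "2001::34", "1.2.3.4 – 1.2.3.100",
                 "2001::123:34 – 2001::123:50", "10.1.2.0/24",
                 "2001:0:123::0/64"]
```

A group whose `families()` result is `{4}` on a dual-stack network is worth reviewing, because the IPv6 addresses of the same hosts fall outside it.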

Transparent Deployments

Transparent deployment modes such as Layer 2 Bridge, or Segment, can all pass and inspect IPv6 traffic.

Firewall Rules

NGFW firewall rules can contain IPv6 addresses, subnets, ranges and CIDRs.

Application Detection

Application detection and policy works on both IPv4 and IPv6 traffic. In most cases the IP transport layer is not involved in determining the application.

IPS Inspection

NGFW devices support both IPv4 and IPv6 deep packet inspection. As most of the Digital Vaccine (DV) filters are application layer filters, they will work irrespective of the IP type as well as all the combinations of tunneling (4in6, 6in4, 6in6, GRE, mobile IP, etc.). In addition, there is a small set of L3 filters that are IPv4/IPv6 specific.
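
To make the tunneling combinations concrete, the following added example (not TippingPoint code, and not a description of how the DV engine is implemented) labels a raw IP packet as 4in6, 6in4, 6in6 or GRE from its outer header, which is the step an inspector needs before application-layer filters can see the inner packet. The function names and the sample packet are constructed for illustration; IPv6 extension headers, GRE optional fields and mobile IP are not handled.

```python
import struct

# IANA protocol numbers for the encapsulations named in the article.
IPIP, IPV6_ENCAP, GRE = 4, 41, 47
GRE_INNER = {0x0800: 4, 0x86DD: 6}  # GRE protocol type -> inner IP version


def ip_header(buf):
    """Return (version, next_protocol, payload) for an IPv4 or IPv6 packet."""
    if not buf:
        raise ValueError("empty packet")
    version = buf[0] >> 4
    if version == 4:
        ihl = (buf[0] & 0x0F) * 4
        if ihl < 20 or len(buf) < ihl:
            raise ValueError("truncated IPv4 header")
        return 4, buf[9], buf[ihl:]
    if version == 6:
        if len(buf) < 40:
            raise ValueError("truncated IPv6 header")
        return 6, buf[6], buf[40:]  # extension headers are not walked
    raise ValueError(f"not an IP packet (version {version})")


def classify_tunnel(packet):
    """Return '6in4', '4in6', '6in6', '4in4', a GRE label, or None."""
    outer, proto, payload = ip_header(packet)
    if proto in (IPIP, IPV6_ENCAP):
        inner = ip_header(payload)[0]
        return f"{inner}in{outer}"
    if proto == GRE:
        # Bytes 2-3 of the GRE header carry the inner protocol type.
        inner = GRE_INNER.get(int.from_bytes(payload[2:4], "big"))
        return f"GRE/IPv{inner} over IPv{outer}" if inner else "GRE/other"
    return None


def v4(proto):
    """Constructed IPv4 header for the sample; checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))


def v6(next_header):
    """Constructed IPv6 header for the sample; addresses left as zeros."""
    return struct.pack("!IHBB", 6 << 28, 0, next_header, 64) + bytes(32)


SAMPLE_6IN4 = v4(IPV6_ENCAP) + v6(6)  # inner next header 6 = TCP
```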

Reputation Feed (RepFeed)

The RepFeed service contains support and content for both IPv4 and IPv6 entries. Policy can be developed for IPv4 or IPv6 addresses.

Management Access, Web and CLI

All NGFW devices are capable of being managed via IPv4 and IPv6, even at the same time, through the dedicated management port, or through in-band management through the network inspection ports. Both IPv4 and IPv6 addresses can be used for management access.

If you are editing the Network Management configuration and want to disable IPv4, use IPv6 to manage the network BEFORE you disable IPv4. If you are editing the Network Management configuration and want to disable IPv6, use IPv4 to manage the network BEFORE you disable IPv6.

The embedded web interface and CLI fully support IPv4 and IPv6 syntax. Some commands on the CLI are specific to IPv4 or IPv6 features and operate accordingly. Diagnostic tools such as Ping and Traceroute can operate against IPv4 or IPv6 addresses. The IPv6 route table can be inspected in the same way as the IPv4 route table.

Logging and Reporting

All log entries containing IP addresses support both IPv4 and IPv6 addresses.

SMS High Availability

The SMS High Availability feature (two SMS devices operating as an HA pair) is not supported with IPv6. If the SMS is IPv6 only, the HA configuration button will display an error when selected.

The NGFW device and SMS reports cover both IPv4 and IPv6 traffic. Traffic profiles show all traffic together regardless of the IP protocol used.

Authentication

Access to network services such as LDAP and RADIUS may be made through IPv6 addresses.

Captive portal user authentication can also support IPv6.

Threat Management Center (TMC) Access

The TMC service for DV distribution does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.

Category: Configure; Troubleshoot; Deploy
Solution Id: TP000085775