The NGFW devices comprise the S1050F, S3010F, S3020F, S8005F and S8010F devices. All these devices support both management through, and security inspection of, IPv6 and IPv4 traffic.
Topics include the following:
- IPv6 Overview
- Network Interfaces
- Dynamic Routing
- IP Address Network Objects
- Transparent Deployment
- Firewall Rules
- Application Detection
- NGFW Management Port
- IPS Inspection
- Reputation Service
- SMS High Availability
- Threat Management Center (TMC) Access
IPv6 is an Internet protocol that uses 128-bit addresses, which increases the number of possible addresses (over IPv4) and improves security. IPv6 addresses are written as a series of four-digit hexadecimal numbers separated by colons (:) and allow the Internet to grow in terms of connected hosts and data traffic.
NGFW interfaces can be multi-homed with one or more IPv4 and IPv6 addresses. A physical port (which is an Ethernet interface) maps to a member of a segment, bridge or routed setup. NGFW interfaces also support automatic IP allocation schemes.
NGFW may use DHCP or DHCPv6 to automatically obtain IP address and network information from a DHCP or DHCPv6 server. NGFW also fully supports stateless IPv6 auto-configuration, acting as a client or router. When acting as a client, the device will listen to advertised IPv6 prefixes and build its own address. When configured as a router, the device will advertise prefixes on its interfaces. The NGFW device supports DHCPv6 IPv6 prefix delegation to allow centralized management of prefixes.
Supporting Neighbor Discovery Protocol (NDP) allows for automatic address resolution on an interface. Static entries can be added to the NDP table for static address resolution, similar to static ARP entries. NDP cache entries can be flushed.
The NGFW Appliance supports both IPv4 and IPv6 multicast routing with designated router priority.
NGFW supports the following dynamic routing protocols:
IP Address Network Objects
IP Address groups are device-wide re-usable objects, used in multiple places including firewall rules.
There are a number of built-in IP address groups, which can include both IPv4 and IPv6 addresses:
- Single addresses (18.104.22.168 or 2001::34)
- Address ranges (22.214.171.124 – 126.96.36.199 or 2001::123:34 – 2001::123:50)
- Subnets (10.1.2.0/24 or 2001:0:123::0/64)
- Other IP address network objects
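The following added example (not vendor code) sketches how an address group holding the four entry kinds listed above can be evaluated for both IP versions, including nested groups and ranges compared numerically rather than as text. The group names, the `@name` reference syntax and the 192.0.2.x sample addresses are assumptions made for illustration.

```python
import ipaddress

def parse_entry(text):
    """Parse one entry: a single address, a 'start - end' range, or a CIDR subnet."""
    text = text.replace("\u2013", "-").strip()   # accept the en dash as a range separator
    if text.startswith("@"):                      # hypothetical syntax: reference to another group
        return ("group", text[1:])
    if "/" in text:
        return ("subnet", ipaddress.ip_network(text, strict=False))
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:   # a range may not mix IPv4 and IPv6
            raise ValueError(f"invalid range: {text!r}")
        return ("range", (lo, hi))
    return ("single", ipaddress.ip_address(text))

class AddressGroups:
    def __init__(self, definitions):
        self.groups = {name: [parse_entry(e) for e in entries]
                       for name, entries in definitions.items()}

    def contains(self, group, address, _seen=None):
        """True if address falls inside the named group or any group nested in it."""
        addr = ipaddress.ip_address(address)
        seen = set() if _seen is None else _seen
        if group in seen:                         # nested groups may reference each other
            return False
        seen.add(group)
        for kind, value in self.groups[group]:
            if kind == "group":
                if self.contains(value, address, seen):
                    return True
            elif kind == "single":
                if addr == value:
                    return True
            elif kind == "range":
                lo, hi = value
                if addr.version == lo.version and lo <= addr <= hi:
                    return True
            elif addr.version == value.version and addr in value:
                return True
        return False

# Constructed sample objects; 192.0.2.0/24 is a documentation range.
GROUPS = AddressGroups({
    "servers": ["192.0.2.10", "2001::34"],
    "clients": ["192.0.2.100 - 192.0.2.150", "2001::123:34 – 2001::123:50"],
    "lan": ["10.1.2.0/24", "2001:0:123::0/64", "@servers", "@clients"],
})
```
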
Transparent deployment modes such as Layer 2 Bridge, or Segment, can all pass and inspect IPv6 traffic.
NGFW firewall rules can contain IPv6 addresses, subnets, ranges and CIDRs.
Application detection and policy works on both IPv4 and IPv6 traffic. In most cases the IP transport layer is not involved in determining the application.
NGFW devices support both IPv4 and IPv6 deep packet inspection. As most of the Digital Vaccine (DV) filters are application layer filters, they work irrespective of the IP type and across all combinations of tunneling (4in6, 6in4, 6in6, GRE, mobile IP, etc.). In addition, there is a small set of L3 filters that are IPv4- or IPv6-specific.
Reputation Feed (RepFeed)
The RepFeed service contains support and content for both IPv4 and IPv6 entries. Policy can be developed for IPv4 or IPv6 addresses.
Management Access, Web and CLI
All NGFW devices are capable of being managed via IPv4 and IPv6, even at the same time, through the dedicated management port, or through in-band management through the network inspection ports. Both IPv4 and IPv6 addresses can be used for management access.
If you are editing the Network Management configuration and want to disable IPv4, use IPv6 to manage the network BEFORE you disable IPv4. If you are editing the Network Management configuration and want to disable IPv6, use IPv4 to manage the network BEFORE you disable IPv6.
The embedded web interface and CLI fully support IPv4 and IPv6 syntax. Some commands on the CLI are specific to IPv4 or IPv6 features and operate accordingly. Diagnostic tools such as Ping and Traceroute can operate against IPv4 or IPv6 addresses. The IPv6 route table can be inspected in the same way as the IPv4 route table.
Logging and Reporting
All log entries containing IP addresses support both IPv4 and IPv6 addresses.
SMS High Availability
The SMS High Availability feature (two SMS devices operating as an HA pair) is not supported with IPv6. If the SMS is IPv6 only, the HA configuration button will display an error when selected.
NGFW device and SMS reports cover both IPv4 and IPv6 traffic. Traffic profiles show all traffic together regardless of the IP protocol used.
Access to network services such as LDAP and RADIUS may be made through IPv6 addresses.
Captive portal user authentication can also support IPv6.
Threat Management Center (TMC) Access
The TMC service for DV distribution does not support IPv6. An SMS operating in IPv6-only mode will not be able to contact the TMC, unless the SMS IP address is NAT-ed or uses a proxy that has NAT configured.