IPv6 Support
Configure IPv6 in Prisma Access.
If your organization uses IPv6 addressing, Prisma Access makes it possible for you to access
internal (private) apps that are behind IPv6 addresses. Depending on your Prisma Access version, you can access either private (internal) apps using IPv6, or
both internal and public (external) apps for both GlobalProtect and Remote Networks.
For access to external apps, some Prisma Access components do not have IPv6
functionality enabled by default. Before you enable native IPv6 for public app
access, reach out to your Palo Alto Networks account team and open a TAC ticket to
begin the enablement process.
One benefit of native IPv6 support is the ability for Mobile Users
on IPv6-only and dual-stack endpoints to connect to Prisma Access over IPv6
connections using GlobalProtect. Another benefit is the ability for GlobalProtect and
Remote Networks to access the internet and public SaaS applications
where those internet destinations require IPv6 connections.
IPv6 offers a significantly larger address space than IPv4,
allowing for an almost unlimited number of unique IP addresses. At the same time, dual
stack is a transitional approach that allows networks and devices to operate using both
IPv4 and IPv6 simultaneously. Native IPv6 support makes Prisma Access compatible
with both IPv6 and dual-stack connections to ease the migration process from IPv4 to
IPv6, ensure backward compatibility, and empower your journey to the cloud and
IPv6-enabled networks.
You configure IPv6 in the following Prisma Access network components:
- Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to
establish an IPv6 network infrastructure to enable communication
between your remote networks (branch locations), mobile users, and
service connections (data center or headquarters locations).
For best results, provide your own IPv6 (public or private) address pool with a
prefix length of /64, such as 3005:10:209:55::/64.
- For a Mobile Users—GlobalProtect deployment, specify whether
or not IPv6 networking should be used for the compute locations that
are associated with your mobile user locations.
You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
For best results, provide your own IPv6 (public or private) address pool with a
prefix length of /64, such as 3001:192:168:32::/64, applied at a Worldwide level.
Prisma Access assigns each compute region a pool from a /80 subnet and
each location (gateway) a pool from a /112 subnet. Because each
GlobalProtect connection uses one IP address from the pool, this allocation
allows over 65,000 available IPv6 addresses (/128) to be assigned to users’
endpoints per location.
- For service connections and remote network connections, you
can specify IPv6 addressing for the type of routing the connection
uses (either static or BGP routes).
For static routes, specify an IPv6 address for the subnets used for the static routes.
For BGP routes, specify an IPv6 Peer Address and Local Address.
You can also specify the transport method used to exchange BGP peering
information. You can use IPv4 to exchange all BGP peering
information (including IPv4 and IPv6), use IPv6 to exchange all
BGP peering information, or use IPv4 to exchange IPv4 BGP peering
information and IPv6 to exchange IPv6 BGP peering information.
For best results, provide your own IPv6 (public or private) address pool with a
maximum prefix length of /64, such as 2005:10:209:79::/64.
- For remote networks, you can add IPv6 addresses for DNS servers.
For best results, provide your own IPv6 (public or private) address pool with a
maximum prefix length of /64, such as 2001:10:209:65::/64.
Each branch office should use a unique /112 (maximum length) subnet, allowing
for over 65,000 unique hosts.
- IPv6 addresses you provide shouldn't overlap with Prisma Access BYOIP
public IPv6 address space.
- Your IP pool, branch office (remote network) subnets, corporate (service
connection) subnets, and infrastructure subnet shouldn't overlap with each other
(should be mutually exclusive).
- South Korea
- Asia Northeast
- South America East
- Bahrain
- South Africa West
- Europe North (Stockholm)
- Middle-East Central (UAE)
- All Local Zone locations
- Canada West
- South Africa Central
The following deployments do not support IPv6 addressing:
- IP Optimization
IP Optimization deployments do not support IPv6 for access
to public (external) apps; private app access is supported. To enable IPv6 for
your new Prisma Access deployment, reach out to your Palo Alto Networks
account team, who will open a TAC case to accommodate the request.
- Traffic Steering (using
traffic steering rules to redirect internet-bound traffic using a service
connection)
- Outbound Routes for the Service for service connections and
remote network connections

Prisma Access does not advertise IPv6 default routes.
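
As an added example (not Palo Alto Networks code), the following Python checks a planned set of IPv6 prefixes against the non-overlap rule described above and works through the /64, /80 and /112 sizing for mobile user pools. The plan's key names, the `reserved` parameter, and the index-based choice of region and location subnets are assumptions for illustration; the page states only the prefix sizes, not how Prisma Access selects the subnets.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: key names are hypothetical, prefixes are the page's examples.
PLAN = {
    "infrastructure_subnet": "3005:10:209:55::/64",
    "mobile_users_pool": "3001:192:168:32::/64",
    "service_connection": "2005:10:209:79::/64",
    "branch_1": "2001:10:209:65::1:0/112",
    "branch_2": "2001:10:209:65::2:0/112",
}

def check_plan(plan, reserved=()):
    """Return findings for malformed prefixes and for any pair that overlaps.

    `reserved` (assumed parameter) holds prefixes the plan must avoid,
    such as the BYOIP public IPv6 space.
    """
    findings, nets = [], {}
    avoid = [ipaddress.IPv6Network(r) for r in reserved]
    for name, cidr in plan.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects set host bits
        except ValueError as exc:
            findings.append(f"{name}: invalid prefix ({exc})")
            continue
        if net.version != 6:
            findings.append(f"{name}: not an IPv6 prefix")
            continue
        nets[name] = net
    # Every pair of planned subnets must be mutually exclusive.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"{a} overlaps {b}")
    for name, net in nets.items():
        findings += [f"{name} overlaps reserved {r}" for r in avoid if net.overlaps(r)]
    return findings

def nth_subnet(net, new_prefix, n):
    """Return the n-th subnet (0-based) of length new_prefix inside net."""
    if not 0 <= n < 1 << (new_prefix - net.prefixlen):
        raise ValueError("subnet index out of range")
    base = int(net.network_address) + (n << (128 - new_prefix))
    return ipaddress.IPv6Network((base, new_prefix))

def location_pool(pool, region_idx, location_idx):
    """Illustrate the /64 -> /80 (region) -> /112 (location) sizing from the page."""
    region = nth_subnet(ipaddress.IPv6Network(pool), 80, region_idx)
    return region, nth_subnet(region, 112, location_idx)
```

A /112 leaves 16 host bits, which is where the figure of over 65,000 addresses per location comes from (`location_pool(...)[1].num_addresses` is 65536).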