Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments
Use policies and other security procedures to sinkhole IPv6 traffic in a Prisma Access GlobalProtect deployment.
On a dual-stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile user IPv4 traffic through the GlobalProtect VPN tunnel to Prisma Access, where it is protected. Mobile user IPv6 traffic, however, is not sent to Prisma Access by default; it is sent to the local network adapter on the endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints automatically fall back to an IPv4 address, mobile users keep a secure and uninterrupted experience for traffic to the internet.
You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic. When you enable this functionality, Prisma Access assigns an IPv6 address to the connecting endpoint in addition to an IPv4 address; it then routes the IPv6 traffic to Prisma Access and discards it using a built-in security policy, as shown in the following figure.
To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.
1. Open a secure CLI session with admin-level privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
2. Enter configure to enter configuration mode.
3. Enter the set plugins cloud_services mobile-users ipv6 yes command. If you need to disable this functionality in the future, enter set plugins cloud_services mobile-users ipv6 no.
4. Enter commit to save your changes locally.
5. Enter exit to exit configuration mode.
6. Enter commit-all shared-policy include-template yes device-group Mobile_User_Device_Group to commit and push your changes and make them active in Prisma Access.
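After the push, the observable effect on a connected endpoint is that its preferred IPv6 default route should leave via the GlobalProtect tunnel adapter rather than the local network adapter. The following endpoint-side check is an added example, not code from this page or from Palo Alto Networks; it assumes a Linux endpoint where the GlobalProtect app's tunnel interface is named gpd0 (adjust TUNNEL_IFACE for your deployment) and parses `ip -6 route show` output.

```python
"""Endpoint-side check: does the preferred IPv6 default route enter the VPN tunnel?"""
import re
import subprocess

# Assumed tunnel interface name for the GlobalProtect app on a Linux endpoint;
# change it to the adapter name your deployment actually shows.
TUNNEL_IFACE = "gpd0"

# Constructed sample of `ip -6 route show` output (pre-sinkhole state):
# the endpoint's only IPv6 default route goes out the Wi-Fi adapter.
SAMPLE_ROUTES_BEFORE = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""

# Constructed sample after the sinkhole is enabled: the tunnel adapter now
# carries a lower-metric IPv6 default route, so IPv6 traffic enters the tunnel.
SAMPLE_ROUTES_AFTER = """\
::1 dev lo proto kernel metric 256 pref medium
2001:db8:1::/64 dev wlan0 proto ra metric 600 pref medium
fe80::/64 dev wlan0 proto kernel metric 1024 pref medium
default dev gpd0 metric 50 pref medium
default via fe80::1 dev wlan0 proto ra metric 600 pref medium
"""


def default_v6_interfaces(route_output: str) -> list[tuple[int, str]]:
    """Return (metric, device) for every IPv6 default route, lowest metric first."""
    found = []
    for line in route_output.splitlines():
        if not line.startswith("default"):
            continue
        dev = re.search(r"\bdev (\S+)", line)
        metric = re.search(r"\bmetric (\d+)", line)
        if dev:
            # Linux treats a route with no explicit metric as metric 1024.
            found.append((int(metric.group(1)) if metric else 1024, dev.group(1)))
    return sorted(found)


def ipv6_goes_to_tunnel(route_output: str, tunnel: str = TUNNEL_IFACE) -> bool:
    """True when the preferred IPv6 default route leaves via the tunnel adapter."""
    routes = default_v6_interfaces(route_output)
    return bool(routes) and routes[0][1] == tunnel


if __name__ == "__main__":
    live = subprocess.run(["ip", "-6", "route", "show"], capture_output=True, text=True).stdout
    print("IPv6 default route via tunnel:", ipv6_goes_to_tunnel(live))
```

A result of False on a connected endpoint means IPv6 is still egressing through the local adapter, so the sinkhole is not in effect for that client.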