IPv6 Support

Configure IPv6 in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license version 2.2 Preferred and later
  • Native IPv6 access to public and private apps requires the following minimum releases:
    • Prisma Access (Managed by Strata Cloud Manager): June 2024 release
    • Prisma Access (Managed by Panorama): Prisma Access 5.1.1 for new deployments only.
    Any other deployments (including existing Prisma Access (Managed by Panorama) deployments) support private app access only.
If your organization uses IPv6 addressing, Prisma Access makes it possible for you to access internal (private) apps that are behind IPv6 addresses. Depending on your Prisma Access version, you can access either private (internal) apps using IPv6, or both internal and public (external) apps for both GlobalProtect and Remote Networks.
For access to external apps, some Prisma Access components do not have IPv6 functionality enabled by default. Before you enable native IPv6 for public app access, reach out to your Palo Alto Networks account team and open a TAC ticket to begin the enablement process.
One benefit of native IPv6 support is the ability for Mobile Users on IPv6-only and dual-stack endpoints to connect to Prisma Access over IPv6 connections using GlobalProtect. Another benefit is the ability for GlobalProtect and Remote Networks to access the internet and public SaaS applications where those destinations require IPv6 connections.
IPv6 offers a significantly larger address space than IPv4, allowing for an almost unlimited number of unique IP addresses. At the same time, dual stack is a transitional approach that allows networks and devices to operate using both IPv4 and IPv6 simultaneously. Native IPv6 support makes Prisma Access compatible with both IPv6 and dual-stack connections to ease the migration process from IPv4 to IPv6, ensure backward compatibility, and empower your journey to the cloud and IPv6-enabled networks.
You configure IPv6 in the following Prisma Access network components:
  • Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
    For best results, provide your own IPv6 (public or private) address pool with a prefix length of /64, such as 3005:10:209:55::/64.
  • For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations.
    You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
    For best results, provide your own IPv6 (public or private) address pool with a prefix length of /64, such as 3001:192:168:32::/64, applied at a Worldwide level.
    Prisma Access assigns each compute region a pool from a /80 subnet and each location (gateway) a pool from a /112 subnet. Because each GlobalProtect connection uses one IP address from the pool, this allocation allows over 65,000 available IPv6 addresses (/128) to be assigned to users’ endpoints per location.
  • For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
    • For static routes, specify an IPv6 address for the subnets used for the static routes.
    • For BGP routes, specify an IPv6 Peer Address and Local Address.
      You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
    For best results, provide your own IPv6 (public or private) address pool with a maximum prefix length of /64, such as 2005:10:209:79::/64.
  • For remote networks, you can add IPv6 addresses for DNS servers.
    For best results, provide your own IPv6 (public or private) address pool with a maximum prefix length of /64, such as 2001:10:209:65::/64.
    Each branch office should use a unique /112 (maximum length) subnet, allowing for over 65,000 unique hosts.
  • IPv6 addresses you provide shouldn't overlap with Prisma Access BYOIP public IPv6 address space.
  • Your IP pool, branch office (remote network) subnets, corporate (service connection) subnets, and infrastructure subnet shouldn't overlap with each other (should be mutually exclusive).
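An added example (not from the Prisma Access documentation or tooling) that checks an IPv6 address plan against the rules in the list above before you enter it: prefix length limits, mutual exclusivity, and the per-location capacity implied by the /80 and /112 split. The plan reuses this page's sample prefixes; the branch subnets, the `reserved` parameter (a stand-in for the BYOIP range, which this page does not give), and the reading of "maximum prefix length" as an upper bound on the prefix length are assumptions.

```python
import ipaddress
from itertools import combinations

def check_plan(plan, limits, reserved=()):
    """Return a list of problems found in an IPv6 plan (name -> CIDR string)."""
    problems, nets = [], {}
    for name, cidr in plan.items():
        try:
            net = ipaddress.IPv6Network(cidr, strict=True)
        except ValueError as exc:  # not IPv6, or host bits set in the prefix
            problems.append(f"{name}: invalid prefix ({exc})")
            continue
        if net.prefixlen > limits[name]:
            problems.append(f"{name}: /{net.prefixlen} is longer than /{limits[name]}")
        for r in reserved:  # placeholder for address space you must avoid
            if net.overlaps(ipaddress.IPv6Network(r)):
                problems.append(f"{name}: overlaps reserved range {r}")
        nets[name] = net
    # Every pair of subnets in the plan must be mutually exclusive.
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            problems.append(f"{a} overlaps {b}")
    return problems

def pool_capacity(pool, region_len=80, location_len=112):
    """Counts implied by a /80-per-region, /112-per-location split of the pool."""
    net = ipaddress.IPv6Network(pool)
    return {
        "regions": 2 ** (region_len - net.prefixlen),
        "locations_per_region": 2 ** (location_len - region_len),
        "addresses_per_location": 2 ** (128 - location_len),
    }

# Constructed plan: sample prefixes from this page plus two hypothetical branches.
PLAN = {
    "infrastructure": "3005:10:209:55::/64",
    "mobile_users": "3001:192:168:32::/64",
    "service_connection": "2005:10:209:79::/64",
    "branch_a": "2001:10:209:65::1:0/112",
    "branch_b": "2001:10:209:65::2:0/112",
}
LIMITS = {"infrastructure": 64, "mobile_users": 64, "service_connection": 64,
          "branch_a": 112, "branch_b": 112}

if __name__ == "__main__":
    print(check_plan(PLAN, LIMITS) or "plan OK")
    bad = dict(PLAN, branch_b="2001:10:209:65::1:8000/113")  # too long, collides
    print(check_plan(bad, LIMITS))
    print(pool_capacity(PLAN["mobile_users"]))
```

The capacity figure of 65,536 addresses per /112 matches the "over 65,000" stated for each GlobalProtect location and each branch office.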
The following compute locations do not support IPv6:
  • South Korea
  • Asia Northeast
  • South America East
  • Bahrain
  • South Africa West
  • Europe North (Stockholm)
  • Middle-East Central (UAE)
The following locations do not support IPv6:
  • All Local Zone locations
  • Canada West
  • South Africa Central
The following deployments do not support IPv6 addressing:
  • IP Optimization
    IP Optimization deployments do not support IPv6 for access to public (external) apps; private app access is supported. To enable IPv6 for your new Prisma Access deployment, reach out to your Palo Alto Networks account team, who will open a TAC case to accommodate the request.
  • Clean Pipe deployments
  • Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)
  • Outbound Routes for the Service for service connections and remote network connections
    Prisma Access does not advertise IPv6 default routes.