Set Up an IPv6 Sinkhole On the On-Premises Gateway
Set up an IPv6 sinkhole for a Prisma Access GlobalProtect
mobile users deployment.
If you have a hybrid deployment that uses
next-generation firewalls configured as gateways with Prisma Access,
perform the following task on the on-premises gateway to drop the
IPv6 traffic.
1. Add IPv6 IP pools to your GlobalProtect agent configuration.
   a. Select Network > GlobalProtect > Gateways.
   b. Select an existing GlobalProtect gateway or Add a new one.
   c. Select Agent > Client Settings.
   d. Select the agent configuration to modify or Add a new one.
   e. Select IP Pools; then, Add an IPv6 pool to assign to the virtual network adapter on the endpoints that connect to the GlobalProtect gateway used for mobile network traffic and click OK.
2. Enable IPv6 on the interface.
   a. Select Device > Interface > Tunnel and select the tunnel Interface that you use for the mobile user's traffic.
   b. Select IPv6; then, select Enable IPv6 on the interface.
3. Add a security policy to set a TCP reset action that will terminate sessions with IPv6 source traffic that matches the IP pools you configured in Step 1.
   a. Select Policies > Security and Add a new security policy.
   b. Set the Source Address in the rule to match the IP pools you configured in Step 1.
   c. Select Actions; then, select an Action Setting of Reset Client and click OK.
4. Commit your changes.
5. (Optional) Perform this task on all the gateway firewalls in your deployment.
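
An added example, not part of the original procedure and not Palo Alto Networks code: a Python check that every IPv6 pool from Step 1 falls inside the source addresses of an enabled Reset Client rule from Step 3. The pool list and rule dictionaries are a constructed, hypothetical representation (not a PAN-OS export format), and the addresses are sample values from the IPv6 documentation prefix.

```python
import ipaddress

def to_networks(entry):
    """Parse 'prefix/len' or 'first-last' into a list of network objects."""
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry.strip(), strict=False)]

def uncovered_pools(ipv6_pools, rules):
    """Return the parts of the IPv6 pools that no enabled reset-client rule matches."""
    sinks = []
    for rule in rules:
        if rule.get("action") != "reset-client" or rule.get("disabled", False):
            continue
        for src in rule["source"]:
            sinks.extend(n for n in to_networks(src) if n.version == 6)
    # Merge adjacent or overlapping sources so a pool spanning two of them still counts.
    sinks = list(ipaddress.collapse_addresses(sinks))
    missing = []
    for pool in ipv6_pools:
        for net in to_networks(pool):
            if net.version != 6:
                raise ValueError(f"not an IPv6 pool: {pool}")
            if not any(net.subnet_of(s) for s in sinks):
                missing.append(str(net))
    return missing

# Constructed sample data (hypothetical structure, documentation addresses).
SAMPLE_POOLS = ["2001:db8:10::/64", "2001:db8:20::/64"]
SAMPLE_RULES = [
    {"name": "ipv6-sinkhole", "action": "reset-client",
     "source": ["2001:db8:10::/64"]},
    {"name": "allow-v4", "action": "allow", "source": ["10.0.0.0/8"]},
]

if __name__ == "__main__":
    gaps = uncovered_pools(SAMPLE_POOLS, SAMPLE_RULES)
    if gaps:
        print("IPv6 pools without a Reset Client rule:", ", ".join(gaps))
    else:
        print("All IPv6 pools are matched by a Reset Client rule.")
```

The check covers source-address matching only; it does not evaluate rule order, zones or other match criteria.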