About NPTv6
Learn more about IPv6-to-IPv6 Network Prefix Translation (NPTv6) for your managed firewalls.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Configure a Network Address Translation (NAT) policy rule to perform IPv6-to-IPv6 Network Prefix Translation (NPTv6). Palo Alto Networks doesn't implement all functionality defined in RFC 6296, but is compliant with the RFC in the functionality it has implemented.

NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. Because it is stateless, it doesn't keep track of ports or sessions for the addresses it translates. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 prefix translation as defined in RFC 6296; it doesn't support NAT66.

With the limited addresses in the IPv4 space, NAT was required to translate private, nonroutable IPv4 addresses to one or more globally routable IPv4 addresses. For organizations using IPv6 addressing, there's no need to translate IPv6 addresses to IPv6 addresses, because IPv6 addresses are abundant.

NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.

NPTv6 is supported on the following firewall models (NPTv6 uses hardware lookup, but packets go through the CPU):
- PA-7000 Series firewalls
- PA-5200 Series firewalls
- PA-3200 Series firewalls
- PA-800 firewall
- PA-220 firewall
Unique Local Addresses
RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered the IPv6 equivalent of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which can't be routed globally.

A ULA is globally unique, but not expected to be globally routable. It's intended for local communications and to be routable in a limited area such as a site, or among a small number of sites. Palo Alto Networks doesn't recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.
Reasons to Use NPTv6
Although there's no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 prefixes. It's important to understand that NPTv6 doesn't provide security. In general, stateless network address translation doesn't provide any security; it provides only an address translation function. NPTv6 doesn't hide or translate port numbers. Set up firewall Security policies correctly in each direction to ensure that traffic is controlled as you intended.
- Prevents asymmetrical routing—Asymmetric routing can occur if a Provider Independent address space (a /48, for example) is advertised by multiple data centers to the global internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall that translated the source IP address.
- Provides address independence—You need not change the IPv6 prefixes used inside your local network if the global prefixes change (for example, when an ISP renumbers or organizations merge). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the internet. In either case, you update a NAT rule rather than reassign network addresses.
- Translates ULAs for routing—You can have Unique Local Addresses assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
- Reduces exposure of IPv6 prefixes—Your IPv6 prefixes are less exposed than if you didn't translate network prefixes; however, NPTv6 isn't a security measure. The interface identifier portion of each IPv6 address isn't translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes aren't secret; they can be determined by others.
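The stateless prefix swap described above, and the interface-identifier exposure noted in the last list item, as an added Python model that is not Palo Alto Networks code: the inside ULA /48, the outside documentation /48 and the packets are constructed for illustration, and the model leaves out RFC 6296's checksum-neutral adjustment of one host word.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed NPTv6 rule, not from the page: a ULA (RFC 4193) prefix inside, an IPv6
# documentation prefix standing in for a globally routable prefix outside.
INSIDE_PREFIX = ipaddress.IPv6Network("fd00:1234:5678::/48")
OUTSIDE_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    sport: int
    dport: int


def make_packet(src, dst, sport, dport):
    return Packet(ipaddress.IPv6Address(src), ipaddress.IPv6Address(dst), sport, dport)


def translate_prefix(addr, from_prefix, to_prefix):
    """Rewrite the prefix bits of addr and copy the host bits unchanged.

    Returns None when addr is outside from_prefix (the rule does not match). No session
    table is read or written: the result depends only on the address and the rule,
    which is what makes NPTv6 stateless. RFC 6296's checksum-neutral adjustment of
    one 16-bit host word is not modelled.
    """
    if from_prefix.prefixlen != to_prefix.prefixlen:
        raise ValueError("NPTv6 needs equal-length inside and outside prefixes")
    addr = ipaddress.IPv6Address(addr)
    if addr not in from_prefix:
        return None
    host_mask = (1 << (128 - from_prefix.prefixlen)) - 1
    return ipaddress.IPv6Address(int(to_prefix.network_address) | (int(addr) & host_mask))


def outbound(pkt):
    """Inside -> outside: only the source prefix changes; ports are never touched."""
    new_src = translate_prefix(pkt.src, INSIDE_PREFIX, OUTSIDE_PREFIX)
    return pkt if new_src is None else replace(pkt, src=new_src)


def inbound(pkt):
    """Outside -> inside (return traffic): only the destination prefix changes."""
    new_dst = translate_prefix(pkt.dst, OUTSIDE_PREFIX, INSIDE_PREFIX)
    return pkt if new_dst is None else replace(pkt, dst=new_dst)


def interface_id(addr):
    """Low 64 bits: the host part NPTv6 leaves identical and visible on both sides."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
```

Running a packet out and its reply back in shows the round trip needs no state, and that the interface identifier (here `::1a`) is the same on both sides of the firewall.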