NPTv6
Focus
Focus
Next-Generation Firewall

NPTv6

Table of Contents

NPTv6

Understand IPv6-to-IPv6 Network Prefix Translation (NPTv6), ULAs, and the reasons to use NPTv6.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by PAN-OS or Panorama)
IPv6-to-IPv6 Network Prefix Translation (NPTv6) performs a stateless, static translation of one IPv6 prefix to another IPv6 prefix (port numbers are not changed). Beginning with PAN-OS 11.1.5, NPTv6 also supports dynamically assigned IPv6 address prefixes.
Although there is no shortage of public, globally routable IPv6 addresses, there are reasons you might want to translate IPv6 addresses. The primary benefits are that NPTv6:
  • Prevents asymmetrical routing—Asymmetric routing can occur if a Provider Independent address space (/48, for example) is advertised by multiple data centers to the global Internet. By using NPTv6, you can advertise more specific routes from regional firewalls, and the return traffic will arrive at the same firewall where the source IP address was translated by the translator.
  • Provides address independence—You need not change the IPv6 prefixes used inside your local network if the global prefixes are changed (for example, by an ISP or as a result of merging organizations). Conversely, you can change the inside addresses at will without disrupting the addresses that are used to access services in the private network from the Internet. In either case, you update a NAT rule rather than reassign network addresses.
  • Translates ULAs for routing—You can have Unique Local Addresses (ULAs) assigned within your private network, and have the firewall translate them to globally routable addresses. Thus, you have the convenience of private addressing and the functionality of translated, routable addresses.
  • Reduces exposure to IPv6 prefixes—IPv6 prefixes are less exposed than if you didn’t translate network prefixes, however, NPTv6 is not a security measure. The interface identifier portion of each IPv6 address is not translated; it remains the same on each side of the firewall and visible to anyone who can see the packet header. Additionally, the prefixes are not secure; they can be determined by others.
  • Allows more specific routes to be advertised —Thus, that return traffic arrives at the same firewall that transmitted the traffic.
This topic builds on a basic understanding of NAT. You should be sure you are familiar with NAT concepts before configuring NPTv6.
NPTv6 is defined in RFC 6296. Palo Alto Networks® does not implement all functionality defined in the RFC, but is compliant with the RFC in the functionality it has implemented.
NPTv6 performs stateless translation of one IPv6 prefix to another IPv6 prefix. It is stateless, meaning that it does not keep track of ports or sessions on the addresses translated. NPTv6 differs from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required to translate private, non-routable IPv4 addresses to one or more globally-routable IPv4 addresses. For organizations using IPv6 addressing, there is no need to translate IPv6 addresses to IPv6 addresses due to the abundance of IPv6 addresses. However, there are reasons to use NPTv6 to translate IPv6 prefixes at the firewall (listed above).
It is important to understand that NPTv6 does not provide security. It general, stateless network address translation does not provide any security; it provides an address translation function. NPTv6 does not hide or translate port numbers. You must set up firewall security policies correctly in each direction to ensure that traffic is controlled as you intended.
NPTv6 translates the prefix portion of an IPv6 address but not the host portion or the application port numbers. The host portion is simply copied, and therefore remains the same on either side of the firewall. The host portion also remains visible within the packet header.
NPTv6 is supported on the following firewall models (NPTv6 with hardware lookup but packets go through the CPU):
  • PA-7500 Series firewall
  • PA-7000 Series firewalls
  • PA-5450 firewall
  • PA-5445 firewall
  • PA-5410, PA-5420, and PA-5430 firewalls
  • PA-5200 Series firewalls
  • PA-3400 Series firewalls
  • PA-3200 Series firewalls
  • PA-800 firewall
  • PA-440, PA-450, and PA-460 firewalls
  • PA-455-5G firewall (PAN-OS 11.2.3 and later 11.2 releases)
  • PA-455 firewall
  • PA-450R-5G firewall
  • PA-450R firewall
  • PA-445 firewall
  • PA-415 firewall
  • PA-415-5G firewall
  • PA-410R-5G firewall (PAN-OS 11.1.4 and later 11.1 releases)
  • PA-410R firewall (PAN-OS 11.1.3 and later 11.1 releases)
  • PA-410 firewall
  • PA-220 firewall
VM-Series firewalls support NPTv6, but with no ability to have hardware perform a session lookup.

Unique Local Addresses (ULAs)

RFC 4193, Unique Local IPv6 Unicast Addresses, defines unique local addresses (ULAs), which are IPv6 unicast addresses. They can be considered IPv6 equivalents of the private IPv4 addresses identified in RFC 1918, Address Allocation for Private Internets, which cannot be routed globally.
A ULA is globally unique, but not expected to be globally routable. It is intended for local communications and to be routable in a limited area such as a site or among a small number of sites. Palo Alto Networks® does not recommend that you assign ULAs, but a firewall configured with NPTv6 will translate prefixes sent to it, including ULAs.