Configure IPv6 Dual-Stack Support for Prisma Access Agent

Table of Contents

Configure IPv6 Sinkhole for Prisma Access Agent

Configure IPv6 Dual-Stack Support for Prisma Access Agent

Enable IPv6 dual-stack support by configuring an IPv6 pool on the gateway and adding IPv6 addresses to forwarding profile destination objects.

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama) NGFW (Managed by Panorama)	Check the prerequisites for the deployment you're using PAN-OS version 11.2.7-h10 or later Strata Cloud Manager 2026.R1 or later Minimum Prisma Access Agent version: 26.1.1 macOS 14 and later or Windows 10 version 2024 and later desktop devices Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature

Configure IPv6 dual-stack support to enable Prisma Access Agent to operate in network environments where both IPv4 and IPv6 protocols are available. This capability enables the agent to steer traffic based on both IPv4 and IPv6 addresses according to your forwarding profile rules.

Before you begin, review your existing forwarding profiles to identify applications that might use IPv6 addresses.

Enable IPv6 for internal traffic.
1. In Strata Cloud Manager, Select ConfigurationNGFW and Prisma AccessConfiguration ScopePrisma AccessPrisma Access Infrastructure and select the gear icon to edit the Settings.
2. Enable IPv6 for Internal Traffic and provide an IPv6 infrastructure subnet.
Assign an IPv6 address pool.
1. Go to ConfigurationNGFW and Prisma AccessConfiguration ScopeAccess AgentSetup and select the gear icon to edit the Infrastructure Settings.
2. If you are on a coexistent tenant with GlobalProtect, select Filter ByPrisma Access Agent or All.
3. In the IPv6 Settings section, select Worldwide and enter the IP Pool for IPv6.
4. Save your setting.
Enable the compute location where the gateway belongs.
1. Still in the IPv6 Settings section, select a Region.
2. Enable the compute location where the gateway belongs. For example:
3. Save your settings.
4. Select Push ConfigPush to commit your changes and push the configuration to the gateway.
Add IPv6 addresses to forwarding profile destinations.
1. Navigate to the Forwarding Profiles Setup page.
  Strata Cloud Manager Managed Prisma Access deployments:
  Select ConfigurationNGFW and Prisma AccessConfiguration ScopeMobile Users ContainerMobile Users.
  Edit the settings in the Forwarding Profiles Setup section by selecting the gear icon.
  Panorama Managed Prisma Access deployments:
  From the Cloud Services plugin in Panorama, select PanoramaCloud ServicesPrisma Access AgentLaunch Prisma Access Agent.
  Select ConfigurationForwarding Profiles
  Panorama Managed NGFW deployments:
  Log in to Strata Cloud Manager as the administrator.
  Select ConfigurationForwarding Profiles
2. In Forwarding Profiles Setup, select the Destinations tab and select the destination object where you want to add IPv6 addresses.
3. Enter the relevant IPv6 addresses in the IP Addresses section. Use the following guidelines when adding IPv6 addresses:
  Add an IPv6 address using standard notation such as 2001:db8::1234:5678 for a single host.
  Add an IPv6 subnet using CIDR notation such as 2001:db8:1234::/48 to match a range of addresses.
  For applications that support both IPv4 and IPv6 addresses, use the fully qualified domain name in the destination object rather than specific IP addresses to ensure consistent traffic steering regardless of protocol preference.
  
  For example:
  Save your settings.
4. Configure the forwarding action (connectivity option) for the rule.
  In Forwarding Profiles Setup, select the Forwarding Profiles tab and select an existing forwarding profile or Add Forwarding ProfilePrisma Access Agent.
  Add or select an existing forwarding rule.
  Select a Connectivity option such as Direct, Block, Bypass, Best Available - Fail Safe, or Best Available - Fail Open. You can also select a custom connectivity object if you created one. Proxy and Advanced DNS Security Resolver are not supported at this time.
  Select the Traffic Type for the forwarding action.
  Add or Update the forwarding rule.
5. Repeat the steps for additional destination objects that require IPv6 support.
6. Select Push ConfigPush to apply the forwarding profile updates.
Verify the IPv6 configuration.
1. Connect a Prisma Access Agent in a dual-stack network environment where the endpoint receives both IPv4 and IPv6 addresses.
2. Go to the Endpoint Manager inventory page in Strata Cloud Manager by selecting ConfigurationEndpoint Management.
3. Locate the connected endpoint and verify that the Private IPv6 column display the assigned addresses.
  
  Use the filter criteria to search for endpoints by IPv6 address if needed for troubleshooting.
4. From the command-line interface on an endpoint or through the remote shell:
  Run the pacli tunnel command on the endpoint to view IPv6 tunnel information and confirm the agent received an IPv6 address from the configured pool.
  Run the pacli traffic show command to display all forwarding profile rules including IPv6 addresses and subnets.
  Run the pacli traffic log command to display entries in the network connection log.
5. Monitor the agent logs (PAS.log and NetworkManager.log) for IPv6-related entries such as received IPv6 pool, assigned IPv6 address, and IPv6 forwarding rule matches.