IPv6 Traffic Handling for Prisma Access Agent on Linux

Understand how Prisma Access Agent on Linux selectively blocks tunnel-routed IPv6 traffic to trigger IPv4 fallback when the tunnel lacks IPv6 support.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Prisma Access Agent version 26.2.2 or later
  • Linux desktop devices
Prisma® Access Agent on Linux prevents IPv6 connection timeouts when the VPN tunnel does not support IPv6. Without this feature, applications attempting IPv6 connections through the tunnel experience 20–30 second timeouts because IPv6 packets enter a tunnel that cannot route them. The agent drops only the IPv6 connections that can't be routed through the tunnel. Modern applications fall back to IPv4 automatically in approximately 50–300 milliseconds.
This behavior differs from the IPv6 sinkhole feature available on macOS and Windows. On Linux, no gateway-side configuration is required. Direct-routed IPv6 traffic and all IPv6 traffic when the tunnel is disconnected continue to work normally.

Traffic Routing Behavior

The following table summarizes how the agent routes different types of IPv6 traffic:
Traffic Type | Routing Decision | Result
IPv6 to a tunnel-routed destination | Tunnel | Dropped — triggers IPv4 fallback
IPv6 to a direct-routed destination | Direct | Allowed via physical interface
IPv6 (any) when the tunnel is disconnected | N/A | Allowed — native IPv6 works normally
DNS to IPv4 DNS servers | Any | Works normally — both IPv4 and IPv6 results returned

Limitations

Keep the following limitations in mind when using IPv6 traffic handling on Linux endpoints:
  • Forwarding profile rules for IPv6 destinations must use destination-based matching
    On Linux, the agent cannot identify the source application for IPv6 connections. Forwarding profile rules that match IPv6 destinations must use destination-based criteria only. Application-based matching is not supported for IPv6 traffic on Linux.
  • Legacy applications without automatic IPv4 fallback may experience delays
    Applications without automatic IPv4 fallback may wait 20–30 seconds before falling back to IPv4. Update the application to a version that supports automatic IPv4 fallback, or configure the application to use IPv4 only.
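To gauge how a legacy-style client is affected for a given destination, the following added example (not Palo Alto Networks code) times a client that tries every IPv6 address first and moves to IPv4 only after IPv6 fails, then compares the time lost on IPv6 with the 300 ms figure above. The function names, the 2-second per-attempt timeout, and the verdict labels are assumptions of this example.

```python
import socket
import sys
import time

FAST_FALLBACK_S = 0.3  # upper end of the page's "50-300 milliseconds" figure

def tcp_connect(sockaddr, timeout):
    """Connect to one address literal; raises OSError on refusal or timeout."""
    return socket.create_connection(sockaddr[:2], timeout)

def probe(host, port, attempt_timeout=2.0, resolve=socket.getaddrinfo,
          connect=tcp_connect, clock=time.monotonic):
    """Try each IPv6 address, then each IPv4 address; report the outcome."""
    infos = resolve(host, port, type=socket.SOCK_STREAM)
    ordered = ([i for i in infos if i[0] == socket.AF_INET6] +
               [i for i in infos if i[0] == socket.AF_INET])
    attempts, v6_lost, winner = [], [], None
    for family, _type, _proto, _canon, sockaddr in ordered:
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        start = clock()
        try:
            connect(sockaddr, attempt_timeout).close()
            error = None
        except OSError as exc:
            error = type(exc).__name__
        elapsed = clock() - start
        attempts.append((label, sockaddr[0], error, round(elapsed, 3)))
        if error is None:
            winner = label
            break
        if label == "IPv6":
            v6_lost.append(elapsed)  # time an IPv6-first client waits
    if winner != "IPv4":
        verdict = "ipv6" if winner else "unreachable"
    elif not v6_lost:
        verdict = "ipv4-only"  # resolver returned no IPv6 address
    else:
        fast = sum(v6_lost) <= FAST_FALLBACK_S
        verdict = "ipv4-fallback-fast" if fast else "ipv4-fallback-slow"
    return {"verdict": verdict, "connected_via": winner,
            "ipv6_delay_s": round(sum(v6_lost), 3), "attempts": attempts}

if __name__ == "__main__":  # usage: probe.py HOST PORT
    print(probe(sys.argv[1], int(sys.argv[2])))
```

A verdict of `ipv4-fallback-slow` for a tunnel-routed destination means a client that tries addresses one after another will stall on IPv6 there, which is the case the second limitation describes.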