Use VM-Series Firewall to Configure NPTv6 Policy for IPv6 Forwarding Rule on Google Cloud Platform (GCP)

Use the VM-Series firewall to create an NPTv6 policy that translates inbound internet traffic destined to the load balancer's IPv6 forwarding rule to a web app in the trust VPC.
This section walks through a use case that tests inbound internet traffic, destined to the IPv6 forwarding rule, reaching the web app on internal-vm in the trust VPC on Google Cloud Platform (GCP).
Where Can I Use This?
  • Google Cloud Platform (GCP)
What Do I Need?
  • VM-Series License (PAYG or BYOL)
  • VM-Series plugin
  • Panorama
  • Panorama plugin for GCP
For this workflow, deploy and configure the VM-Series firewall in GCP. Create an NPTv6 policy to translate traffic destined to the IPv6 forwarding rule to the web app on internal-vm, and test the inbound internet traffic through the VM-Series firewall.
The VM-Series firewall inspects and enforces security policy on the NPTv6-translated traffic on GCP.
Architecture
VM-Series firewall resource deployed in GCP
The architecture shows the VM-Series deployed with three network interfaces (untrust, management, trust). The untrust and trust interfaces sit in dual-stack subnets; the management interface is IPv4-only. The firewall belongs to a managed instance group that serves as the backend of an external passthrough load balancer.
The load balancer is configured with IPv4 and IPv6 frontend addresses and distributes internet inbound traffic to the untrust interface. The test workloads are deployed to exercise north-south traffic: the external-vpc contains an Ubuntu VM (external-vm) that sends internet inbound traffic through the VM-Series to the internal-vm in the trust network.
Prerequisites:
  • Google Cloud project
  • Access to Google Cloud Shell with permissions to deploy the resources in GCP
  • If using BYOL, a VM-Series auth key to license the firewall

Deploy Resources in GCP Using Gcloud

Create the cloud resources needed to support the VM-Series IPv4/IPv6 topology. This includes VPC networks, firewall rules, an instance group, a load balancer, and the VM-Series compute instance.
Create VPC Networks
Create the VPC networks for the VM-Series network interfaces. The table below describes each VPC network's function as it relates to the VM-Series firewalls.
VPC      NIC   Description
UNTRUST  NIC0  Serves as the internet gateway for cloud resources deployed or connected to the trust-vpc.
MGMT     NIC1  Serves as the VM-Series MGT and HA1 interface.
TRUST    NIC2  Serves as the default gateway for cloud resources deployed or connected to the trust-vpc.
  1. In GCP cloud shell, enable the required Google Cloud APIs.
    gcloud services enable compute.googleapis.com
  2. Set your deployment project, region, and zone:
    gcloud config set project PROJECT_ID
    gcloud config set compute/region REGION
    gcloud config set compute/zone ZONE
  3. Set environment variables for the naming prefix, the subnet prefixes, and the source ranges allowed to reach the management interface:
    export PREFIX=panw
    export CIDR_MGMT=10.0.0.0/28
    export CIDR_UNTRUST=10.0.1.0/28
    export CIDR_UNTRUST_LB=10.0.1.16/28
    export CIDR_TRUST=10.0.2.0/28
    export MGMT_SOURCE_RANGES=0.0.0.0/0
    Variable            Definition
    PREFIX              A string prepended to each resource name (for example, $PREFIX-vpc).
    CIDR_<NAME>         The IPv4 prefix of the subnet created in each VPC network.
    MGMT_SOURCE_RANGES  A comma-separated list of source ranges allowed to reach the VM-Series MGT interface on TCP 22 and 443. The value 0.0.0.0/0 used here exposes the management interface to the whole internet; restrict it to your administrative ranges for anything beyond a lab. The management subnet is IPv4-only in this topology.
  4. Create the mgmt-vpc, untrust-vpc, and trust-vpc networks with their subnets. The trust-vpc is created with --enable-ula-internal-ipv6 because its subnet uses internal (ULA) IPv6 addresses; the untrust-vpc gets a second subnet, untrust-subnet-lb, that holds the external IPv6 range for the load balancer's IPv6 forwarding rule:
    gcloud compute networks create $PREFIX-mgmt-vpc \
      --subnet-mode=custom
    gcloud compute networks create $PREFIX-untrust-vpc \
      --subnet-mode=custom
    gcloud compute networks create $PREFIX-trust-vpc \
      --subnet-mode=custom \
      --enable-ula-internal-ipv6
    gcloud compute networks subnets create $PREFIX-mgmt-subnet \
      --network=$PREFIX-mgmt-vpc \
      --range=$CIDR_MGMT
    gcloud compute networks subnets create $PREFIX-untrust-subnet \
      --network=$PREFIX-untrust-vpc \
      --range=$CIDR_UNTRUST \
      --stack-type=IPV4_IPV6 \
      --ipv6-access-type=EXTERNAL
    gcloud compute networks subnets create $PREFIX-untrust-subnet-lb \
      --network=$PREFIX-untrust-vpc \
      --range=$CIDR_UNTRUST_LB \
      --stack-type=IPV4_IPV6 \
      --ipv6-access-type=EXTERNAL
    gcloud compute networks subnets create $PREFIX-trust-subnet \
      --network=$PREFIX-trust-vpc \
      --range=$CIDR_TRUST \
      --stack-type=IPV4_IPV6 \
      --ipv6-access-type=INTERNAL
  5. Create firewall rules for each VPC network to allow traffic to the VM-Series network interfaces:
    VPC      Rule Name        Description
    MGMT     ingress-mgmt     Allows TCP 443 and 22 to the MGT interface from MGMT_SOURCE_RANGES.
    UNTRUST  ingress-untrust  Allows all IPv4 and IPv6 ingress traffic to the VM-Series untrust interface.
    TRUST    ingress-trust    Allows all IPv4 and IPv6 ingress traffic to the VM-Series trust interface.
    gcloud compute firewall-rules create $PREFIX-ingress-mgmt \
      --network=$PREFIX-mgmt-vpc \
      --direction=ingress \
      --allow=tcp:443,tcp:22 \
      --source-ranges=$MGMT_SOURCE_RANGES
    gcloud compute firewall-rules create $PREFIX-ingress-untrust \
      --network=$PREFIX-untrust-vpc \
      --direction=ingress \
      --allow=all \
      --source-ranges=0.0.0.0/0
    gcloud compute firewall-rules create $PREFIX-ingress-untrust-ipv6 \
      --network=$PREFIX-untrust-vpc \
      --direction=ingress \
      --allow=all \
      --source-ranges=::/0
    gcloud compute firewall-rules create $PREFIX-ingress-trust \
      --network=$PREFIX-trust-vpc \
      --direction=ingress \
      --allow=all \
      --source-ranges=0.0.0.0/0
    gcloud compute firewall-rules create $PREFIX-ingress-trust-ipv6 \
      --network=$PREFIX-trust-vpc \
      --direction=ingress \
      --allow=all \
      --source-ranges=::/0
    The untrust and trust rules deliberately allow all traffic at the VPC layer so that the VM-Series security policy, not the VPC firewall, is what gets enforced on every flow. A VPC firewall rule carries either IPv4 or IPv6 source ranges, which is why the untrust and trust networks each get one rule per address family.
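As an added check (example code written for this page, not from the original), the script below audits firewall rules exported with gcloud compute firewall-rules list --format=json and flags any ingress rule on the management VPC that admits TCP 22 or 443 from a source not fully contained in your trusted ranges. The rules list is a constructed sample in the shape of that export, reflecting the rules created above with MGMT_SOURCE_RANGES left at 0.0.0.0/0; the project name my-project and the trusted range 203.0.113.0/24 are placeholders.

```python
"""Audit GCP firewall rules for exposed VM-Series management access (added example)."""
import ipaddress
import json

# Constructed sample in the shape of `gcloud compute firewall-rules list --format=json`,
# reflecting the rules this page creates with MGMT_SOURCE_RANGES=0.0.0.0/0.
SAMPLE_RULES_JSON = """
[
  {"name": "panw-ingress-mgmt", "direction": "INGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/panw-mgmt-vpc",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "tcp", "ports": ["443", "22"]}]},
  {"name": "panw-ingress-untrust", "direction": "INGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/panw-untrust-vpc",
   "sourceRanges": ["0.0.0.0/0"],
   "allowed": [{"IPProtocol": "all"}]},
  {"name": "panw-ingress-trust-ipv6", "direction": "INGRESS",
   "network": "https://www.googleapis.com/compute/v1/projects/my-project/global/networks/panw-trust-vpc",
   "sourceRanges": ["::/0"],
   "allowed": [{"IPProtocol": "all"}]}
]
"""

MGMT_PORTS = (22, 443)   # SSH and HTTPS to the VM-Series MGT interface


def opens_mgmt_ports(allowed) -> bool:
    """True if an 'allowed' list admits TCP 22 or 443 (port specs may be single or ranges)."""
    for entry in allowed:
        proto = entry.get("IPProtocol", "").lower()
        if proto == "all":
            return True
        if proto != "tcp":
            continue
        ports = entry.get("ports")
        if not ports:                      # tcp with no port list means every TCP port
            return True
        for spec in ports:
            lo, _, hi = spec.partition("-")
            lo_i, hi_i = int(lo), int(hi or lo)
            if any(lo_i <= p <= hi_i for p in MGMT_PORTS):
                return True
    return False


def find_exposed_mgmt_rules(rules_json: str, mgmt_vpc: str, trusted_ranges):
    """Names of INGRESS rules on mgmt_vpc that admit management ports from any
    source range not fully contained in one of trusted_ranges."""
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]
    exposed = []
    for rule in json.loads(rules_json):
        if rule.get("direction") != "INGRESS":
            continue
        if rule.get("network", "").rsplit("/", 1)[-1] != mgmt_vpc:
            continue
        if not opens_mgmt_ports(rule.get("allowed", [])):
            continue
        for src in rule.get("sourceRanges", []):
            net = ipaddress.ip_network(src)
            covered = any(net.version == t.version and net.subnet_of(t) for t in trusted)
            if not covered:
                exposed.append(rule["name"])
                break
    return exposed


if __name__ == "__main__":
    flagged = find_exposed_mgmt_rules(SAMPLE_RULES_JSON, "panw-mgmt-vpc", ["203.0.113.0/24"])
    print("management rules open beyond trusted ranges:", flagged)   # ['panw-ingress-mgmt']
```

To run it against a real project, redirect the export to a file (gcloud compute firewall-rules list --format=json > rules.json) and pass its contents instead of the sample. Rules on the untrust and trust VPCs are intentionally wide open and are not flagged; only the management VPC is checked.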

Create VM-Series Firewall with Gcloud

Create the VM-Series instance template and managed instance group.
  1. Set environment variables for the VM-Series network interfaces, image, machine type, and firewall count:
    export NIC_UNTRUST=network=$PREFIX-untrust-vpc,subnet=$PREFIX-untrust-subnet
    export NIC_MGMT=network=$PREFIX-mgmt-vpc,subnet=$PREFIX-mgmt-subnet
    export NIC_TRUST=network=$PREFIX-trust-vpc,subnet=$PREFIX-trust-subnet,no-address
    export VMSERIES_IMAGE=vmseries-flex-bundle1-1112
    export VMSERIES_INSTANCE=n2-standard-4
    export VMSERIES_COUNT=1
    Variable           Definition
    NIC_<NAME>         The configuration for each VM-Series network interface. The no-address argument skips adding a public address to the interface, so only the untrust and management interfaces receive public IPv4 addresses.
    VMSERIES_IMAGE     The name of the VM-Series image in the paloaltonetworksgcp-public project. To list the publicly available VM-Series images, run:
      gcloud compute images list \
        --project paloaltonetworksgcp-public \
        --filter='name ~ .*vmseries-flex.*'
    VMSERIES_INSTANCE  The machine type for the VM-Series firewalls.
    VMSERIES_COUNT     The number of VM-Series firewalls to deploy.
  2. Create an SSH key and export the public key to the environment variable VMSERIES_KEY:
    ssh-keygen -f ~/.ssh/vmseries -t rsa -C admin
    export VMSERIES_KEY=$(cat ~/.ssh/vmseries.pub)
  3. Create the VM-Series instance template and managed instance group:
    gcloud compute instance-templates create $PREFIX-vmseries-template \
      --image=$VMSERIES_IMAGE \
      --image-project=paloaltonetworksgcp-public \
      --machine-type=$VMSERIES_INSTANCE \
      --network-interface=$NIC_UNTRUST,stack-type=IPV4_IPV6 \
      --network-interface=$NIC_MGMT \
      --network-interface=$NIC_TRUST,stack-type=IPV4_IPV6 \
      --boot-disk-type=pd-ssd \
      --boot-disk-device-name=persistent-disk-0 \
      --boot-disk-auto-delete \
      --can-ip-forward \
      --scopes=default \
      --metadata="dhcp-accept-server-hostname=yes,mgmt-interface-swap=enable,ssh-keys=admin:$VMSERIES_KEY"
    gcloud compute instance-groups managed create $PREFIX-vmseries-mig \
      --size=$VMSERIES_COUNT \
      --template=$PREFIX-vmseries-template \
      --update-policy-type=opportunistic \
      --update-policy-minimal-action=replace \
      --update-policy-replacement-method=substitute
    The mgmt-interface-swap=enable metadata makes NIC1 the VM-Series management interface, so NIC0 (untrust) becomes ethernet1/1 and NIC2 (trust) becomes ethernet1/2; this is what lets the load balancer deliver traffic to the firewall's first interface. --can-ip-forward is required so the firewall can forward packets that are not addressed to its own interfaces. The instance group is zonal and is created in the configured zone.

Create External Load Balancer

Create an external passthrough Network Load Balancer by defining a regional health check, a regional backend service, and forwarding rules for both IPv4 and IPv6 traffic.
  1. In the GCP cloud shell, create the health check, backend service, and forwarding rules. The backend service and forwarding rules are regional resources, so the region is passed explicitly:
    gcloud compute health-checks create tcp $PREFIX-vmseries-hc \
      --region=$(gcloud config get-value compute/region)
    gcloud compute backend-services create $PREFIX-vmseries-extlb \
      --region=$(gcloud config get-value compute/region) \
      --health-checks=$PREFIX-vmseries-hc \
      --health-checks-region=$(gcloud config get-value compute/region) \
      --load-balancing-scheme=EXTERNAL \
      --protocol=UNSPECIFIED \
      --tracking-mode=PER_SESSION \
      --connection-persistence-on-unhealthy-backends=NEVER_PERSIST
    gcloud compute forwarding-rules create $PREFIX-vmseries-extlb-ipv4 \
      --region=$(gcloud config get-value compute/region) \
      --backend-service=$PREFIX-vmseries-extlb \
      --load-balancing-scheme=EXTERNAL \
      --ip-protocol=L3_DEFAULT \
      --ip-version=IPV4 \
      --ports=ALL
    gcloud compute forwarding-rules create $PREFIX-vmseries-extlb-ipv6 \
      --region=$(gcloud config get-value compute/region) \
      --backend-service=$PREFIX-vmseries-extlb \
      --load-balancing-scheme=EXTERNAL \
      --ip-protocol=L3_DEFAULT \
      --ip-version=IPV6 \
      --subnet=$PREFIX-untrust-subnet-lb \
      --ports=ALL
  2. Add the VM-Series managed instance group as the backend of the load balancer's backend service:
    gcloud compute backend-services add-backend $PREFIX-vmseries-extlb \
      --region=$(gcloud config get-value compute/region) \
      --instance-group=$PREFIX-vmseries-mig \
      --instance-group-zone=$(gcloud config get-value compute/zone)
  3. Record the addresses assigned to the IPv4 and IPv6 forwarding rules:
    gcloud compute forwarding-rules list --format="value(IPAddress)"
    Sample output:
    34.145.122.74
    2600:1900:4040:2c06:8000:0:0:0/96
    The IPv6 forwarding rule is assigned a /96 range rather than a single address; the load balancer forwards traffic sent to any address in that range to the backends, which is what allows a checksum-neutral address inside the range to be used later for NPTv6.

Configure VM-Series

Access the firewall’s console and set credentials for the admin user. Then, apply a baseline configuration to enable the firewall to respond to health checks and also route VPC network traffic.
Set Credentials
  1. Retrieve the management addresses (internal IP and public NAT IP of NIC1) of the VM-Series instance created by the managed instance group:
    gcloud compute instances list \
      --filter='name:vmseries' \
      --format='get(networkInterfaces[1].networkIP, networkInterfaces[1].accessConfigs[0].natIP)'
  2. Open an SSH session to the VM-Series using your private SSH key, substituting the public management address for MGMT_IP:
    ssh admin@MGMT_IP -i ~/.ssh/vmseries
  3. On the VM-Series, enter configuration mode and set a password for the admin user (you are prompted to enter and confirm it):
    configure
    set mgt-config users admin password
  4. Commit the changes, then enter exit twice to terminate the session:
    commit
  5. (Optional) If you set VMSERIES_IMAGE to a BYOL image (for example, vmseries-flex-byol-1100), access the VM-Series web interface (https://MGMT_IP) and license the firewall with your auth key.

Configure Network Interfaces to Handle IPv4/IPv6 Traffic

Configure the VM-Series data interfaces as Layer3 interfaces that obtain their IPv4 and IPv6 addresses from the subnet (DHCPv4 and DHCPv6 clients), so they can handle IPv4/IPv6 traffic.
  1. On the VM-Series, go to Network → Zones and select Add.
  2. Create two Layer3 zones: untrust and trust.
  3. Go to Network → Interfaces → Ethernet.
  4. Configure ethernet1/1 (untrust) as a Layer3 interface in the untrust zone:
    In the IPv4 tab, select DHCP Client and check Automatically create default route. In the IPv6 tab, enable IPv6 with the DHCPv6 client, check Accept Router Advertised Route, and uncheck Enable Prefix Delegation.
  5. Configure ethernet1/2 (trust) as a Layer3 interface in the trust zone:
    In the IPv4 tab, select DHCP Client and uncheck Automatically create default route. In the IPv6 tab, enable IPv6 with the DHCPv6 client, uncheck Accept Router Advertised Route, and uncheck Enable Prefix Delegation.
    Only the untrust interface installs default routes, so internet-bound traffic and return traffic leave through ethernet1/1 rather than the trust network.
  6. Commit the changes.

Configure NAT Policy for IPv4 Forwarding Rule

Create a NAT policy to translate traffic destined to the IPv4 forwarding rule to the web app on internal-vm in the trust VPC.
Prerequisites:
  • In Google Cloud, record the IPv4 and IPv6 addresses of the internal-vm (see Create Test Workloads).
  1. On the VM-Series, go to Policies → NAT and select Add.
  2. Configure the policy to translate the IPv4 forwarding rule address to the internal-vm IPv4 address:
    Original Packet
      Source Zone            untrust
      Destination Zone       untrust
      Destination Interface  ethernet1/1
      Destination Address    34.29.169.107 (IPv4 forwarding rule address)
    Source Translation
      Translation Type       Dynamic IP and Port
      Address Type           Interface Address
      Interface              ethernet1/2
    Destination Translation
      Translation Type       Dynamic IP
      Translated Address     10.0.3.10 (IPv4 of internal-vm)
    When internet inbound traffic is load-balanced across multiple firewalls, source translation to the trust interface address is required so that the backend application's response returns through the same firewall that translated the request (a symmetric return path) instead of following the VPC default route to a different firewall.

Configure NPTv6 Policy for IPv6 Forwarding Rule

Create an NPTv6 policy to translate traffic destined to the IPv6 forwarding rule to the web app on internal-vm.
NPTv6 (RFC 6296) is a stateless prefix translation: the firewall swaps one IPv6 prefix for another without keeping per-session state. IPv6 has no header checksum, but the TCP, UDP, and ICMPv6 checksums cover the source and destination addresses through the pseudo-header, so NPTv6 keeps the translation checksum-neutral by also adjusting one 16-bit word of the address so that the one's complement sum of the address words is unchanged. As a result, the public address that maps to internal-vm cannot be chosen freely: you must calculate the checksum-neutral address inside the forwarding rule's /96 range and use it as the original packet's destination in the NPTv6 policy.
  1. Generate a checksum-neutral address on the VM-Series:
    1. In Cloud Shell, SSH to the VM-Series using its management IP:
      ssh admin@MGMT_IP -i ~/.ssh/vmseries
    2. Generate the checksum-neutral address for the IPv6 address of the internal-vm within the IPv6 forwarding rule range of the external load balancer:
      test nptv6 cks-neutral source-ip fd20:eb0:af94:0:0:0:0:0 dest-network 2600:1900:4000:5db5:8000:1:0:0/96
      Replace fd20:eb0:af94:0:0:0:0:0 with the IPv6 address of your internal-vm and replace 2600:1900:4000:5db5:8000:1:0:0/96 with the IPv6 range assigned to your load balancer's forwarding rule.
    3. Record the generated checksum-neutral address. Sample output:
      The checksum neutral address of fd20:eb0:af94:: is 2600:1900:4000:5db5:8000:1:5eae:0 in 2600:1900:4000:5db5:8000:1:0:0/96 subnet
      Use this checksum-neutral public IPv6 address as the Destination Address of the NPTv6 NAT policy rule; it is also the address external clients must connect to.
  2. Create the NPTv6 policy:
    1. On the VM-Series, go to Policies → NAT and select Add.
    2. Set NAT Type to nptv6.
    3. Configure the policy to translate the checksum-neutral address to the internal-vm IPv6 address:
      Original Packet
        Source Zone            untrust
        Destination Zone       untrust
        Destination Interface  ethernet1/1
        Destination Address    2600:1900:4000:5db5:8000:1:5eae:0 (checksum-neutral address)
      Destination Translation
        Translation Type       Dynamic IP
        Translated Address     fd20:eb0:af94:0:0:0:0:0/96 (IPv6 prefix of internal-vm)
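How the checksum-neutral address is derived, as an added worked example (Python written for this page, not PAN-OS code): it reproduces the output of the test nptv6 cks-neutral command above from the same sample addresses, checks that the mapping leaves the one's complement sum of the address words unchanged, and runs the mapping in reverse, which is what the firewall does to the source address of the reply. Two points are assumptions rather than anything the page states: for prefixes longer than /64 the adjustment lands in the first 16-bit word past the prefix (matching the page's /96 output, where word 6 became 0x5eae), and a result of 0xFFFF is written as 0x0000 because both are zero in one's complement, which keeps the reverse mapping exact.

```python
"""RFC 6296 NPTv6 checksum-neutral mapping (added example, not PAN-OS code)."""
import ipaddress
from typing import List


def _words(addr: ipaddress.IPv6Address) -> List[int]:
    """Split a 128-bit address into eight 16-bit words, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words: List[int]) -> ipaddress.IPv6Address:
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def ones_add(a: int, b: int) -> int:
    """Add two 16-bit words in one's complement (end-around carry)."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def ones_sum(words) -> int:
    """One's complement sum of 16-bit words, the arithmetic TCP/UDP/ICMPv6 checksums use."""
    total = 0
    for w in words:
        total = ones_add(total, w)
    return total


def cks_neutral(internal_ip: str, external_network: str) -> str:
    """Map internal_ip into external_network so that the one's complement sum of the
    16-bit address words is unchanged. This is the computation behind the PAN-OS
    'test nptv6 cks-neutral source-ip ... dest-network ...' command used on this page.
    """
    inner = ipaddress.IPv6Address(internal_ip)
    outer = ipaddress.IPv6Network(external_network, strict=False)
    plen = outer.prefixlen
    if plen > 112:
        raise ValueError("prefix leaves no 16-bit word to carry the adjustment")

    # Step 1: plain prefix swap, keeping the host bits of the internal address.
    host_bits = int(inner) & ((1 << (128 - plen)) - 1)
    mapped = _words(ipaddress.IPv6Address(int(outer.network_address) | host_bits))

    # Step 2: adjustment = sum(internal) - sum(mapped) in one's complement
    # (subtracting x is adding its complement 0xFFFF ^ x).
    adjustment = ones_add(ones_sum(_words(inner)), 0xFFFF ^ ones_sum(mapped))

    # Step 3: fold the adjustment into one word outside the prefix. RFC 6296 uses
    # word 3 for prefixes of /48 or shorter and the first IID word for longer ones;
    # ASSUMPTION for prefixes longer than /64: the first word past the prefix, which
    # is what the page's /96 example shows (word 6 became 0x5eae). Words equal to
    # 0xFFFF are skipped, as the RFC does, because 0xFFFF is negative zero.
    start = max(3, -(-plen // 16))
    for idx in range(start, 8):
        if mapped[idx] != 0xFFFF:
            break
    else:
        raise ValueError("no word outside the prefix is free to carry the adjustment")
    w = ones_add(mapped[idx], adjustment)
    mapped[idx] = 0 if w == 0xFFFF else w   # negative zero normalised to 0x0000
    return str(_from_words(mapped))


def is_checksum_neutral(addr_a: str, addr_b: str) -> bool:
    """True when replacing addr_a with addr_b leaves any pseudo-header checksum intact."""
    sa = ones_sum(_words(ipaddress.IPv6Address(addr_a)))
    sb = ones_sum(_words(ipaddress.IPv6Address(addr_b)))
    return sa % 0xFFFF == sb % 0xFFFF


if __name__ == "__main__":
    # The page's sample values: internal-vm fd20:eb0:af94:: and the forwarding
    # rule range 2600:1900:4000:5db5:8000:1::/96.
    public = cks_neutral("fd20:eb0:af94::", "2600:1900:4000:5db5:8000:1::/96")
    print("checksum-neutral address:", public)           # 2600:1900:4000:5db5:8000:1:5eae:0
    print("neutral:", is_checksum_neutral("fd20:eb0:af94::", public))
    # Reverse mapping (what the firewall does to the reply's source address).
    print("reverse:", cks_neutral(public, "fd20:eb0:af94::/96"))   # fd20:eb0:af94::
```

The sum check is the property that matters: a naive prefix swap (replacing fd20:eb0:af94:: with 2600:1900:4000:5db5:8000:1::) changes the one's complement sum from 0xbb65 to 0x5cb7, so every TCP or UDP segment would fail its checksum at the destination; the 0x5eae that appears in word 6 is exactly the difference between those two sums.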

Configure Health Checks

Configure the VM-Series to receive and respond to the load balancer’s health checks.
  1. On the VM-Series CLI, enter configuration mode:
    configure
  2. Create an interface management profile that accepts HTTP only from Google Cloud's health-check prober ranges:
    set network profiles interface-management-profile lb-checks http yes
    set network profiles interface-management-profile lb-checks permitted-ip 35.191.0.0/16
    set network profiles interface-management-profile lb-checks permitted-ip 130.211.0.0/22
    set network profiles interface-management-profile lb-checks permitted-ip 209.85.152.0/22
    set network profiles interface-management-profile lb-checks permitted-ip 209.85.204.0/22
    set network profiles interface-management-profile lb-checks permitted-ip 2600:1901:8001::/48
  3. Create a loopback interface, assign the load balancer's IPv4 and IPv6 forwarding rule addresses to it, and attach the management profile. Replace the two addresses with the values recorded from your forwarding rules:
    set network interface loopback units loopback.1 ip 34.145.122.74
    set network interface loopback units loopback.1 ipv6 address 2600:1900:4040:2c06:8000:0:0:0
    set network interface loopback units loopback.1 ipv6 enabled yes
    set network interface loopback units loopback.1 interface-management-profile lb-checks
    set zone lb-checks network layer3 loopback.1
    set network virtual-router lb-checks interface loopback.1
  4. Create a security policy that allows the health-check prober ranges to reach the loopback interface:
    set rulebase security rules lb-checks from any to any
    set rulebase security rules lb-checks source 35.191.0.0/16
    set rulebase security rules lb-checks source 130.211.0.0/22
    set rulebase security rules lb-checks source 209.85.152.0/22
    set rulebase security rules lb-checks source 209.85.204.0/22
    set rulebase security rules lb-checks source 2600:1901:8001::/48
    set rulebase security rules lb-checks destination any
    set rulebase security rules lb-checks application web-browsing
    set rulebase security rules lb-checks service application-default
    set rulebase security rules lb-checks action allow
  5. Commit the changes:
    commit
  6. In Google Cloud, go to Network Services → Load Balancing and verify that the backends are reported healthy for both forwarding rules.

Create Test Workloads

Deploy VMs to test north-south IPv4 and IPv6 traffic. First, create an Ubuntu VM (internal-vm) in the trust VPC. Then, create an external network (external-vpc) containing a VM (external-vm). The external-vm is used to test inbound traffic to the internal-vm through the VM-Series firewall.
  1. In Cloud Shell, create the internal-vm in the trust VPC, then the external-vpc with its subnet, SSH firewall rule, and external-vm:
    gcloud compute instances create $PREFIX-internal-vm \
      --machine-type=f1-micro \
      --image-family=ubuntu-2004-lts \
      --image-project=ubuntu-os-cloud \
      --network-interface subnet=$PREFIX-trust-subnet,stack-type=IPV4_IPV6,no-address
    gcloud compute networks create $PREFIX-external-vpc \
      --subnet-mode=custom
    gcloud compute networks subnets create $PREFIX-external-subnet \
      --network=$PREFIX-external-vpc \
      --range=10.111.10.0/28 \
      --stack-type=IPV4_IPV6 \
      --ipv6-access-type=EXTERNAL
    gcloud compute firewall-rules create $PREFIX-ingress-external \
      --network=$PREFIX-external-vpc \
      --direction=ingress \
      --allow=tcp:22 \
      --source-ranges=0.0.0.0/0
    gcloud compute instances create $PREFIX-external-vm \
      --machine-type=f1-micro \
      --image-family=ubuntu-2004-lts \
      --image-project=ubuntu-os-cloud \
      --network-interface subnet=$PREFIX-external-subnet,stack-type=IPV4_IPV6
    The internal-vm has no public address (no-address), so its only path to and from the internet is through the VM-Series firewall; the external-vm gets public IPv4 and IPv6 addresses and acts as the internet client.
  2. Record the IPv4 and IPv6 addresses assigned to the internal-vm; these are the translated addresses used in the NAT and NPTv6 policies:
    gcloud compute instances describe $PREFIX-internal-vm \
      --format='get(networkInterfaces[0].networkIP,networkInterfaces[0].ipv6Address)'
    Sample output:
    10.0.2.3 fd20:1fa:809f:2000:0:1:0:0

Test Inbound Internet Traffic

Access the external-vm to test internet inbound traffic through the IPv4/IPv6 external load balancer to the web application on internal-vm. This workflow does not install the web application; internal-vm must already be serving HTTP on TCP port 80.
Prerequisites:
  • On the VM-Series, go to Policies → Security and Add a security policy that allows web-browsing from the untrust zone to the trust zone.
  • Commit the changes.
  • In Cloud Shell, create default routes in the trust-vpc to steer IPv4 and IPv6 traffic from the trust subnet to the VM-Series trust interface for inspection. Replace VMSERIES_INSTANCE_NAME with the instance name reported by gcloud compute instances list --filter='name:vmseries':
    gcloud compute routes create ipv4-default \
      --network=$PREFIX-trust-vpc \
      --destination-range=0.0.0.0/0 \
      --next-hop-instance=VMSERIES_INSTANCE_NAME \
      --next-hop-instance-zone=$(gcloud config get-value compute/zone)
    gcloud beta compute routes create ipv6-default \
      --network=$PREFIX-trust-vpc \
      --destination-range=::0/0 \
      --next-hop-instance=VMSERIES_INSTANCE_NAME \
      --next-hop-instance-zone=$(gcloud config get-value compute/zone)
  1. In the GCP cloud shell, SSH to the external-vm:
    gcloud compute ssh $PREFIX-external-vm --zone=$(gcloud config get-value compute/zone)
  2. Attempt to reach the web application using the load balancer's IPv4 forwarding rule address (the [1-3] glob makes curl send three requests):
    curl 'http://34.29.169.107:80/?[1-3]'
  3. Attempt to reach the web application over IPv6 using the checksum-neutral address. Use that address, not the bare forwarding rule address, because only the checksum-neutral address matches the NPTv6 rule:
    curl -6 'http://[2600:1900:4000:5db5:8000:1:5eae:0]:80/?[1-3]'
  4. On the VM-Series, go to Monitor → Logs → Traffic and enter the filter below to find the inbound sessions:
    ( zone.src eq 'untrust' ) and ( zone.dst eq 'trust' ) and ( app eq 'web-browsing' )
    VM-Series monitors and translates the inbound traffic for IPv4 and IPv6
    The traffic log shows the VM-Series firewall inspecting and translating both the IPv4 and IPv6 sessions to internal-vm.

Destroy Deployment

  1. Delete the cloud resources created in GCP. The order matters: instances and load balancer components first, then routes, firewall rules, and subnets, and finally the VPC networks. The instance group is zonal, so it is deleted with --zone:
    gcloud config set project PROJECT_ID
    gcloud config set compute/region REGION
    gcloud config set compute/zone ZONE
    export PREFIX=panw
    gcloud compute instances delete $PREFIX-internal-vm --quiet
    gcloud compute instances delete $PREFIX-external-vm --quiet
    gcloud compute networks subnets delete $PREFIX-external-subnet --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-external --quiet
    gcloud compute networks delete $PREFIX-external-vpc --quiet
    gcloud compute forwarding-rules delete $PREFIX-vmseries-extlb-ipv4 --quiet \
      --region=$(gcloud config get-value compute/region)
    gcloud compute forwarding-rules delete $PREFIX-vmseries-extlb-ipv6 --quiet \
      --region=$(gcloud config get-value compute/region)
    gcloud compute backend-services delete $PREFIX-vmseries-extlb --quiet \
      --region=$(gcloud config get-value compute/region)
    gcloud compute health-checks delete $PREFIX-vmseries-hc --quiet \
      --region=$(gcloud config get-value compute/region)
    gcloud compute instance-groups managed delete $PREFIX-vmseries-mig --quiet \
      --zone=$(gcloud config get-value compute/zone)
    gcloud compute instance-templates delete $PREFIX-vmseries-template --quiet
    gcloud compute routes delete ipv4-default ipv6-default --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-trust-ipv6 --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-trust --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-untrust-ipv6 --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-untrust --quiet
    gcloud compute firewall-rules delete $PREFIX-ingress-mgmt --quiet
    gcloud compute networks subnets delete $PREFIX-trust-subnet --quiet
    gcloud compute networks subnets delete $PREFIX-untrust-subnet-lb --quiet
    gcloud compute networks subnets delete $PREFIX-untrust-subnet --quiet
    gcloud compute networks subnets delete $PREFIX-mgmt-subnet --quiet
    gcloud compute networks delete $PREFIX-trust-vpc --quiet
    gcloud compute networks delete $PREFIX-untrust-vpc --quiet
    gcloud compute networks delete $PREFIX-mgmt-vpc --quiet