The management interface can receive a dynamic IPv6 address assignment by using
either stateful DHCPv6 or SLAAC with stateless DHCPv6.
The management (MGT) interface on the NGFW now supports dynamic IPv6 address
assignment. Configuring the MGT interface for dynamic IPv6 address assignment
(rather than a static address) makes it easier to insert and manage the firewall in
an IPv6 network.
When you configure the MGT interface, you'll notice new IPv4 and IPv6 tabs to
separate the configurations.
You have two types of addressing to choose from: stateful or stateless. You make
this choice on the router for the network segment, where you set flags to indicate
that the MGT interface will be one of the following:
- A stateful DHCPv6 client, which receives its IPv6 address with prefix length and
other configuration information from a DHCPv6 server.
- An IPv6 stateless address autoconfiguration (SLAAC) client, which autogenerates
its IPv6 address. A stateless IPv6 address avoids a DHCPv6 server having to
store dynamic state information about clients; such avoidance is helpful in
environments with a large number of endpoints.
The firewall uses Neighbor Discovery Protocol (NDP) to send a Router Solicitation to
all routers on the link. The flags in the Router Advertisement (RA) that the sole
router (or preferred router) on the link sends to the firewall control whether the
firewall will use SLAAC or stateful DHCPv6 to get a dynamic address for the MGT
interface.
However, there is currently a known issue: when the Autonomous (A) flag is set in the
RA message, the firewall chooses both a DHCPv6 address and a SLAAC address. Ideally,
the firewall should choose only the SLAAC address and shouldn't send a DHCPv6 Solicit
message. As a result of this known issue, if there is a DHCPv6 server on the segment
and it can assign an IPv6 address, the firewall prefers DHCPv6 address assignment
over SLAAC.
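
To check what a router on the management segment is actually advertising, the following added example (not from the product documentation) parses a captured RA and reports which addressing mode its flags request, including the known issue above. The M and O flag positions come from RFC 4861; the function names, result labels and sample RA are constructed for illustration.

```python
import ipaddress
import struct

def parse_ra(msg: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (type 134); checksum is not verified."""
    if len(msg) < 16 or msg[0] != 134:
        raise ValueError("not a Router Advertisement")
    flags, lifetime = struct.unpack_from("!BH", msg, 5)  # flags byte, router lifetime
    ra = {"M": bool(flags & 0x80), "O": bool(flags & 0x40),
          "router_lifetime": lifetime, "prefixes": []}
    off = 16
    while off + 2 <= len(msg):
        otype, olen = msg[off], msg[off + 1] * 8   # option length is in 8-byte units
        if olen == 0 or off + olen > len(msg):
            raise ValueError("malformed option")
        if otype == 3 and olen == 32:              # Prefix Information option
            plen, pflags = msg[off + 2], msg[off + 3]
            prefix = ipaddress.IPv6Address(msg[off + 16:off + 32])
            ra["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                   "A": bool(pflags & 0x40)})
        off += olen
    return ra

def assess(ra: dict) -> list:
    """Return hypothetical finding labels for a MGT interface that receives this RA."""
    out = []
    if ra["M"]:
        out.append("stateful-dhcpv6")
    if any(p["A"] for p in ra["prefixes"]):
        out.append("slaac+stateless-dhcpv6" if ra["O"] else "slaac")
        # Known issue described on this page: with A set the firewall also sends
        # a DHCPv6 Solicit and prefers the DHCPv6 address if a server answers.
        out.append("known-issue: dhcpv6 preferred if a server answers")
    return out or ["no-dynamic-address"]

def sample_ra(ra_flags: int, prefix_flags: int) -> bytes:
    """Constructed RA advertising 2001:db8:1::/64 (documentation prefix)."""
    hdr = struct.pack("!BBHBBHII", 134, 0, 0, 64, ra_flags, 1800, 0, 0)
    pio = struct.pack("!BBBBIII", 3, 4, 64, prefix_flags, 86400, 14400, 0)
    return hdr + pio + ipaddress.IPv6Address("2001:db8:1::").packed

if __name__ == "__main__":
    for name, raw in (("O + A set", sample_ra(0x40, 0xC0)),
                      ("M set, A clear", sample_ra(0x80, 0x80))):
        print(name, "->", assess(parse_ra(raw)))
```
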
You specify either a static IPv6 default gateway address or request a dynamic IPv6
default gateway address, which the firewall learns from the RA that the router
sends. Even if you configure the MGT interface with a static IPv6 address, you now
have this same choice for configuring the default gateway.
Therefore, you have four possible options for configuring the MGT interface and its
default gateway:
- Static IPv6 address and static IPv6 default gateway address
- Static IPv6 address and dynamic IPv6 default gateway address
- Dynamic IPv6 address and static IPv6 default gateway address
- Dynamic IPv6 address and dynamic IPv6 default gateway address
Configuring the MGT interface as a DHCPv6 client involves requesting a Non-Temporary
or Temporary Address, deciding on the Rapid Commit option, and specifying the DHCPv6
Unique ID type.