>
    Strata Copilot
    Create an NPTv6 Policy
    Focus
    Download PDF
    Focus
    1. Home
    2. Next-Generation Firewall
    3. NPTv6
    4. Create an NPTv6 Policy
    Download PDF
    Next-Generation Firewall

    Create an NPTv6 Policy

    Table of Contents

    Create an NPTv6 Policy

    Create an NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix.
    Where Can I Use This?What Do I Need?
    • NGFW
    One of these licenses for Strata Cloud Manager managed NGFWs:
    • Strata Cloud Manager Essentials
    • Strata Cloud Manager Pro
    Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
    • Enable IPv6. Select DeviceSetupSession. Click Edit and select IPv6 Firewalling.
    • Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select NetworkInterfacesEthernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
    • Create network security policy rules, because NPTv6 does not provide security.
    • Decide whether you want source translation, destination translation, or both.
    • Identify the zones to which you want to apply the NPTv6 policy.
    • Identify your original and translated IPv6 prefixes.
    In PAN-OS 11.1.5 and later releases, NPTv6 supports source translation for an interface that has a dynamically assigned IPv6 address prefix (assigned by DHCPv6, PPPoEv6, or a cellular/5G interface). Possible use cases are:
    • When the ISP does not provide prefix delegation (which is often the case for cellular/5G), NPTv6 is required. (If the ISP provides prefix delegation, the LAN segment automatically provisions the IPv6 network and NPTv6 isn't necessary.)
    • When you don't want to expose your internal network, use NPTv6 to keep it hidden.
    • When you have redundant connectivity to multiple ISPs, this resulting, for example, in one connection using PPPoEv6 with a /56 prefix and another connection using DHCPv6 with a /61 prefix. One ISP will block your traffic if you source your address from another ISP. The solution is to use NPTv6 to hide the network.
    1. Create a new NPTv6 policy.
      1. Select PoliciesNAT and click Add.
      2. On the General tab, enter a descriptive Name for the NPTv6 policy rule.
      3. (Optional) Enter a Description and Tag.
      4. For NAT Type, select NPTv6.
    2. Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation.
      Zones are required for both types of translation.
      1. On the Original Packet tab, for Source Zone, leave Any or Add the source zone to which the policy applies.
      2. Enter the Destination Zone to which the policy applies.
      3. (Optional) Select a Destination Interface.
        (PAN-OS 11.1.5 and later releases) You can select an interface that has a dynamically assigned IPv6 address prefix (assigned by DHCPv6, PPPoEv6, or a cellular/5G interface).
      4. (Optional) Select a Service to restrict what type of packets are translated.
      5. If you're doing source translation, enter a Source Address or select Any. The address could be an address object. The following constraints apply to Source Address and Destination Address:
        • Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
        • The IPv6 address can't have an interface identifier (host) portion defined.
        • The range of supported prefix lengths is /32 to /112.
        • The Source Address and Destination Address can't both be set to Any.
      6. If you're doing source translation, you can optionally enter a Destination Address. If you're doing destination translation, the Destination Address is required. The destination address (an address object is allowed) must be a netmask, not just an IPv6 address, and not a range. The prefix length must be a value from /32 to /112, inclusive. For example, 2001:db8::/32.
    3. Specify the translated packet.
      1. On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you don't want to do source translation, select None.
        (PAN-OS 11.1.5 and later releases) For source translation for an interface that has a dynamically assigned IPv6 address (assigned by DHCPv6, PPPoEv6, or a cellular/5G interface), select Dynamic IP.
      2. If you chose Static IP, the Translated Address field appears. Enter the translated IPv6 prefix or address object. See the constraints listed in the prior step.
        It's a best practice to configure your Translated Address to be the prefix of the untrust interface address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64, make your Translated Address 2001:1a:1b:1::0/64.
      3. (PAN-OS 11.1.5 and later releases) If you chose Dynamic IP, select the Ethernet interface or cellular interface that has the dynamically assigned IPv6 prefix you want to translate. The IPv6 address of the interface must have a prefix length between /32 and /64, inclusive. (Only interfaces that have a dynamically assigned IPv6 prefix appear in the dropdown.)
      4. (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure.
        If you enable Bi-directional translation, it's important to make sure you have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be automatically translated in both directions, which you might not want.
      5. If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object or enter your internal destination address.
      6. Click OK.
    4. Configure NDP Proxy.
      When you configure the firewall to act as an NDP Proxy for addresses, it allows the firewall to send Neighbor Discovery (ND) advertisements and respond to ND solicitations from peers that are asking for MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
      1. Select NetworkInterfacesEthernet and select an interface.
      2. On the AdvancedNDP Proxy tab, select Enable NDP Proxy and click Add.
      3. Enter the IP Address(es) for which NDP Proxy is enabled. It can be an address, a range of addresses, or a prefix and prefix length. The order of IP addresses does not matter. These addresses are ideally the same as the Translated Addresses that you configured in an NPTv6 policy.
        If the address is a subnet, the NDP Proxy will respond to all addresses in the subnet, so you should list the neighbors in that subnet with Negate selected, as described in the next step.
      4. (Optional) Enter one or more IPv6 addresses for which you don't want NDP Proxy enabled, and select Negate. For example, from an IP address range or prefix range configured in the prior step, you could negate a smaller subset of addresses. It's recommended that you negate the addresses of the neighbors of the firewall.
    5. Commit the configuration.
      Click OK and Commit.

    © 2026 Palo Alto Networks, Inc. All rights reserved.