Create an NPTv6 Policy
10.1
Perform this task when you want to configure a NAT NPTv6 policy to translate one IPv6 prefix to another IPv6 prefix. The prerequisites for this task are:
- Enable IPv6. Select Device > Setup > Session, click Edit, and select IPv6 Firewalling.
- Configure a Layer 3 Ethernet interface with a valid IPv6 address and with IPv6 enabled. Select Network > Interfaces > Ethernet, select an interface, and on the IPv6 tab, select Enable IPv6 on the interface.
- Create network security policies, because NPTv6 does not provide security.
- Decide whether you want source translation, destination translation, or both.
- Identify the zones to which you want to apply the NPTv6 policy.
- Identify your original and translated IPv6 prefixes.

- Create a new NPTv6 policy.
  - Select Policies > NAT and click Add.
  - On the General tab, enter a descriptive Name for the NPTv6 policy rule.
  - (Optional) Enter a Description and Tag.
  - For NAT Type, select NPTv6.
- Specify the match criteria for incoming packets; packets that match all of the criteria are subject to the NPTv6 translation. Zones are required for both types of translation.
  - On the Original Packet tab, for Source Zone, leave Any or Add the source zone to which the policy applies.
  - Enter the Destination Zone to which the policy applies.
  - (Optional) Select a Destination Interface.
  - (Optional) Select a Service to restrict what type of packets are translated.
  - If you are doing source translation, enter a Source Address or select Any. The address can be an address object. The following constraints apply to Source Address and Destination Address:
    - Prefixes of Source Address and Destination Address for the Original Packet and Translated Packet must be in the format xxxx:xxxx::/yy, although leading zeros in the prefix can be dropped.
    - The IPv6 address cannot have an interface identifier (host) portion defined.
    - The range of supported prefix lengths is /32 to /64.
    - The Source Address and Destination Address cannot both be set to Any.
  - If you are doing source translation, you can optionally enter a Destination Address. If you are doing destination translation, the Destination Address is required. The destination address (an address object is allowed) must be a netmask, not just an IPv6 address and not a range. The prefix length must be a value from /32 to /64, inclusive, for example 2001:db8::/32.
- Specify the translated packet.
  - On the Translated Packet tab, if you want to do source translation, in the Source Address Translation section, for Translation Type, select Static IP. If you do not want to do source translation, select None.
  - If you chose Static IP, the Translated Address field appears. Enter the translated IPv6 prefix or address object. The constraints listed in the prior step apply. It is a best practice to configure your Translated Address to be the prefix of the untrust interface address of your firewall. For example, if your untrust interface has the address 2001:1a:1b:1::99/64, make your Translated Address 2001:1a:1b:1::0/64.
  - (Optional) Select Bi-directional if you want the firewall to create a corresponding NPTv6 translation in the opposite direction of the translation you configure. If you enable Bi-directional translation, it is very important to have Security policy rules in place to control the traffic in both directions. Without such policy rules, Bi-directional translation allows packets to be translated automatically in both directions, which you might not want.
  - If you want to do destination translation, select Destination Address Translation. In the Translated Address field, choose an address object or enter your internal destination address.
  - Click OK.
- Configure NDP Proxy. When you configure the firewall to act as an NDP Proxy for addresses, the firewall sends Neighbor Discovery (ND) advertisements and responds to ND solicitations from peers that are asking for the MAC addresses of IPv6 prefixes assigned to devices behind the firewall.
  - Select Network > Interfaces > Ethernet and select an interface.
  - On the Advanced > NDP Proxy tab, select Enable NDP Proxy and click Add.
  - Enter the IP Address(es) for which NDP Proxy is enabled. An entry can be an address, a range of addresses, or a prefix and prefix length. The order of IP addresses does not matter. Ideally these addresses are the same as the Translated Addresses that you configured in an NPTv6 policy. If the address is a subnet, the NDP Proxy responds to all addresses in the subnet, so you should list the neighbors in that subnet with Negate selected, as described in the next step.
  - (Optional) Enter one or more addresses for which you do not want NDP Proxy enabled, and select Negate. For example, from an IP address range or prefix range configured in the prior step, you could negate a smaller subset of addresses. It is recommended that you negate the addresses of the neighbors of the firewall.
- Commit the configuration. Click OK and Commit.
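The Original Packet address constraints and the Translated Address mapping above can be checked offline before you commit the rule. The following Python example is added here and is not PAN-OS code: it applies the Source/Destination Address constraints from the text (a prefix with no interface-identifier bits, /32 to /64, not both Any) and performs the RFC 6296 checksum-neutral prefix mapping on which NPTv6 is based, so you can see what a translated host address looks like and why a Bi-directional rule maps it back exactly. The outside prefix 2001:1a:1b:1::0/64 is the untrust-interface prefix from the text; the inside prefix fd00:1:2:3::/64 and the host fd00:1:2:3::a are constructed for the example. It goes beyond the /64 case in the text by also handling /32 to /48 prefixes, where the subnet-ID word rather than the interface identifier absorbs the checksum adjustment; it assumes both prefixes have the same length.

```python
import ipaddress
import struct

# Prefix-length range the NPTv6 rule accepts (constraint from the Original Packet step).
MIN_PREFIX_LEN, MAX_PREFIX_LEN = 32, 64

INSIDE_PREFIX = "fd00:1:2:3::/64"       # constructed inside (trust-side) prefix
INSIDE_HOST = "fd00:1:2:3::a"           # constructed host inside that prefix
OUTSIDE_PREFIX = "2001:1a:1b:1::0/64"   # Translated Address example from the text


def prefix_problem(text):
    """Return None if `text` satisfies the Source/Destination Address constraints,
    otherwise a short description of what is wrong."""
    try:
        # strict=True rejects any prefix whose interface-identifier bits are set,
        # so 2001:1a:1b:1::99/64 fails here while 2001:1a:1b:1::0/64 passes.
        net = ipaddress.IPv6Network(text, strict=True)
    except ValueError as exc:
        return f"{text}: not a prefix without host bits ({exc})"
    if "/" not in text:
        return f"{text}: a bare address or range is not a prefix"
    if not MIN_PREFIX_LEN <= net.prefixlen <= MAX_PREFIX_LEN:
        return f"{text}: prefix length /{net.prefixlen} is outside /32 to /64"
    return None


def original_packet_problem(source, destination):
    """Check the Original Packet address pair; None stands for Any."""
    if source is None and destination is None:
        return "Source Address and Destination Address cannot both be Any"
    for text in (source, destination):
        if text is not None and prefix_problem(text):
            return prefix_problem(text)
    return None


def _words(address):
    """The eight 16-bit words of an IPv6 address, most significant first."""
    return list(struct.unpack("!8H", ipaddress.IPv6Address(address).packed))


def _ones_complement_sum(words):
    """16-bit one's complement addition is arithmetic modulo 0xFFFF."""
    return sum(words) % 0xFFFF


def nptv6_map(address, inside_prefix, outside_prefix):
    """Rewrite `address` from inside_prefix to outside_prefix using the
    checksum-neutral mapping of RFC 6296 (equal prefix lengths assumed)."""
    inside = ipaddress.IPv6Network(inside_prefix, strict=True)
    outside = ipaddress.IPv6Network(outside_prefix, strict=True)
    if inside.prefixlen != outside.prefixlen:
        raise ValueError("this example handles equal prefix lengths only")
    plen = inside.prefixlen
    addr = ipaddress.IPv6Address(address)
    if addr not in inside:
        raise ValueError(f"{address} is not inside {inside}")

    words = _words(addr)
    in_words = _words(inside.network_address)
    out_words = _words(outside.network_address)

    # 1. Overwrite only the prefix bits; bits below the prefix stay as they are.
    for i in range(8):
        bits = min(16, max(0, plen - 16 * i))          # prefix bits in word i
        mask = ((1 << bits) - 1) << (16 - bits)
        words[i] = (words[i] & (0xFFFF ^ mask)) | (out_words[i] & mask)

    # 2. Put the one's complement sum back where it was, so TCP/UDP/ICMPv6
    #    checksums (which cover the address pseudo-header) remain valid. For
    #    /48 and shorter the subnet-ID word (bits 48-63) takes the adjustment;
    #    for longer prefixes it is the first IID word that is not 0xFFFF.
    if plen <= 48:
        idx = 3
    else:
        idx = next((i for i in range(4, 8) if words[i] != 0xFFFF), None)
        if idx is None:
            raise ValueError("no IID word available for the checksum adjustment")
    delta = _ones_complement_sum(in_words) - _ones_complement_sum(out_words)
    words[idx] = (words[idx] + delta) % 0xFFFF       # 0xFFFF and 0 sum the same
    return ipaddress.IPv6Address(struct.pack("!8H", *words))


def is_checksum_neutral(before, after):
    """True when both addresses contribute the same value to a transport checksum."""
    return _ones_complement_sum(_words(before)) == _ones_complement_sum(_words(after))


if __name__ == "__main__":
    print(original_packet_problem(None, None))
    print(prefix_problem("2001:1a:1b:1::99/64"))   # interface address, not a prefix
    outside_host = nptv6_map(INSIDE_HOST, INSIDE_PREFIX, OUTSIDE_PREFIX)
    print(INSIDE_HOST, "->", outside_host,
          "checksum neutral:", is_checksum_neutral(INSIDE_HOST, outside_host))
    # A Bi-directional rule is the same mapping with the two prefixes swapped.
    print(outside_host, "->", nptv6_map(outside_host, OUTSIDE_PREFIX, INSIDE_PREFIX))
```

The adjustment word (the first word of the interface identifier for a /64 rule) is what makes the translated address differ from a plain prefix swap; the reverse mapping removes it again, which is why a Bi-directional rule returns exactly the original inside address. The same prefix_problem check explains why the interface address 2001:1a:1b:1::99/64 from the text is not itself a valid Translated Address, while its prefix 2001:1a:1b:1::0/64 is.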