When you configure a policy for NPTv6, the Palo Alto
firewall performs a static, one-to-one IPv6
translation in both directions. The translation is based on the
algorithm described in RFC 6296.
In one use case, the firewall performing NPTv6 is located between
an internal network and an external network (such as the Internet)
that uses globally routable prefixes. When datagrams are going in
the outbound direction, the internal source prefix is replaced with
the external prefix; this is known as source translation.
In another use case, when datagrams are going in the inbound
direction, the destination prefix is replaced with the internal
prefix (known as destination translation). The figure below illustrates
destination translation and a characteristic of NPTv6: only the
prefix portion of an IPv6 address is translated. The host portion
of the address is not translated and remains the same on either
side of the firewall. In the figure below, the host identifier is
111::55 on both sides of the firewall.
It is important to understand that NPTv6 does not provide security.
While you are planning your NPTv6 NAT policies, remember also to
configure security policies in each direction.
A NAT or NPTv6 policy rule cannot have both the Source Address
and the Translated Address set to Any.
In an environment where you want IPv6 prefix translation, three
firewall features work together: NPTv6 NAT policies, security policies,
The firewall does not translate the following:
Addresses that the firewall has in its Neighbor Discovery
The subnet 0xFFFF (in accordance with RFC 6296, Appendix B).
IP multicast addresses.
IPv6 addresses with a prefix length of /31 or shorter.
Link-local addresses. If the firewall is operating in virtual
wire mode, there are no IP addresses to translate, and the firewall
does not translate link-local addresses.
Addresses for TCP sessions that authenticate peers using
the TCP Authentication Option (RFC 5925).
When using NPTv6, performance for fast path traffic is impacted
because NPTv6 is performed in the slow path.
NPTv6 will work with IPSec IPv6 only if the firewall is originating
and terminating the tunnel. Transit IPSec traffic would fail because
the source and/or destination IPv6 address would be modified. A
NAT traversal technique that encapsulates the packet would allow
IPSec IPv6 to work with NPTv6.