NPTv6 Overview
Table of Contents
Expand all | Collapse all
-
- Tap Interfaces
-
- Layer 2 and Layer 3 Packets over a Virtual Wire
- Port Speeds of Virtual Wire Interfaces
- LLDP over a Virtual Wire
- Aggregated Interfaces for a Virtual Wire
- Virtual Wire Support of High Availability
- Zone Protection for a Virtual Wire Interface
- VLAN-Tagged Traffic
- Virtual Wire Subinterfaces
- Configure Virtual Wires
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
-
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
-
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
-
- Translate Internal Client IP Addresses to Your Public IP Address (Source DIPP NAT)
- Enable Clients on the Internal Network to Access your Public Servers (Destination U-Turn NAT)
- Enable Bi-Directional Address Translation for Your Public-Facing Servers (Static Source NAT)
- Configure Destination NAT with DNS Rewrite
- Configure Destination NAT Using Dynamic IP Addresses
- Modify the Oversubscription Rate for DIPP NAT
- Reserve Dynamic IP NAT Addresses
- Disable NAT for a Specific Host or Interface
-
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
-
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
NPTv6 Overview
This section describes IPv6-to-IPv6 Network Prefix Translation (NPTv6)
and how to configure it. NPTv6 is defined in RFC 6296. Palo Alto Networks
®
does
not implement all functionality defined in the RFC, but is compliant
with the RFC in the functionality it has implemented.NPTv6 performs stateless translation of one IPv6 prefix to another
IPv6 prefix. It is stateless, meaning that it does not keep track
of ports or sessions on the addresses translated. NPTv6 differs
from NAT66, which is stateful. Palo Alto Networks supports NPTv6 RFC 6296 prefix translation; it
does not support NAT66.
With the limited addresses in the IPv4 space, NAT was required
to translate private, non-routable IPv4 addresses to one or more
globally-routable IPv4 addresses. For organizations using IPv6 addressing,
there is no need to translate IPv6 addresses to IPv6 addresses due
to the abundance of IPv6 addresses. However, there are Reasons to Use NPTv6 to translate
IPv6 prefixes at the firewall.
It is important to understand that NPTv6 does not provide
security. It general, stateless network address translation does
not provide any security; it provides an address translation function.
NPTv6 does not hide or translate port numbers. You must set up firewall
security policies correctly in each direction to ensure that traffic
is controlled as you intended.
NPTv6 translates the prefix portion of an IPv6 address but not
the host portion or the application port numbers. The host portion
is simply copied, and therefore remains the same on either side
of the firewall. The host portion also remains visible within the
packet header.
NPTv6 is supported on the following firewall models (NPTv6 with
hardware lookup but packets go through the CPU):
- PA-7000 Series firewalls
- PA-5200 Series firewalls
- PA-3200 Series firewalls
- PA-800 firewall
- PA-220 firewall
VM-Series firewalls support NPTv6, but with no ability to have
hardware perform a session lookup.