Support for IPv6-Only GlobalProtect Deployments

You can now configure GlobalProtect gateways to assign only IPv6 addresses to connecting endpoints.
Software Support: Starting with PAN-OS® 9.0
You can now configure GlobalProtect gateways with IP pools that use only IPv6 addresses. With this enhancement, GlobalProtect can support remote access deployments with end-to-end IPv6-only infrastructures. In PAN-OS 8.1 and earlier releases, you are required to configure IP pools with both IPv4 and IPv6 subnets or address ranges in order to assign IPv6 addresses to connecting endpoints.
  1. Enable tunneling.
    1. From your gateway configuration (Network > GlobalProtect > Gateways > <gateway-config>), select Agent > Tunnel Settings to enable Tunnel Mode.
  2. Configure an IPv6-only IP pool.
    Use one of the following options to configure an IPv6-only IP pool at either the client level or the gateway level:
    You can configure an IP pool at only the client level (Network > GlobalProtect > Gateways > <gateway-config> > GlobalProtect Gateway Configuration > Agent > Client Settings > <client-setting> > Configs > IP Pools) or only the gateway level (Network > GlobalProtect > Gateways > <gateway-config> > GlobalProtect Gateway Configuration > Agent > Client IP Pool).
    • To assign only IPv6 addresses to connecting endpoints with a specific client settings configuration, configure a client level IPv6-only IP pool:
      1. From your gateway configuration (Network > GlobalProtect > Gateways > <gateway-config>), select Agent > Client Settings.
      2. Select an existing client settings configuration or Add a new one.
      3. Select IP Pools.
      4. In the IP Pool area, Add an IPv6 subnet or address range. To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to existing IP pools on the gateway (if applicable) and to the endpoints that are physically connected to your LAN.
      5. Click OK to save your client settings configuration.
    • To assign only IPv6 addresses to all endpoints that connect to the gateway, configure a global IPv6-only IP pool:
      1. From your gateway configuration (Network > GlobalProtect > Gateways > <gateway-config>), select Agent > Client IP Pool.
      2. In the IP Pool area, Add an IPv6 subnet or address range. To ensure proper routing back to the gateway, you must use a different range of IP addresses from those assigned to the endpoints that are physically connected to your LAN.
  3. Save your gateway configuration.
    1. Click OK.
    2. Commit the changes.
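
The requirement in step 2 that a new pool must not share addresses with existing gateway pools or LAN segments can be checked before you commit. The script below is an added example, not Palo Alto Networks code: the function names and the IN_USE inventory are constructed for illustration, and the addresses come from the 2001:db8::/32 documentation prefix. It accepts both forms the IP Pool field takes (a subnet or an address range) and also rejects a candidate that is not IPv6.

```python
import ipaddress

# Constructed inventory of ranges already in use (label -> subnet or range).
IN_USE = {
    "gateway pool": "2001:db8:10::/64",
    "LAN segment": "2001:db8:20::/64",
    "legacy IPv4 pool": "10.10.0.0/24",
}

def parse_pool(entry):
    """Return the networks covered by a subnet ("2001:db8:a::/64")
    or an address range ("2001:db8:a::10-2001:db8:a::ff")."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"invalid range: {entry}")
        # A range is rarely one CIDR block; expand it to the minimal set.
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=False)]

def check_ipv6_pool(candidate, in_use):
    """Return a list of problems. An empty list means the candidate is
    IPv6-only and disjoint from every range listed in `in_use`."""
    cand_nets = parse_pool(candidate)
    if any(net.version != 6 for net in cand_nets):
        return [f"{candidate} is not IPv6"]
    problems = []
    for label, entry in in_use.items():
        for used in parse_pool(entry):
            if used.version != 6:
                continue  # an IPv4 range cannot collide with an IPv6 pool
            if any(c.overlaps(used) for c in cand_nets):
                problems.append(f"{candidate} overlaps {label} ({entry})")
                break
    return problems

if __name__ == "__main__":
    for pool in ("2001:db8:30::/64",
                 "2001:db8:20::100-2001:db8:20::1ff",
                 "192.168.1.0/24"):
        issues = check_ipv6_pool(pool, IN_USE)
        print(pool, "->", issues or "ok")
```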
