IPv6 Support for Prisma Access Agent
Configure Prisma Access Agent to steer IPv4 and IPv6 traffic using forwarding
profiles with support for dual-stack network environments.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
- NGFW (Managed by Panorama)
What Do I Need?
- Check the prerequisites for the deployment you're using
- PAN-OS version 11.2.7-h10 or later
- Minimum Prisma Access Agent version: 26.1.1
- macOS 14 and later or Windows 10 version 2024 and later desktop devices
- Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
IPv6 support enables Prisma Access Agent to operate in dual-stack (IPv6 and IPv4)
networks. As enterprises transition to
IPv6 to address IPv4 address exhaustion and meet modern network requirements, the agent
provides the flexibility to maintain secure connectivity and consistent policy
enforcement across different network types.
Dual-Stack Network Support
The current release supports dual-stack network environments where both IPv4 and IPv6
protocols are supported. Your endpoints receive both address types from the network,
and the agent creates a virtual adapter that supports both protocols. The agent
evaluates forwarding profile rules against both IPv4 and IPv6 destinations to
determine how to route traffic.
You configure IPv6 support through Strata Cloud Manager or Panorama. The gateway
configuration requires an IPv6 address pool to enable IPv6 features. You define
traffic steering behavior through forwarding profile destination objects using IPv6
addresses in standard notation or IPv6 subnets in CIDR notation. These IPv6
destinations work alongside your existing IPv4 rules. You can also configure IPv6
DNS servers to support name resolution.
Traffic Steering and Connectivity
When you configure forwarding profile rules with IPv6 destinations, not all
connectivity methods are supported. However, you can steer the traffic with the
tunnel, direct, block, or bypass actions. An IPv4 subnet rule only matches IPv4 traffic and
an IPv6 subnet rule only matches IPv6 traffic. For applications that support both
protocols, use fully qualified domain names in your forwarding profile rules rather
than specific IP addresses.
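The family-specific matching described above can be audited before rollout. The following is an added example, not Palo Alto Networks code: a simplified model of rule evaluation that flags dual-stack applications whose IPv4 and IPv6 addresses receive different verdicts. The rule names, addresses, first-match ordering, and the default "direct" verdict are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rules: (name, destination, action). Names and addresses are hypothetical.
RULES = [
    ("crm-v4", "198.51.100.0/24", "tunnel"),
    ("crm-v6", "2001:db8:10::/48", "tunnel"),
    ("hr-v4-only", "203.0.113.0/24", "tunnel"),
    ("wiki-fqdn", "wiki.example.com", "tunnel"),
]
DEFAULT_ACTION = "direct"  # assumption: verdict when no rule matches

def _network(dest):  # ip_network for an IP/CIDR destination, None for an FQDN
    try:
        return ipaddress.ip_network(dest, strict=False)
    except ValueError:
        return None

def verdict(rules, fqdn, addr):
    # First-match evaluation is an assumption of this model.
    ip = ipaddress.ip_address(addr)
    for name, dest, action in rules:
        net = _network(dest)
        if net is None:
            if dest.lower() == fqdn.lower():
                return action, name  # FQDN rule: covers A and AAAA alike
        elif net.version == ip.version and ip in net:
            return action, name  # subnet rule: same address family only
    return DEFAULT_ACTION, None

def family_gaps(rules, apps):
    # Return dual-stack apps whose IPv4 and IPv6 addresses get different verdicts.
    gaps = {}
    for fqdn, addrs in apps.items():
        actions = {}
        for addr in addrs:
            fam = f"IPv{ipaddress.ip_address(addr).version}"
            actions.setdefault(fam, set()).add(verdict(rules, fqdn, addr)[0])
        if len(actions) == 2 and actions["IPv4"] != actions["IPv6"]:
            gaps[fqdn] = {fam: sorted(acts) for fam, acts in actions.items()}
    return gaps

APPS = {  # constructed dual-stack resolution results (A and AAAA records)
    "crm.example.com": ["198.51.100.20", "2001:db8:10::20"],
    "hr.example.com": ["203.0.113.7", "2001:db8:20::7"],
    "wiki.example.com": ["192.0.2.50", "2001:db8:30::50"],
}

if __name__ == "__main__":
    print(family_gaps(RULES, APPS))
```

In this sample only hr.example.com is reported: its IPv4 address matches the subnet rule, while its IPv6 address falls through to the default verdict.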
The agent supports creating tunnels over both IPv4 and IPv6 transport networks. The
agent receives IP addresses from both pools configured on the gateway when operating
in dual-stack mode.
Internal Host Detection helps the agent determine when users are in your corporate
office network and automatically suppress the tunnel. However, you can specify only
IPv4 addresses for the Internal Host Detection reverse DNS lookup at this time. The
agent performs reverse DNS queries for both address types and suppresses the tunnel
if either query returns a domain match.
Visibility and Compatibility
You can gain visibility into your deployment in the following ways:
- The Endpoint Manager inventory displays both IPv4 and IPv6 addresses assigned to managed endpoints. You can view and filter the inventory by private IPv6 addresses.
- The agent UI displays both address types when connected.
- The PACLI commands show IPv6 tunnel information and forwarding verdicts. The PAS.log and NetworkManager.log files contain IPv6-related information such as received IPv6 pools and assigned addresses.
Prisma Access Agent versions prior to 26.1.1 do not support IPv6 subnet rules in
forwarding profiles. You should maintain
IPv6 sinkhole configuration until all
agents upgrade to version 26.1.1 or later to prevent unintended IPv6 traffic
leakage.