IPv6 Traffic Handling for Prisma Access Agent on Linux
Understand how Prisma Access Agent on Linux selectively blocks tunnel-routed
IPv6 traffic to trigger IPv4 fallback when the tunnel lacks IPv6 support.
| Where Can I Use This? | What Do I Need? |
| Prisma Access (Managed by Strata Cloud Manager); Prisma Access (Managed by Panorama); NGFW (Managed by Panorama) | Check the prerequisites for the deployment you're using; Prisma Access Agent version 26.2.2 or later; Linux desktop devices |
Prisma® Access Agent on Linux prevents IPv6 connection timeouts when the VPN tunnel does
not support IPv6. Without this feature, applications attempting IPv6 connections through
the tunnel experience 20–30 second timeouts because IPv6 packets enter a tunnel that
cannot route them. The agent drops only the IPv6 connections that can't be routed
through the tunnel. Modern applications fall back to IPv4 automatically in
approximately 50–300 milliseconds.
This behavior differs from the
IPv6 sinkhole feature available on macOS and Windows. On
Linux, no gateway-side configuration is required. Direct-routed IPv6 traffic and all
IPv6 traffic when the tunnel is disconnected continue to work normally.
Traffic Routing Behavior
The following table summarizes how the agent routes different types of IPv6
traffic:
| Traffic Type | Routing Decision | Result |
| IPv6 to a tunnel-routed destination | Tunnel | Dropped — triggers IPv4 fallback |
| IPv6 to a direct-routed destination | Direct | Allowed via physical interface |
| IPv6 (any) when the tunnel is disconnected | N/A | Allowed — native IPv6 works normally |
| DNS to IPv4 DNS servers | Any | Works normally — both IPv4 and IPv6 results returned |
Limitations
Keep the following limitations in mind when using IPv6 traffic handling on Linux
endpoints:
- Forwarding profile rules for IPv6 destinations must use destination-based matching
  On Linux, the agent cannot identify the source application for IPv6
  connections. Forwarding profile rules that match IPv6 destinations must
  use destination-based criteria only. Application-based matching is not
  supported for IPv6 traffic on Linux.
- Legacy applications without automatic IPv4 fallback may experience delays
  Applications without automatic IPv4 fallback may wait 20–30 seconds before
  falling back to IPv4. Update the application to a version that supports
  automatic IPv4 fallback, or configure the application to use IPv4
  only.
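What automatic IPv4 fallback looks like inside a client, as an added example (not Palo Alto Networks code and not part of the agent): each address gets a bounded connection attempt, so an IPv6 attempt that never completes costs a fraction of a second instead of the 20–30 second wait described above. The function names, the 0.3 second per-attempt timeout, the simulated connector, and the documentation-range addresses are assumptions made for illustration.

```python
import socket

ATTEMPT_TIMEOUT = 0.3  # seconds per address (assumption, near the page's 50-300 ms range)

# Constructed resolver output for a hypothetical tunnel-routed host (documentation addresses).
SAMPLE_ADDRINFO = [
    (socket.AF_INET, socket.SOCK_STREAM, 6, "", ("192.0.2.10", 443)),
    (socket.AF_INET6, socket.SOCK_STREAM, 6, "", ("2001:db8::10", 443, 0, 0)),
]

def order_addresses(addrinfos):
    """Prefer IPv6, then IPv4, keeping resolver order within each family."""
    v6 = [a for a in addrinfos if a[0] == socket.AF_INET6]
    v4 = [a for a in addrinfos if a[0] == socket.AF_INET]
    return v6 + v4

def tcp_connect(family, sockaddr, timeout):
    """Real connector: return a connected socket or raise OSError."""
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(sockaddr)
    except OSError:
        sock.close()
        raise
    return sock

def simulated_tunnel_connect(family, sockaddr, timeout):
    """Constructed stand-in for a tunnel without IPv6: IPv6 never completes, IPv4 succeeds."""
    if family == socket.AF_INET6:
        # A real socket would block for `timeout` seconds before raising.
        raise TimeoutError(f"no reply within {timeout}s")
    return f"connected:{sockaddr[0]}"

def connect_with_fallback(addrinfos, connect=tcp_connect, timeout=ATTEMPT_TIMEOUT):
    """Try each address with a bounded timeout; return (conn, family, attempts)."""
    attempts = []
    for family, _type, _proto, _canon, sockaddr in order_addresses(addrinfos):
        try:
            conn = connect(family, sockaddr, timeout)
        except OSError as exc:  # timeouts and unreachable errors both fall through
            attempts.append((family.name, sockaddr[0], type(exc).__name__))
            continue
        attempts.append((family.name, sockaddr[0], "ok"))
        return conn, family, attempts
    raise OSError(f"all {len(attempts)} connection attempts failed")

if __name__ == "__main__":
    conn, family, attempts = connect_with_fallback(SAMPLE_ADDRINFO, simulated_tunnel_connect)
    print(family.name, attempts)
```

With the default `tcp_connect`, pass the list returned by `socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)` as `addrinfos`.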