If your organization uses IPv6 addressing for your internal
resources, Prisma Access makes it possible for you to access internal
(private) apps that are behind IPv6 addresses. You can access these
apps either from a data center behind a service connection or from
a branch office behind a remote network connection.
You cannot access external SaaS or public apps using IPv6; IPv4 networking
is still required to access external apps.
Users access internal apps through GlobalProtect (for external GlobalProtect
mobile users) or through a remote network IPSec tunnel (for internal
GlobalProtect mobile users in a branch office accessing Prisma Access
through a remote network connection). Either internal or external
GlobalProtect mobile users can access private apps over IPv6.
External GlobalProtect mobile users connect to the Prisma
Access network using an IPv4 VPN tunnel, and you configure internal
IPv6 addressing in Prisma Access to allow the users to access private
apps behind an IPv6 network.
Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4
IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so
that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for
examples.
You configure IPv6 in the following Prisma Access network components:
- Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to
  establish an IPv6 network infrastructure to enable communication
  between your remote networks (branch locations), mobile users, and
  service connections (data center or headquarters locations).
- For a Mobile Users—GlobalProtect deployment, specify whether
  or not IPv6 networking should be utilized for the compute locations that
  are associated with your mobile user locations.
  You can specify IPv6 mobile user IP address pools and
  IPv6 DNS server addresses as required.
- For service connections and remote network connections, you
  can specify IPv6 addressing for the type of routing the connection
  uses (either static or BGP routes).
  - For static routes, specify an IPv6 address for the subnets used
    for the static routes.
  - For BGP routes, specify an IPv6 Peer Address and Local Address.
    You can also specify the transport method used to exchange BGP peering
    information. You can specify to use IPv4 to exchange all BGP peering
    information (including IPv4 and IPv6), use IPv6 to exchange all
    BGP peering information, or use IPv4 to exchange IPv4 BGP peering
    information and IPv6 to exchange IPv6 BGP peering information.
- For remote networks, you can add IPv6 addresses for DNS servers.
The following deployments do not support IPv6 addressing:
- Clean Pipe deployments
- Traffic Steering (using traffic steering rules to redirect internet-bound
  traffic using a service connection)
Private App Access Over IPv6 Examples
The following figures provide examples of how you can access private apps using
Prisma Access.
The following figure shows a mobile user accessing a private app at a branch
location. The branch is connected to Prisma Access by a remote network connection.
If your network uses IPv6, you can configure the Mobile User IP address pool (for
mobile users), Infrastructure Subnet (for service connections), and static or BGP
routing (for the remote network connections) to use IPv6 addressing to access the
app.
The following figure shows a mobile user accessing a private app that is hosted at a
data center connected to Prisma Access by a service connection. You can configure
the Mobile User IP address pool (for mobile users) and Infrastructure Subnet (for
service connections) to use IPv6 addressing to access the app.
The following figure shows an internal GlobalProtect user at a branch location
connected to Prisma Access by a remote network accessing a private app that is
hosted at a data center connected to Prisma Access by a service connection. You can
configure the Infrastructure Subnet (for service connections) and static or BGP
routing (for the service connections and remote network connections) to use IPv6
addressing to access the app.
The following figure shows a user at a branch location connected to Prisma Access by
a remote network accessing a private app that is hosted at another branch location
connected by a remote network connection. You can configure IPv6 addressing for
static or BGP routing for the remote network connections to access the app.
The following figure shows a user at a branch location with IPv6 addressing accessing
an external app. In this case, IPv4 routing is required to access the external app,
regardless of your Prisma Access IPv6 configuration.
The same IPv4 requirement applies for external GlobalProtect users who access a
public app.