IPv6 Support

for Private App Access

External GlobalProtect mobile users connect to the Prisma Access network using an IPv4 VPN tunnel, and you configure internal IPv6 addressing in Prisma Access to allow the users to access private apps behind an IPv6 network.
Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4 IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for examples.

Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations.
You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
For static routes, specify an IPv6 address for the subnets used for the static routes.
For BGP routes, specify an IPv6
Peer Address
and
Local Address
.
You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
For remote networks, you can add IPv6 addresses for DNS servers.

Clean Pipe deployments
Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)

Private App Access Over IPv6 Examples

The following figures provide examples of how you can access private apps using Prisma Access.

The following figure shows a mobile user accessing a private app at a branch location. The branch is connected to Prisma Access by a remote network connection. If your network uses IPv6, you can configure the Mobile User IP address pool (for mobile users), Infrastructure Subnet (for service connections), and static or BGP routing (for the remote network connections) to use IPv6 addressing to access the app.

The following figure shows a mobile user accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Mobile User IP address pool (for mobile users) and Infrastructure Subnet (for service connections) to use IPv6 addressing to access the app.

The following figure shows an internal GlobalProtect user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Infrastructure Subnet (for service connections) and static or BGP routing (for the service connections and remote network connections) to use IPv6 addressing to access the app.

The following figure shows a user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at another branch location connected by a remote network connection. You can configure IPv6 addressing for static or BGP routing for the remote network connections to access the app.

The following figure shows a user at a branch location with IPv6 addressing accessing an external app. In this case, IPv4 routing is required to access the external app, regardless of your Prisma Access IPv6 configuration.

The same IPv4 requirement applies for external GlobalProtect users who access a public app.