Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment
Focus
Focus
Prisma Access

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment

Table of Contents

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment

How to enable IPv6 networking for a Prisma Access Mobile Users—GlobalProtect deployment.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access license version 2.2 Preferred and later
  • Native IPv6 access to public and private apps requires the following minimum releases:
    • Prisma Access (Managed by Strata Cloud Manager): June 2024 release
    • Prisma Access (Managed by Panorama): Prisma Access 5.1.1 for new deployments only.
    Any other deployments (including existing Prisma Access (Managed by Panorama) deployments) support private app access only.
In addition to specifying mobile user IP address pools, you must configure IPv6 Availability for your Mobile Users—GlobalProtect deployments. If your network uses IPv6 DNS servers to resolve internal domains, you can also specify IPv6 addresses for primary and secondary DNS servers, as shown in the following section.

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment (Strata Cloud Manager)

In addition to specifying mobile user IP address pools, you must configure IPv6 Availability for your Mobile Users—GlobalProtect deployments. If your network uses IPv6 DNS servers to resolve internal domains, you can also specify IPv6 addresses for primary and secondary DNS servers, as shown in the following section.
  1. Plan if you want to deploy IPv6 across your entire Prisma Access deployment, or for only a certain number of compute locations.
  2. Configure IPv6 availability for the regions where you want to deploy IPv6.
    1. Select ManageService SetupGlobalProtect and select the gear icon to edit the Infrastructure Settings.
      If you're using Strata Cloud Manager, go to WorkflowsPrisma Access SetupGlobalProtect.
    2. In the IPv6 Settings section, choose the locations you want to Enable IPv6 for.
      All locations are associated to a compute location. If locations in a compute location do not have IPv6 enabled, leave that compute location deselected.
  3. (Optional) If your internal DNS servers use are reachable by IPv6 addresses, select Add Region from the Client DNS section, select the check box to Resolve Internal Domains, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server.
    If you enter IPv6 addresses for DNS servers, you must also have IPv6 addresses in your mobile user IP address pool.
    You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers. If you enter an IPv6 address for the primary DNS server and an IPv4 address for the secondary DNS server, and a DNS query is received from a compute location that does not have IPv6 Availability enabled, Prisma Access uses the secondary DNS server because it uses an IPv4 address.
    IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
  4. (Optional) If you haven't yet completed the mobile users configuration, complete it now. See Set Up GlobalProtect Mobile Users for details.
  5. Push Config to deploy your changes to you network.

Enable IPv6 Networking for Mobile Users—GlobalProtect Deployment (Panorama)

In addition to specifying mobile user IP address pools, you must configure IPv6 Availability for your Mobile Users—GlobalProtect deployments. If your network uses IPv6 DNS servers to resolve internal domains, you can also specify IPv6 addresses for primary and secondary DNS servers, as shown in the following section.
  1. Plan if you want to deploy IPv6 across your entire <ph keyref="pa"/> deployment, or for only a certain number of compute locations.
  2. Configure IPv6 availability for the regions where you want to deploy IPv6.
    1. In the IPv6 Availability tab, Enable IPv6 for the locations for which you want to enable IPv6.
      All locations are associated to a compute location. If locations in a compute location do not have IPv6 enabled, leave that compute location deselected.
  3. (Optional) If your internal DNS servers use are reachable by IPv6 addresses, click the Network Services tab, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server.
    If you enter IPv6 addresses for DNS servers, you must also have IPv6 addresses in your mobile user IP address pool.
    You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers. If you enter an IPv6 address for the primary DNS server and an IPv4 address for the secondary DNS server, and a DNS query is received from a compute location that does not have IPv6 Availability enabled, <ph keyref="pa"/> uses the secondary DNS server because it uses an IPv4 address.
    IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
  4. (Optional) If you have not yet completed the mobile users configuration, complete it now. See Set Up GlobalProtect Mobile Users for details.
  5. Commit and Push your changes.