>
    Enable IPv6 Networking for Remote Networks
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. IPv6 Support
    6. Enable IPv6 Networking for Remote Networks
    Download PDF
    Prisma Access

    Enable IPv6 Networking for Remote Networks

    Table of Contents

    Enable IPv6 Networking for Remote Networks

    Enable IPv6 networking in a Prisma Access remote network deployment.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license version 2.2 Preferred and later
    • Native IPv6 access to public and private apps requires the following minimum releases:
      • Prisma Access (Managed by Strata Cloud Manager): June 2024 release
      • Prisma Access (Managed by Panorama): Prisma Access 5.1.1 for new deployments only.
      Any other deployments (including existing Prisma Access (Managed by Panorama) deployments) support private app access only.
    For remote network connections, you can use IPv6 subnets for static routes. For BGP routing, you can enter IPv6 peer addresses and specify that BGP use IPv6 routing only or both IPv4 and IPv6 routing.
    To configure IPv6 networking for remote network connections, complete the following task.

    Enable IPv6 Networking for Remote Networks (Strata Cloud Manager)

    Enable IPv6 networking in a Prisma Access remote network deployment.
    1. Select WorkflowsPrisma Access SetupRemote Networksand Add Remote Networks.
    2. Enable IPv6.
    3. Add a new remote network connection or select an existing remote network connection to edit it.
    4. Set up IPv6 routing for your remote network.
      1. (Static Routing Deployments Only) Enter one or more Corporate Subnets in the Static Routes tab.
      2. (BGP Routing Deployments Only) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6 Peer Address and Local Address.
        • To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select Exchange both IPv4 and IPv6 routes over IPv4 peering.
        • To an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering.
        • To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select Exchange IPv6 routes over IPv6 peering.
      3. If your secondary WAN uses a different peer or local address, deselect Same as Primary WAN and enter the IPv6 Peer Address and Local Address for the secondary WAN.
    5. (Optional) If your internal DNS servers use are reachable by IPv6 addresses, select WorkflowsPrisma Access SetupRemote NetworksAdvanced Settings find DNS Proxy, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server.
      Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS requests for remote networks. You also need to select a Region.
      You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers.
      • IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
    6. If you have not yet completed the remote network connection setup, complete it now.
      IPv6 internet access for remote network connections is enabled by an underlay connection, in which IPv6 traffic is passed through an IPv4 tunnel.
    7. Push Config to deploy your changes to you network.

    Enable IPv6 Networking for Remote Networks (Panorama)

    Enable IPv6 networking in a Prisma Access remote network deployment.
    1. (Optional) Enter IPv6 addresses to your custom DNS server proxy configuration.
      1. Select PanoramaCloud ServicesConfigurationRemote Networks and edit the settings by clicking the gear icon in the Settings area.
      2. In the DNS Proxy area, enter IPv6 Custom DNS Server addresses for your DNS proxy settings.
    2. Select PanoramaCloud ServicesConfigurationRemote Networks.
    3. Add a new remote network connection or select an existing remote network connection to edit it.
    4. Enable IPv6.
    5. Set up IPv6 routing for your remote network.
      1. (Static Routing Deployments Only) Enter one or more Corporate Subnets in the Static Routes tab.
      2. (BGP Routing Deployments Only) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6 Peer Address and Local Address.
        • To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select Exchange both IPv4 and IPv6 routes over IPv4 peering.
        • To an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering.
        • To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select Exchange IPv6 routes over IPv6 peering.
      3. If your secondary WAN uses a different peer or local address, deselect Same as Primary WAN and enter the IPv6 Peer Address and Local Address for the secondary WAN.
    6. (Optional) If your internal DNS servers use are reachable by IPv6 addresses, select PanoramaCloud ServicesConfigurationRemote NetworkSettings, click the gear icon to edit the settings, select the DNS Proxy tab, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server.
      Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS requests for remote networks. You also need to select a Region.
      You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers.
      IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
    7. If you have not yet completed the remote network connection setup, complete it now.
    8. Commit and Push your changes.
    9. Select PanoramaCloud ServicesStatusNetwork DetailsRemote Networks and make a note of the EBGP Router addresses.
      After you commit your changes, you will have an IPv6 EBGP Router addresses for service connections.
      Because the IPSec tunnel used for the remote network connection uses IPv4 addressing, the Service IP Address stays as an IPv4 address.
      IPv6 internet access for remote network connections is enabled by an underlay connection, in which IPv6 traffic is passed through an IPv4 tunnel.

    © 2025 Palo Alto Networks, Inc. All rights reserved.