>
    Strata Copilot
    Native IPv6 Support for Prisma Access Service Connections
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Advanced Deployments
    5. IPv6 Support
    6. Native IPv6 Support for Prisma Access Service Connections
    Download PDF
    Prisma Access

    Native IPv6 Support for Prisma Access Service Connections

    Table of Contents

    Native IPv6 Support for Prisma Access Service Connections

    IPv6 support for Prisma® Access service connections to provide end-to-end IPv6 WAN connectivity for your remote networks.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Panorama Managed)
    • Prisma Access license
    • Prisma Access 6.2
    Native IPv6 support for Prisma Access service connections extends your WAN connectivity, enabling end-to-end IPv6 communication between your on-premises networks and Prisma Access. This feature allows your organization to deploy IPv6-only environments and meet compliance requirements without requiring IPv4-to-IPv6 transformations for your IPv6 traffic.
    Your service connections transform into dual-stack entities, processing both IPv4 and IPv6 traffic. Customer premises edge devices establish secure IPsec tunnels with these SCs using IKE gateways configured for IPv6. A public IPv6 address is assigned to the SC's ethernet1/1 interface, while the infrastructure IPv6 address resides on the loopback.1 interface.
    Between your SCs and CE devices, dedicated IPv6 IPsec tunnels carry both IPv6 and IPv4 data traffic. Within the Prisma Access core, both traffic types traverse IPv4 IPsec tunnels using IPv6-over-IPv4 routing. Routing information is exchanged through dual BGP sessions between your SCs and CE devices: one IPv6 EBGP and one IPv4 EBGP session. Inside the Prisma Access core, a single IPv4 BGP session manages both IPv4 and IPv6 routes through IPv6-over-IPv4 routing.
    The underlying routing infrastructure manages route distribution and forwarding for both IPv4 and IPv6 traffic. IPv6 tunnel monitoring ensures the health and availability of your IPv6 IPsec tunnels, automatically withdrawing static routes upon tunnel failure. Existing Prisma Access deployments can migrate to support native IPv6 by transitioning your virtual private cloud (VPC) infrastructure, Prisma Access instances, and data plane to dual-stack operation.

    Configure Native IPv6 Support for Prisma Access Service Connections

    Use this procedure to enable native IPv6 support for Prisma Access service connections, allowing end-to-end IPv6 WAN connectivity to your remote networks.
    1. Navigate to PanoramaCloud ServicesConfigurationService SetupSettings.
    2. Select the Settings gear.
    3. Enable IPv6 to activate IPv6 capabilities across your Prisma Access deployment.
    4. Configure the IPv6 address with a subnet.
    5. Click Enable IPv6 WAN, and select OK.

    Configure the IKE Profile

    1. Navigate to Network ProfilesIKE Gateway
    2. Add a new or modify an existing IKE gateway.
    3. Select the IPv6 Address Type and click OK.

    Configure an IPsec Tunnel

    1. Navigate to IPsec Tunnels.
    2. Add a new or modify an existing IPsec tunnel.
    3. Select the IPv6 Address Type.
    4. Ensure Tunnel Monitor is enabled and the Destination IP is an IPv6 address.

    © 2026 Palo Alto Networks, Inc. All rights reserved.