IPv6 Support for Private App Access
Focus
Focus

IPv6 Support for Private App Access

Table of Contents

IPv6 Support for Private App Access

Configure IPv6 in Prisma Access to let mobile users access private apps behind IPv6 addresses.
If your organization uses IPv6 addressing for your internal resources, Prisma Access makes it possible for you to access internal (private) apps that are behind IPv6 addresses. You can access these apps either from a data center behind a service connection or from a branch office behind a remote network connection.
You cannot access external SaaS or public apps using IPv6; IPv4 networking is still required to access external apps.
Users access internal apps through GlobalProtect (for external GlobalProtect mobile users) or through a remote network IPSec tunnel (for internal GlobalProtect mobile users in a branch office accessing Prisma Access through a remote network connection). Either internal or external GlobalProtect mobile users can access private apps over IPv6.
  • External GlobalProtect mobile users connect to the Prisma Access network using an IPv4 VPN tunnel, and you configure internal IPv6 addressing in Prisma Access to allow the users to access private apps behind an IPv6 network.
  • Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4 IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for examples.
You configure IPv6 in the following Prisma Access network components:
  • Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
  • For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations.
    You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
  • For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
    • For static routes, specify an IPv6 address for the subnets used for the static routes.
    • For BGP routes, specify an IPv6 Peer Address and Local Address.
      You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
  • For remote networks, you can add IPv6 addresses for DNS servers.
The following deployments do not support IPv6 addressing:
  • Clean Pipe deployments
  • Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)