Enable and Configure IPv6 Networking and IP Pools in Your Prisma
Learn how to enable and configure IPv6 networking and
IP pools in your Prisma Access infrastructure.
For any Prisma Access deployment, you need
to enable IPv6 globally and specify an IPv6 subnet in your Infrastructure
Subnet so that Prisma Access can establish an IPv6 network
infrastructure between your remote network locations, mobile users,
and service connections. To do so, complete the following steps.
and click the
gear icon to edit the Settings.
Enabling or disabling IPv6 results in a brief traffic interruption
(up to 120 seconds) while the dataplane prepares to accept or reject
IPv6 routes on the Prisma Access backbone. Palo Alto Networks recommends
that you commit this configuration change during a maintenance window
or during off-peak hours.
If you need
to delete IPv6, delete all configuration (including for mobile users,
remote network, and service connections as applicable) before deselecting
Palo Alto Networks recommends that you use private (not public)
IPv4 and IPv6 addresses.
Do not use IPv6 link-local addresses (fe80::/10).
Infrastructure BGP AS
want to use within the Prisma Access infrastructure.
If you want to use dynamic routing to enable Prisma Access
to dynamically discover routes to resources on your remote networks
and HQ/data center locations, specify the autonomous system (AS)
number. If you do not supply an AS number, the default AS number
65534 will be used.
If you have not yet completed the service setup configuration,
Add IPv6 IP address
pools for your Mobile Users—GlobalProtect deployment.
A Mobile Users—GlobalProtect deployment requires IP address pools.
Both IPv4 and IPv6 IP address pools are required to enable IPv6 functionality.
You apply IPv4 addresses at a regional or Worldwide
level; you apply IPv6 addresses at a Worldwide level. Specify
a minimum /80 subnet.
Prisma Access subdivides the Worldwide
IPv6 addresses using the following method:
Prisma Access assigns each location (gateway) a pool from a /112 subnet.
Because each GlobalProtect connection uses one IP address from the
pool, this allocation allows over 65,000 available IPv6 addresses
to be assigned to users’ endpoints per location.
If you experience
an auto-scale event (if a large number of users log in to a single
Prisma Access location), Prisma Access can add another location
with another /112 subnet.
When you enable a location to use IPv6, Prisma Access assigns
an IPv6 address pool to the region to which the location belongs,
and divides up the pool between the total number of regions that
have IPv6 enabled.
Do not use link-local addresses (fe80::/10) in an IP address pool.
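
The pool rules above (a /80 minimum, one /112 per location, no link-local addresses, private addressing recommended) can be checked before you commit. This is an added Python example, not Palo Alto Networks code; the function names, the sample prefix, reading "private" as fc00::/7, and the order in which /112 blocks are listed are assumptions.

```python
import ipaddress
from itertools import islice

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
# Assumption: "private" IPv6 is taken to mean unique local addresses.
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")
MAX_POOL_PREFIXLEN = 80   # "minimum /80 subnet", read as /80 or larger
LOCATION_PREFIXLEN = 112  # each location (gateway) draws from a /112


def check_ipv6_pool(cidr):
    """Return (errors, warnings, capacity) for a Worldwide IPv6 pool."""
    errors, warnings = [], []
    try:
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"], warnings, None
    if net.version != 6:
        return ["pool must be an IPv6 network"], warnings, None
    if net.overlaps(LINK_LOCAL):
        errors.append("overlaps link-local fe80::/10")
    if net.prefixlen > MAX_POOL_PREFIXLEN:
        errors.append(f"/{net.prefixlen} is smaller than the /80 minimum")
    if not net.subnet_of(UNIQUE_LOCAL):
        warnings.append("outside fc00::/7; private addresses are recommended")
    if errors:
        return errors, warnings, None
    capacity = {
        "location_subnets": 2 ** (LOCATION_PREFIXLEN - net.prefixlen),
        "addresses_per_location": 2 ** (128 - LOCATION_PREFIXLEN),
    }
    return errors, warnings, capacity


def first_location_subnets(cidr, count):
    """First `count` /112 blocks of the pool (listing order is illustrative)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return [str(s) for s in islice(net.subnets(new_prefix=LOCATION_PREFIXLEN), count)]


if __name__ == "__main__":
    sample = "fd12:3456:789a:1::/80"  # constructed sample pool
    print(check_ipv6_pool(sample))
    print(first_location_subnets(sample, 3))
```

Warnings cover the recommendation (private addressing) and errors cover the hard rules, so a public but otherwise valid pool still reports its capacity.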