Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

1. Select PanoramaCloud ServicesConfigurationService Setup and click the gear icon to edit the Settings.
2. On the General tab, select Enable IPv6.
   Enabling or disabling IPv6 results in a brief traffic interruption (up to 120 seconds) while the dataplane prepares to accept or reject IPv6 routes on the Prisma Access backbone. Palo Alto Networks recommends that you commit this configuration change during a maintenance window or during off-peak hours.

   If you need to delete IPv6, delete all configuration (including for mobile users, remote network, and service connections as applicable) before deselecting the Enable IPv6 check box.

3. Specify an IPv6 infrastructure subnet and an Infrastructure BGP AS.
   • Specify a minimum subnet of /96.
   • You must also enter an IPv4 subnet; Prisma Access requires IPv4 and IPv6 subnets in its network infrastructure to use IPv6. See Configure the Service Infrastructure for details.
   • Palo Alto Networks recommends that you use private (not public) IPv4 and IPv6 addresses.
   • Do not use IPv6 link local addresses (fe80::/10).

4. Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure.
   If you want to use dynamic routing to enable Prisma Access to dynamically discover routes to resources on your remote networks and HQ/data center locations, specify the autonomous system (AS) number. If you do not supply an AS number, the default AS number 65534 will be used.
5. If you have not yet completed the service setup configuration, enter the Internal Domain List, Strata Logging Service, and Advanced settings.
   See Configure the Service Infrastructure for details.
6. (Mobile User Deployments Only) Add IPv6 IP address pools for your Mobile Users—GlobalProtect deployment.
   A Mobile Users—GlobalProtect deployment requires IP address pools. Both IPv4 and IPv6 IP address pools are required to enable IPv6 functionality. You apply IPv4 addresses at a regional or Worldwide level; you apply IPv6 addresses at a Worldwide level. Specify a minimum /80 subnet.

   Prisma Access subdivides the Worldwide IPv6 addresses using the following method:

   • Prisma Access assigns each location (gateway) a pool from a /112 subnet. Because each GlobalProtect connection uses one IP address from the pool, this allocation allows over 65,000 available IPv6 addresses to be assigned to users’ endpoints per location.
     If you experience an auto-scale event (if a large number of users log in to a single Prisma Access location), Prisma Access can add another location with another /112 subnet.
   • When you enable a location to use IPv6, Prisma Access assigns an IPv6 address pool to the region to which the location belongs, and divides up the pool between the total number of regions that have IPv6 enabled.

   Do not use local-link addresses (fe80::/10) in an IP address pool.
   1. Select PanoramaCloud ServicesConfigurationMobile Users—GlobalProtect.
   2. In the Onboarding section, select the portal Hostname or select Configure.
   3. Select the IP Pools tab.
   4. Enter an IP Pool IPv6.
      • You must enter both IPv4 and IPv6 IP addresses for mobile users. Prisma Access requires IPv4 and IPv6 addresses to support its internal infrastructure when using IPv6. See IP Address Pools in a Mobile Users—GlobalProtect Deployment for more information about IPv4 IP address pools.
      • Enter a minimum IPv6 subnet of /80.
      • Prisma Access subdivides each subnet per region.

7. Commit and Push your changes.
8. Select PanoramaCloud ServicesStatusNetwork DetailsService Infrastructure and make a note of the following IPv6 addresses:
   • Captive Portal Redirect IP Addresses—Used with Authentication Portal-based User-ID address mapping
   • Tunnel Monitor IP Address—Used for Tunnel Monitoring

   Because GlobalProtect mobile users require an IPv4 address for the VPN tunnels, loopback addresses, whose IP addresses are taken from the Infrastructure Subnet, still use IPv4 addresses.