IPv6 Support for Private App Access
Configure IPv6 in Prisma Access to let mobile users access
private apps behind IPv6 addresses.
If your organization uses IPv6 networking,
you can configure Prisma Access to allow mobile users to access
private apps that use IPv6 addressing. Learn how it works and how
to configure it in the following sections:
Private App Access Using IPv6 Addressing
If your organization uses IPv6 addressing
for your internal resources, Prisma Access makes it possible for
you to access internal (private) apps that are behind IPv6 addresses.
You can access these apps either from a data center behind a service
connection or from a branch office behind a remote network connection.
You cannot access external SaaS or public apps using IPv6; IPv4 networking
is still required to access external apps.
Users access internal apps through GlobalProtect (for external GlobalProtect mobile
users) or through a remote network IPSec tunnel (for internal GlobalProtect mobile
users in a branch office accessing Prisma Access through a remote
network connection). Either internal or external GlobalProtect mobile
users can access private apps over IPv6.
- External GlobalProtect mobile users connect to the Prisma Access network using an IPv4 VPN tunnel, and you configure internal IPv6 addressing in Prisma Access to allow the users to access private apps behind an IPv6 network.
- Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4 IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for examples.
You configure IPv6 in the following Prisma Access network components:
- Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
- For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations. You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
- For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
- For static routes, specify an IPv6 address for the subnets used for the static routes.
- For BGP routes, specify an IPv6 Peer Address and Local Address. You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
- For remote networks, you can add IPv6 addresses for DNS servers.
The following deployments do not support IPv6 addressing:
- Clean Pipe deployments
- Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)
Private App Access Over IPv6 Examples
The following figures provide examples of
how you can access private apps using Prisma Access.
The following figure shows a mobile user accessing a private app at
a branch location. The branch is connected to Prisma Access by a
remote network connection. If your network uses IPv6, you can configure
the Mobile User IP address pool (for mobile users), Infrastructure
Subnet (for service connections), and static or BGP routing (for
the remote network connections) to use IPv6 addressing to access
the app.
The following figure shows a mobile user accessing a private app that
is hosted at a data center connected to Prisma Access by a service
connection. You can configure the Mobile User IP address pool (for
mobile users) and Infrastructure Subnet (for service connections)
to use IPv6 addressing to access the app.
The following figure shows an internal GlobalProtect user at a branch
location connected to Prisma Access by a remote network accessing
a private app that is hosted at a data center connected to Prisma
Access by a service connection. You can configure the Infrastructure
Subnet (for service connections) and static or BGP routing (for
the service connections and remote network connections) to use IPv6 addressing
to access the app.
The following figure shows a user at a branch location connected to
Prisma Access by a remote network accessing a private app that is
hosted at another branch location connected by a remote network
connection. You can configure IPv6 addressing for static or BGP
routing for the remote network connections to access the app.
The following figure shows a user at a branch location with IPv6 addressing accessing
an external app. In this case, IPv4 routing is required to access
the external app, regardless of your Prisma Access IPv6 configuration.
The same IPv4 requirement applies for external GlobalProtect users who
access a public app.
Configure IPv6 for Your Prisma Access Deployment
To configure IPv6 for your Prisma Access deployment,
use the following sub-tasks:
Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure
For any Prisma Access deployment, you need
to enable IPv6 globally and specify an IPv6 subnet in your Infrastructure
Subnet so that Prisma Access can establish an IPv6 network
infrastructure between your remote network locations, mobile users,
and service connections. To do so, complete the following steps.
- Select Panorama > Cloud Services > Configuration > Service Setup and click the gear icon to edit the Settings.
- On the General tab, select Enable IPv6. Enabling or disabling IPv6 results in a brief traffic interruption (up to 120 seconds) while the dataplane prepares to accept or reject IPv6 routes on the Prisma Access backbone. Palo Alto Networks recommends that you commit this configuration change during a maintenance window or during off-peak hours. If you need to delete IPv6, delete all configuration (including for mobile users, remote network, and service connections as applicable) before deselecting the Enable IPv6 check box.
- Specify an IPv6 infrastructure subnet and an Infrastructure BGP AS.
- Specify a minimum subnet of /96.
- You must also enter an IPv4 subnet; Prisma Access requires IPv4 and IPv6 subnets in its network infrastructure to use IPv6. See Configure the Service Infrastructure for details.
- Palo Alto Networks recommends that you use private (not public) IPv4 and IPv6 addresses.
- Do not use IPv6 link local addresses (fe80::/10).
- Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If you want to use dynamic routing to enable Prisma Access to dynamically discover routes to resources on your remote networks and HQ/data center locations, specify the autonomous system (AS) number. If you do not supply an AS number, the default AS number 65534 will be used.
- If you have not yet completed the service setup configuration, enter the Internal Domain List, Strata Logging Service, and Advanced settings. See Configure the Service Infrastructure for details.
- (Mobile User Deployments Only) Add IPv6 IP address pools for your Mobile Users—GlobalProtect deployment. A Mobile Users—GlobalProtect deployment requires IP address pools. Both IPv4 and IPv6 IP address pools are required to enable IPv6 functionality. You apply IPv4 addresses at a regional or Worldwide level; you apply IPv6 addresses at a Worldwide level. Specify a minimum /80 subnet. Prisma Access subdivides the Worldwide IPv6 addresses using the following method:
- Prisma Access assigns each location (gateway) a pool from a /112 subnet. Because each GlobalProtect connection uses one IP address from the pool, this allocation allows over 65,000 available IPv6 addresses to be assigned to users’ endpoints per location. If you experience an auto-scale event (if a large number of users log in to a single Prisma Access location), Prisma Access can add another location with another /112 subnet.
- When you enable a location to use IPv6, Prisma Access assigns an IPv6 address pool to the region to which the location belongs, and divides up the pool between the total number of regions that have IPv6 enabled.
Do not use link-local addresses (fe80::/10) in an IP address pool.
- Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect.
- In the Onboarding section, select the portal Hostname or select Configure.
- Select the IP Pools tab.
- Enter an IP Pool IPv6.
- You must enter both IPv4 and IPv6 IP addresses for mobile users. Prisma Access requires IPv4 and IPv6 addresses to support its internal infrastructure when using IPv6. See Specify IP Address Pools for Mobile Users for more information about IPv4 IP address pools.
- Enter a minimum IPv6 subnet of /80.
- Prisma Access subdivides each subnet per region.
- Commit and Push your changes.
- Select Panorama > Cloud Services > Status > Network Details > Service Infrastructure and make a note of the following IPv6 addresses:
- Captive Portal Redirect IP Addresses—Used with Authentication Portal-based User-ID address mapping
- Tunnel Monitor IP Address—Used for Tunnel Monitoring
Because GlobalProtect mobile users require an IPv4 address for the VPN tunnels, Loopback IPs, whose IP addresses are taken from the Infrastructure Subnet, still use IPv4 addresses.
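The subnet rules in the preceding steps (an infrastructure subnet of at least /96, a mobile user pool of at least /80, no fe80::/10 addresses, private addresses recommended, one /112 per location) can be checked before you commit. The following Python check is an added example, not Palo Alto Networks code; it assumes that "minimum /N" means a prefix length of N or shorter and that "private" IPv6 means unique local addresses (fc00::/7), and the sample subnets are constructed.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("fe80::/10")
ULA = ipaddress.ip_network("fc00::/7")  # assumption: "private" IPv6 = unique local
INFRA_MAX_PREFIXLEN = 96    # infrastructure subnet: minimum /96 (from the page)
POOL_MAX_PREFIXLEN = 80     # mobile user IP pool: minimum /80 (from the page)
LOCATION_PREFIXLEN = 112    # each location (gateway) draws from a /112


def check_ipv6_subnet(cidr, max_prefixlen):
    """Return findings for one proposed IPv6 subnet; an empty list means OK.

    Assumption: "minimum /N" means a prefix length of N or shorter.
    """
    try:
        net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits
    except ValueError as exc:
        return [f"error: {cidr}: not a valid network ({exc})"]
    if net.version != 6:
        return [f"error: {cidr}: not an IPv6 subnet"]
    findings = []
    if net.prefixlen > max_prefixlen:
        findings.append(f"error: {cidr}: smaller than the /{max_prefixlen} minimum")
    if net.overlaps(LINK_LOCAL):
        findings.append(f"error: {cidr}: overlaps link-local fe80::/10")
    elif not net.subnet_of(ULA):
        findings.append(f"warning: {cidr}: outside fc00::/7, private range recommended")
    return findings


def location_pool_capacity(cidr):
    """Return (number of /112 location pools, addresses per pool) for a pool."""
    net = ipaddress.ip_network(cidr)
    if net.prefixlen > LOCATION_PREFIXLEN:
        return 0, net.num_addresses
    return 2 ** (LOCATION_PREFIXLEN - net.prefixlen), 2 ** (128 - LOCATION_PREFIXLEN)


if __name__ == "__main__":
    # Constructed sample plan, not taken from any real deployment.
    plan = [
        ("infrastructure subnet", "fd00:10:20::/96", INFRA_MAX_PREFIXLEN),
        ("mobile user pool", "fd00:10:30::/80", POOL_MAX_PREFIXLEN),
        ("rejected pool", "fe80::/64", POOL_MAX_PREFIXLEN),
    ]
    for name, cidr, limit in plan:
        print(f"{name} {cidr}: {check_ipv6_subnet(cidr, limit) or 'ok'}")
    print(location_pool_capacity("fd00:10:30::/80"))
```

A /80 pool yields 2^32 possible /112 location pools of 65,536 addresses each, which matches the "over 65,000" figure given for a single location.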
Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment
In addition to configuring mobile user IP address
pools, you must configure IPv6 Availability for
your Mobile Users—GlobalProtect deployments. If your network uses
IPv6 DNS servers to resolve internal domains, you can also specify
IPv6 addresses for primary and secondary DNS servers, as shown in
the following section.
- Plan if you want to deploy IPv6 across your entire Prisma Access deployment, or for only a certain number of compute locations.
- Configure IPv6 availability for the regions where you want to deploy IPv6.
- In the IPv6 Availability tab, Enable IPv6 for the locations for which you want to enable IPv6. All locations are associated to a compute location. If locations in a compute location do not have IPv6 enabled, leave that compute location deselected.
- (Optional) If your internal DNS servers are reachable by IPv6 addresses, click the Network Services tab, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server. If you enter IPv6 addresses for DNS servers, you must also have IPv6 addresses in your mobile user IP address pool. You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers. If you enter an IPv6 address for the primary DNS server and an IPv4 address for the secondary DNS server, and a DNS query is received from a compute region that does not have IPv6 Availability enabled, Prisma Access uses the secondary DNS server because it uses an IPv4 address. IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
- (Optional) If you have not yet completed your mobile users configuration, complete it now. See Secure Mobile Users With GlobalProtect for details.
- Commit and Push your changes.
Enable IPv6 Networking for Service Connections
For service connections,
you can use IPv6 subnets for static or BGP routing. For BGP routing,
you can enter IPv6 peer addresses and specify IPv4 and IPv6 routing
options.
To configure IPv6 networking for service connections,
complete the following task.
- Select Panorama > Cloud Services > Configuration > Service Connection.
- Add a new service connection or select an existing service connection to edit it.
- Set up IPv6 routing for the service connection.
- (Static Routing Deployments Only) Enter one or more Corporate Subnets in the Static Routes tab.
- (BGP Routing Deployments Only) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6 Peer Address and Local Address.
- To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select Exchange both IPv4 and IPv6 routes over IPv4 peering.
- To use an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering.
- To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select Exchange IPv6 routes over IPv6 peering.
- If your secondary WAN uses a different peer or local address, deselect Same as Primary WAN and enter the IPv6 Peer Address and Local Address for the secondary WAN.
- If you have not yet completed your service connection setup, complete it now. See Create a Service Connection to Allow Access to Your Corporate Resources for details.
- Commit and Push your changes.
- Select Panorama > Cloud Services > Status > Network Details > Service Connection and make a note of the IPv6 User-ID Agent Address and EBGP Router addresses. After you commit your changes, you will have an IPv6 User-ID Agent Address (used for User-ID retrieval and distribution) and EBGP Router addresses for service connections. Because the IPSec tunnel used for the service connection uses IPv4 addressing, the Service IP Address is an IPv4 address.
- If you have not yet completed your mobile users configuration, complete it now. See Create a Service Connection to Allow Access to Your Corporate Resources for details.
Enable IPv6 Networking for Remote Networks
For remote network
connections, you can use IPv6 subnets for static routes.
For BGP routing, you can enter IPv6 peer addresses and specify that
BGP use IPv6 routing only or both IPv4 and IPv6 routing.
To configure IPv6 networking for remote network connections, complete
the following task.
- (Optional) Add IPv6 addresses to your custom DNS server proxy configuration.
- Select Panorama > Cloud Services > Configuration > Remote Networks and edit the settings by clicking the gear icon in the Settings area.
- In the DNS Proxy area, enter IPv6 Custom DNS Server addresses for your DNS proxy settings. See Onboard and Configure Remote Networks for more information about configuring DNS proxy settings for remote networks.
- Select Panorama > Cloud Services > Configuration > Remote Networks.
- Add a new remote network connection or select an existing service connection to edit it.
- Set up IPv6 routing for your remote network.
- (Static Routing Deployments Only) Enter one or more Corporate Subnets in the Static Routes tab.
- (BGP Routing Deployments Only) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6 Peer Address and Local Address.
- To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select Exchange both IPv4 and IPv6 routes over IPv4 peering.
- To use an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering.
- To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select Exchange IPv6 routes over IPv6 peering.
- If your secondary WAN uses a different peer or local address, deselect Same as Primary WAN and enter the IPv6 Peer Address and Local Address for the secondary WAN.
- (Optional) If your internal DNS servers are reachable by IPv6 addresses, select Panorama > Cloud Services > Configuration > Remote Network > Settings, click the gear icon to edit the settings, select the DNS Proxy tab, Add a rule or specify the default rule, and specify Custom DNS Server IPv6 addresses for the Primary DNS and Secondary DNS server. Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS requests for remote networks. You also need to select a Region. See Onboard and Configure Remote Networks for more information. You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers. IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
- If you have not yet completed your remote network connection setup, complete it now. See Onboard and Configure Remote Networks for details.
- Commit and Push your changes.
- Select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note of the EBGP Router addresses. After you commit your changes, you will have IPv6 EBGP Router addresses for service connections. Because the IPSec tunnel used for the remote network connection uses IPv4 addressing, the Service IP Address stays as an IPv4 address.