IPv6 Support for Private App Access

Configure IPv6 in Prisma Access.

Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)

What Do I Need?
  • Prisma Access license version 2.2 Preferred and later
  • Native IPv6 access to public and private apps requires the following minimum releases:
    • Prisma Access (Managed by Strata Cloud Manager): June 2024 release
    • Prisma Access (Managed by Panorama): Prisma Access 5.1.1 for new deployments only.
    Any other deployments (including existing Prisma Access (Managed by Panorama) deployments) support private app access only.

If your organization uses IPv6 addressing, Prisma Access makes it possible for you to access internal (private) apps that are behind IPv6 addresses. Depending on your Prisma Access version, you can access either private (internal) apps using IPv6, or both internal and public (external) apps for both GlobalProtect and Remote Networks.
For access to external apps, some Prisma Access components do not have IPv6 functionality enabled by default. Before you enable native IPv6 for public app access, reach out to your Palo Alto Networks account team and open a TAC ticket to begin the enablement process.
One benefit of native IPv6 support is the ability for Mobile Users on IPv6-only and dual-stack endpoints to connect to Prisma Access over IPv6 connections using GlobalProtect. Another benefit is the ability for GlobalProtect and Remote Networks to access the internet and public SaaS applications where those internet destinations require IPv6 connections.
IPv6 offers a significantly larger address space than IPv4, allowing for an almost unlimited number of unique IP addresses. At the same time, dual stack is a transitional approach that allows networks and devices to operate using both IPv4 and IPv6 simultaneously. Native IPv6 support makes Prisma Access compatible with both IPv6 and dual-stack connections to ease the migration process from IPv4 to IPv6, ensure backward compatibility, and empower your journey to the cloud and IPv6-enabled networks.
Users access internal apps through GlobalProtect (for external GlobalProtect mobile users) or through a remote network IPSec tunnel (for internal GlobalProtect mobile users in a branch office accessing Prisma Access through a remote network connection). Either internal or external GlobalProtect mobile users can access private apps over IPv6.
  • External GlobalProtect mobile users connect to the Prisma Access network using an IPv4 VPN tunnel, and you configure internal IPv6 addressing in Prisma Access to allow the users to access private apps behind an IPv6 network.
  • Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4 IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for examples.
You configure IPv6 in the following Prisma Access network components:
  • Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
    For best results, provide your own IPv6 (public or private) address pool with a prefix length of /64, such as 3005:10:209:55::/64.
  • For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations.
    You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
    For best results, provide your own IPv6 (public or private) address pool with a prefix length of /64, such as 3001:192:168:32::/64, applied at a Worldwide level.
    Prisma Access assigns each compute region a pool from a /80 subnet and each location (gateway) a pool from a /112 subnet. Because each GlobalProtect connection uses one IP address from the pool, this allocation allows over 65,000 available IPv6 addresses (/128) to be assigned to users’ endpoints per location.
  • For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
    • For static routes, specify an IPv6 address for the subnets used for the static routes.
    • For BGP routes, specify an IPv6 Peer Address and Local Address.
      You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
    For best results, provide your own IPv6 (public or private) address pool with a maximum prefix length of /64, such as 2005:10:209:79::/64.
  • For remote networks, you can add IPv6 addresses for DNS servers.
    For best results, provide your own IPv6 (public or private) address pool with a maximum prefix length of /64, such as 2001:10:209:65::/64.
    Each branch office should use a unique /112 (maximum length) subnet, allowing for over 65,000 unique hosts.
  • IPv6 addresses you provide shouldn't overlap with Prisma Access BYOIP public IPv6 address space.
  • Your IP pool, branch office (remote network) subnets, corporate (service connection) subnets, and infrastructure subnet shouldn't overlap with each other (should be mutually exclusive).
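
As an added example (not part of the Prisma Access documentation or product), the following Python script checks a planned set of IPv6 prefixes against the overlap and prefix-length guidance above and derives the address counts implied by the /80 and /112 allocation. The branch office prefixes are constructed, and the per-role length limits are an assumed reading of the "maximum prefix length" wording.

```python
import ipaddress
from itertools import combinations

# Prefixes are this page's own examples except where marked as constructed.
PLAN = [
    ("infrastructure subnet", "3005:10:209:55::/64"),
    ("mobile user pool", "3001:192:168:32::/64"),
    ("corporate subnet", "2005:10:209:79::/64"),
    ("branch office A", "2001:10:209:65::1:0/112"),   # constructed
    ("branch office B", "2001:10:209:65::2:0/112"),   # constructed
    ("branch office C", "3001:192:168:32::5:0/112"),  # constructed mistake
]

def parse_plan(plan):
    # strict=True raises ValueError when host bits are set, catching typos early
    return [(name, ipaddress.IPv6Network(cidr, strict=True)) for name, cidr in plan]

def find_overlaps(nets):
    """Return name pairs whose prefixes are not mutually exclusive."""
    return [(a, b) for (a, na), (b, nb) in combinations(nets, 2) if na.overlaps(nb)]

def find_too_long(nets):
    """Assumed limits: branch subnets at most /112, every other role at most /64."""
    bad = []
    for name, net in nets:
        limit = 112 if name.startswith("branch") else 64
        if net.prefixlen > limit:
            bad.append((name, net.prefixlen, limit))
    return bad

def mobile_pool_capacity(pool):
    """Counts implied by one /80 per compute region and one /112 per location."""
    return {
        "region_pools": 2 ** (80 - pool.prefixlen),
        "location_pools_per_region": 2 ** (112 - 80),
        "addresses_per_location": 2 ** (128 - 112),
    }

if __name__ == "__main__":
    nets = parse_plan(PLAN)
    for a, b in find_overlaps(nets):
        print(f"OVERLAP: {a} <-> {b}")
    for name, got, limit in find_too_long(nets):
        print(f"TOO LONG: {name} is /{got}, limit /{limit}")
    print(mobile_pool_capacity(dict(nets)["mobile user pool"]))
```

Branch office C is flagged because its /112 falls inside the mobile user pool; the 65,536 addresses per /112 match the "over 65,000" figure quoted above.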
The following deployments do not support IPv6 addressing:
  • Clean Pipe deployments
  • Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)

Private App Access Over IPv6 Examples

The following figures provide examples of how you can access private apps using Prisma Access.
The following figure shows a mobile user accessing a private app at a branch location. The branch is connected to Prisma Access by a remote network connection. If your network uses IPv6, you can configure the Mobile User IP address pool (for mobile users), Infrastructure Subnet (for service connections), and static or BGP routing (for the remote network connections) to use IPv6 addressing to access the app.
The following figure shows a mobile user accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Mobile User IP address pool (for mobile users) and Infrastructure Subnet (for service connections) to use IPv6 addressing to access the app.
The following figure shows an internal GlobalProtect user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Infrastructure Subnet (for service connections) and static or BGP routing (for the service connections and remote network connections) to use IPv6 addressing to access the app.
The following figure shows a user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at another branch location connected by a remote network connection. You can configure IPv6 addressing for static or BGP routing for the remote network connections to access the app.
The following figure shows a user at a branch location with IPv6 addressing accessing an external app. In this case, IPv4 routing is required to access the external app, regardless of your Prisma Access IPv6 configuration.
The same IPv4 requirement applies for external GlobalProtect users who access a public app.
