IPv6 Support for Private App Access

Configure IPv6 in Prisma Access to let mobile users access private apps behind IPv6 addresses.
If your organization uses IPv6 networking, you can configure Prisma Access to allow mobile users to access private apps that use IPv6 addressing. Learn how it works and how to configure it in the following sections:

Private App Access Using IPv6 Addressing

If your organization uses IPv6 addressing for your internal resources, Prisma Access makes it possible for you to access internal (private) apps that are behind IPv6 addresses. You can access these apps either from a data center behind a service connection or from a branch office behind a remote network connection.
You cannot access external SaaS or public apps using IPv6; IPv4 networking is still required to access external apps.
Users access internal apps through GlobalProtect (for external GlobalProtect mobile users) or through a remote network IPSec tunnel (for internal GlobalProtect mobile users in a branch office accessing Prisma Access through a remote network connection). Either internal or external GlobalProtect mobile users can access private apps over IPv6.
  • External GlobalProtect mobile users connect to the Prisma Access network using an IPv4 VPN tunnel, and you configure internal IPv6 addressing in Prisma Access to allow the users to access private apps behind an IPv6 network.
  • Internal GlobalProtect mobile users at a remote network connect to Prisma Access using an IPv4 IPSec tunnel, and you configure internal IPv6 addressing in Prisma Access so that those users can access private apps behind an IPv6 network. See Private App Access Over IPv6 Examples for examples.
You configure IPv6 in the following Prisma Access network components:
  • Enable IPv6 and specify an IPv6 subnet in your Infrastructure Subnet to establish an IPv6 network infrastructure to enable communication between your remote networks (branch locations), mobile users, and service connections (data center or headquarters locations).
  • For a Mobile Users—GlobalProtect deployment, specify whether or not IPv6 networking should be utilized for the compute locations that are associated with your mobile user locations.
    You can specify IPv6 mobile user IP address pools and IPv6 DNS server addresses as required.
  • For service connections and remote network connections, you can specify IPv6 addressing for the type of routing the connection uses (either static or BGP routes).
    • For static routes, specify an IPv6 address for the subnets used for the static routes.
    • For BGP routes, specify an IPv6
      Peer Address
      and
      Local Address
      .
      You can also specify the transport method used to exchange BGP peering information. You can specify to use IPv4 to exchange all BGP peering information (including IPv4 and IPv6), use IPv6 to exchange all BGP peering information, or use IPv4 to exchange IPv4 BGP peering information and IPv6 to exchange IPv6 BGP peering information.
  • For remote networks, you can add IPv6 addresses for DNS servers.
The following deployments do not support IPv6 addressing:
  • Clean Pipe deployments
  • Traffic Steering (using traffic steering rules to redirect internet-bound traffic using a service connection)

Private App Access Over IPv6 Examples

The following figures provide examples of how you can access private apps using Prisma Access.
The following figure shows a mobile user accessing a private app at a branch location. The branch is connected to Prisma Access by a remote network connection. If your network uses IPv6, you can configure the Mobile User IP address pool (for mobile users), Infrastructure Subnet (for service connections), and static or BGP routing (for the remote network connections) to use IPv6 addressing to access the app.
The following figure shows a mobile user accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Mobile User IP address pool (for mobile users) and Infrastructure Subnet (for service connections) to use IPv6 addressing to access the app.
The following figure shows an internal GlobalProtect user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at a data center connected to Prisma Access by a service connection. You can configure the Infrastructure Subnet (for service connections) and static or BGP routing (for the service connections and remote network connections) to use IPv6 addressing to access the app.
The following figure shows a user at a branch location connected to Prisma Access by a remote network accessing a private app that is hosted at another branch location connected by a remote network connection. You can configure IPv6 addressing for static or BGP routing for the remote network connections to access the app.
The following figure shows a user at a branch location with IPv6 addressing accessing an external app. In this case, IPv4 routing is required to access the external app, regardless of your Prisma Access IPv6 configuration.
The same IPv4 requirement applies for external GlobalProtect users who access a public app.

Configure IPv6 for Your Prisma Access Deployment

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

For any Prisma Access deployment, you need to enable IPv6 globally and specify an IPv6 subnet in your Infrastructure Subnet so that Prisma Access can establish an IPv6 network infrastructure between your remote network locations, mobile users, and service connections. To do so, complete the following steps.
  1. Select
    Panorama
    Cloud Services
    Configuration
    Service Setup
    and click the gear icon to edit the Settings.
  2. On the
    General
    tab, select
    Enable IPv6
    .
    Enabling or disabling IPv6 results in a brief traffic interruption (up to 120 seconds) while the dataplane prepares to accept or reject IPv6 routes on the Prisma Access backbone. Palo Alto Networks recommends that you commit this configuration change during a maintenance window or during off-peak hours.
    If you need to delete IPv6, delete all configuration (including for mobile users, remote network, and service connections as applicable) before deselecting the
    Enable IPv6
    check box.
  3. Specify an
    IPv6
    infrastructure subnet and an
    Infrastructure BGP AS
    .
    • Specify a minimum subnet of /96.
    • You must also enter an IPv4 subnet; Prisma Access requires IPv4 and IPv6 subnets in its network infrastructure to use IPv6. See Configure the Service Infrastructure for details.
    • Palo Alto Networks recommends that you use private (not public) IPv4 and IPv6 addresses.
    • Do not use IPv6 link local addresses (fe80::/10).
  4. Enter the
    Infrastructure BGP AS
    you want to use within the Prisma Access infrastructure.
    If you want to use dynamic routing to enable Prisma Access to dynamically discover routes to resources on your remote networks and HQ/data center locations, specify the autonomous system (AS) number. If you do not supply an AS number, the default AS number 65534 will be used.
  5. If you have not yet completed the service setup configuration, enter the
    Internal Domain List
    ,
    Cortex Data Lake
    , and
    Advanced
    settings.
  6. (
    Mobile User Deployments Only
    ) Add IPv6 IP address pools for your Mobile Users—GlobalProtect deployment.
    A Mobile Users—GlobalProtect deployment requires IP address pools. Both IPv4 and IPv6 IP address pools are required to enable IPv6 functionality. You apply IPv4 addresses at a regional or Worldwide level; you apply IPv6 addresses at a Worldwide level. Specify a minimum /80 subnet.
    Prisma Access subdivides the Worldwide IPv6 addresses using the following method:
    • Prisma Access assigns each location (gateway) a pool from a /112 subnet. Because each GlobalProtect connection uses one IP address from the pool, this allocation allows over 65,000 available IPv6 addresses to be assigned to users’ endpoints per location.
      If you experience an auto-scale event (if a large number of users log in to a single Prisma Access location), Prisma Access can add another location with another /112 subnet.
    • When you enable a location to use IPv6, Prisma Access assigns an IPv6 address pool to the region to which the location belongs, and divides up the pool between the total number of regions that have IPv6 enabled.
    Do not use local-link addresses (fe80::/10) in an IP address pool.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Mobile Users—GlobalProtect
      .
    2. In the Onboarding section, select the portal
      Hostname
      or select
      Configure
      .
    3. Select the
      IP Pools
      tab.
    4. Enter an
      IP Pool IPv6
      .
      • You must enter both IPv4 and IPv6 IP addresses for mobile users. Prisma Access requires IPv4 and IPv6 addresses to support its internal infrastructure when using IPv6. See Specify IP Address Pools for Mobile Users for more information about IPv4 IP address pools.
      • Enter a minimum IPv6 subnet of /80.
      • Prisma Access subdivides each subnet per region.
  7. Commit and Push
    your changes.
  8. Select
    Panorama
    Cloud Services
    Status
    Network Details
    Service Infrastructure
    and make a note of the following IPv6 addresses:
    • Captive Portal Redirect IP Addresses
      —Used with Authentication Portal-based User-ID address mapping
    • Tunnel Monitor IP Address
      —Used for Tunnel Monitoring
    Because GlobalProtect mobile users require an IPv4 address for the VPN tunnels, Loopback IPs, whose IP addresses are taken from the Infrastructure Subnet, still use IPv4 addresses.

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

In addition to configuring mobile user IP address pools, you must configure
IPv6 Availability
for your Mobile Users—GlobalProtect deployments. If your network uses IPv6 DNS servers to resolve internal domains, you can also specify IPv6 addresses for primary and secondary DNS servers, as shown in the following section.
  1. Plan if you want to deploy IPv6 across your entire Prisma Access deployment, or for only a certain number of compute locations.
  2. Configure IPv6 availability for the regions where you want to deploy IPv6.
    1. In the
      IPv6 Availability
      tab,
      Enable IPv6
      for the locations for which you want to enable IPv6.
      All locations are associated to a compute location. If locations in a compute location do not have IPv6 enabled, leave that compute location deselected.
  3. (
    Optional
    ) If your internal DNS servers use are reachable by IPv6 addresses, click the
    Network Services
    tab,
    Add
    a rule or specify the default rule, and specify
    Custom DNS Server
    IPv6 addresses for the
    Primary DNS
    and
    Secondary DNS
    server.
    If you enter IPv6 addresses for DNS servers, you must also have IPv6 addresses in your mobile user IP address pool.
    You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers. If you enter an IPv6 address for the primary DNS server and an IPv4 address for the secondary DNS server, and a DNS query is received from a compute region that does not have
    IPv6 Availability
    enabled, Prisma Access uses the secondary DNS server because it uses an IPv4 address.
    IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
  4. (
    Optional
    ) If you have not yet completed the your mobile users configuration, complete it now. See Secure Mobile Users With GlobalProtect for details.
  5. Commit and Push
    your changes.

Enable IPv6 Networking for Service Connections

For service connections, you can use IPv6 subnets for static or BGP routing. For BGP routing, you can enter IPv6 peer addresses and specify IPv4 and IPv6 routing options.
To configure IPv6 networking for service connections, complete the following task.
  1. Select
    Panorama
    Cloud Services
    Configuration
    Service Connection
    .
  2. Add
    a new service connection or select an existing service connection to edit it.
  3. Set up IPv6 routing for the service connection.
    1. (
      Static Routing Deployments Only
      ) Enter one or more
      Corporate Subnets
      in the
      Static Routes
      tab.
    2. (
      BGP Routing Deployments Only
      ) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6
      Peer Address
      and
      Local Address
      .
      • To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select
        Exchange both IPv4 and IPv6 routes over IPv4 peering
        .
      • To an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select
        Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering
        .
      • To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select
        Exchange IPv6 routes over IPv6 peering
        .
    3. If your secondary WAN uses a different peer or local address, deselect
      Same as Primary WAN
      and enter the IPv6
      Peer Address
      and
      Local Address
      for the secondary WAN.
  4. If you have not yet completed the your service connection setup, complete it now. See Create a Service Connection to Allow Access to Your Corporate Resources for details.
  5. Commit and Push
    your changes.
  6. Select
    Panorama
    Cloud Services
    Status
    Network Details
    Service Connection
    and make a note of the IPv6
    User-ID Agent Address
    and
    EBGP Router
    addresses.
    After you commit your changes, you will have an IPv6
    User-ID Agent Address
    (used for User-ID retrieval and distribution) and
    EBGP Router
    addresses for service connections.
    Because the IPSec tunnel used for the service connection uses IPv4 addressing, the
    Service IP Address
    is an IPv4 address.
  7. If you have not yet completed the your mobile users configuration, complete it now. See Create a Service Connection to Allow Access to Your Corporate Resources for details.

Enable IPv6 Networking for Remote Networks

For remote network connections, you can use IPv6 subnets for static routes. For BGP routing, you can enter IPv6 peer addresses and specify that BGP use IPv6 routing only or both IPv4 and IPv6 routing.
To configure IPv6 networking for remote network connections, complete the following task.
  1. (
    Optional
    ) Enter IPv6 addresses to your custom DNS server proxy configuration.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Remote Networks
      and edit the settings by clicking the gear icon in the
      Settings
      area.
    2. In the
      DNS Proxy
      area, enter IPv6
      Custom DNS Server
      addresses for your DNS proxy settings.
      See Onboard and Configure Remote Networks for more information about configuring DNS proxy settings for remote networks.
  2. Select
    Panorama
    Cloud Services
    Configuration
    Remote Networks
    .
  3. Add
    a new remote network connection or select an existing service connection to edit it.
  4. Set up IPv6 routing for your remote network.
    1. (
      Static Routing Deployments Only
      ) Enter one or more
      Corporate Subnets
      in the
      Static Routes
      tab.
    2. (
      BGP Routing Deployments Only
      ) Specify the method to exchange IPv4 and IPv6 BGP routes; then, enter an IPv6
      Peer Address
      and
      Local Address
      .
      • To use a single IPv4 BGP session to exchange both IPv4 and IPv6 BGP peering information, select
        Exchange both IPv4 and IPv6 routes over IPv4 peering
        .
      • To an IPv4 BGP session to exchange IPv4 BGP peering information and an IPv6 session to exchange IPv6 BGP peering information, select
        Exchange IPv4 routes over IPv4 peering and IPv6 routes over IPv6 peering
        .
      • To use a single IPv6 BGP session to exchange IPv6 BGP peering information, select
        Exchange IPv6 routes over IPv6 peering
        .
    3. If your secondary WAN uses a different peer or local address, deselect
      Same as Primary WAN
      and enter the IPv6
      Peer Address
      and
      Local Address
      for the secondary WAN.
  5. (
    Optional
    ) If your internal DNS servers use are reachable by IPv6 addresses, select
    Panorama
    Cloud Services
    Configuration
    Remote Network
    Settings
    , click the gear icon to edit the settings, select the
    DNS Proxy
    tab,
    Add
    a rule or specify the default rule, and specify
    Custom DNS Server
    IPv6 addresses for the
    Primary DNS
    and
    Secondary DNS
    server.
    Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS requests for remote networks. You also need to select a
    Region
    . See Onboard and Configure Remote Networks for more information.
    You can enter any combination of IPv4 or IPv6 addresses for primary and secondary DNS servers.
    IPv4 addresses use A records, while IPv6 addresses use AAAA records. Some DNS servers can perform AAAA DNS lookups over IPv4 transport; therefore, you might not need a server with an IPv6 IP address.
  6. If you have not yet completed the your remote network connection setup, complete it now. See Onboard and Configure Remote Networks for details.
  7. Commit and Push
    your changes.
  8. Select
    Panorama
    Cloud Services
    Status
    Network Details
    Remote Networks
    and make a note of the
    EBGP Router
    addresses.
    After you commit your changes, you will have an IPv6
    EBGP Router
    addresses for service connections.
    Because the IPSec tunnel used for the remote network connection uses IPv4 addressing, the
    Service IP Address
    stays as an IPv4 address.

Recommended For You