On a dual stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends
mobile user IPv4 traffic through the GlobalProtect VPN tunnel to Prisma Access, where
it is protected. Mobile user IPv6 traffic, however, is not sent to Prisma Access by
default; it is sent to the local network adapter on the endpoint instead. To reduce
the attack surface for IPv6-based threats, Palo Alto Networks recommends that you
configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can
automatically fall back to an IPv4 address, mobile users keep a secure and
uninterrupted experience for traffic to the internet.
With the sinkhole enabled, the default IPv6 route through the tunnel takes priority over other routes.
However, if more specific IPv6 routes exist through the physical network interface,
or if an application specifies the IPv6 source address of the physical interface,
that traffic is still sent to the local network adapter and is not sinkholed.
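The route precedence caveat above can be checked against an endpoint's IPv6 routing table with longest-prefix matching. This is an added example, not code from the Prisma Access documentation; the interface names, prefixes and addresses are constructed assumptions for illustration.

```python
from ipaddress import IPv6Address, IPv6Network

# Constructed endpoint IPv6 routing table with the sinkhole enabled.
# Interface names and prefixes are assumptions, not values from a real host.
TUNNEL = "gp-tunnel"      # GlobalProtect tunnel adapter (name assumed)
PHYSICAL = "eth0"         # physical network adapter (name assumed)
PHYSICAL_ADDR = IPv6Address("2001:db8:1::10")   # address on the physical adapter

ROUTES = [
    (IPv6Network("::/0"), TUNNEL),               # default route via the tunnel
    (IPv6Network("2001:db8:1::/64"), PHYSICAL),  # on-link prefix of the physical NIC
    (IPv6Network("fe80::/64"), PHYSICAL),        # link-local prefix
]


def select_interface(dst, src=None):
    """Return the egress interface for a flow using longest-prefix match.
    A flow explicitly sourced from the physical adapter's own address stays on
    that adapter, which is the second caveat described in the text."""
    dst = IPv6Address(str(dst))
    if src is not None and IPv6Address(str(src)) == PHYSICAL_ADDR:
        return PHYSICAL
    best = None
    for net, iface in ROUTES:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def flows_escaping_sinkhole(flows):
    """Given (dst, src) pairs, return those that bypass the tunnel and so are
    not discarded by the Prisma Access sinkhole policy."""
    return [(d, s) for d, s in flows if select_interface(d, s) != TUNNEL]


if __name__ == "__main__":
    # Constructed sample flows.
    sample = [
        ("2001:db8:2::1", None),             # off-link destination: sinkholed
        ("2001:db8:1::20", None),            # on-link destination: local adapter
        ("2001:db8:2::1", "2001:db8:1::10"), # pinned physical source: local adapter
    ]
    for d, s in flows_escaping_sinkhole(sample):
        print(f"bypasses sinkhole: dst={d} src={s}")
```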
You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic.
When you enable this functionality, Prisma Access assigns an IPv6 address to the
connecting endpoint in addition to an IPv4 address; it then routes the IPv6 traffic
to Prisma Access and discards it using a built-in security policy, as shown in the
following figure.
To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic,
complete the following steps.
Prisma Access (Managed by Strata Cloud Manager) Deployments:
Go to Workflows > Prisma Access Setup > Mobile Users > GlobalProtect Setup > Advanced Settings and select Force IPv6 Sinkhole.
Prisma Access uses fc00:0:0:0:0:0:0:0/64 (fc00::/64) as the sinkhole address.
Prisma Access (Managed by Panorama) Deployments:
Open a secure CLI session with admin-level privileges, using the same IP
address that you use to log in to the Panorama that manages Prisma Access.
Enter configure to enter configuration mode.
Enter the set plugins cloud_services mobile-users ipv6 yes command.
If you need to disable this functionality in the future, enter set plugins cloud_services mobile-users ipv6 no.
Enter commit to save your changes locally.
Enter exit to leave configuration mode.
Enter commit-all shared-policy include-template yes device-group Mobile_User_Device_Group
to commit and push your changes and make them active in Prisma Access.