Prisma Access Administration
  • Prisma Access Administration
  • Prisma Access Documentation
  • All Documentation
>
Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments
Focus
Download PDF
Focus
  1. Home
  2. Prisma Access
  3. Prisma Access Administration
  4. Prisma Access Advanced Deployments
  5. Prisma Access Mobile Users—GlobalProtect Advanced Deployments
  6. Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments
Download PDF
Prisma Access

Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments

Table of Contents

Sinkhole IPv6 Traffic in Mobile Users—GlobalProtect Deployments

Use policy rules and other security procedures to sinkhole Prisma Access IPv6 traffic from in a Prisma Access GlobalProtect deployment.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
In a dual stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile user IPv4 traffic to be protected through the GlobalProtect VPN tunnel to Prisma Access. However, mobile user IPv6 traffic isn't sent to Prisma Access by default and is sent to the local network adapter on the endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can automatically fall back to an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the internet.
The default IPv6 route has priority over other routes. However, if more specific IPv6 routes exist through the physical network interface or if you specify the IPv6 source address of the physical interface, such traffic will be sent to the local network adapter.
In addition, Palo Alto Networks recommends that you configure GlobalProtect to completely disable network traffic on the local network adapter. If you have a hybrid Prisma Access deployment with on-premises next-generation firewalls configured as GlobalProtect gateways, you can configure IPv6 sinkhole functionality on the on-premises GlobalProtect gateway.
You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic. When you enable this functionality, Prisma Access assigns an IPv6 address to the connecting endpoint in addition to an IPv4 address; then, it routes the IPv6 traffic to Prisma Access and discards it using a built-in security policy, as shown in the following figure.
To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.
  • Prisma Access (Managed by Strata Cloud Manager) Deployments:
    Go to WorkflowsPrisma Access SetupMobile UsersGlobalProtect SetupAdvanced Settings and select Force IPv6 Sinkhole.
    Prisma Access uses fc00:0:0:0:0:0:0:0/64 as the sinkhole address.
  • Prisma Access (Managed by Panorama) Deployments:
    1. Open a secure CLI session with admin-level privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
    2. Enter configure to enter configuration mode.
    3. Enter the set plugins cloud_services mobile-users ipv6 yes command.
      If you need to disable this command in the future, enter set plugins cloud_services mobile-users ipv6 no.
    4. Enter Commit to save your changes locally.
    5. Enter exit to exit configuration mode.
    6. Enter commit-all shared-policy include-template yes device-group Mobile_User_Device_Group to commit and push your changes and make them active in Prisma Access.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.

xThanks for visiting https://docs.paloaltonetworks.com. To improve your experience when accessing content across our site, please add the domain to the allow list on your ad blocker application.