Sinkhole IPv6 Traffic From Mobile Users
Use policies and other security procedures to sinkhole Prisma Access IPv6 traffic from mobile users.
On a dual-stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile user IPv4 traffic through the GlobalProtect VPN tunnel to Prisma Access to be protected. However, mobile user IPv6 traffic is not sent to Prisma Access by default and is sent to the local network adapter on the endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can automatically fall back to an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the internet.

In addition, Palo Alto Networks recommends that you configure GlobalProtect to completely disable network traffic on the local network adapter. If you have a hybrid Prisma Access deployment with on-premise next-generation firewalls configured as GlobalProtect gateways, you can configure IPv6 sinkhole functionality on the on-premise GlobalProtect gateway.
Configure Prisma Access to Sinkhole IPv6 Traffic
You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic. When you enable this functionality, Prisma Access assigns an IPv6 address to the connecting endpoint in addition to an IPv4 address; then, it routes the IPv6 traffic to Prisma Access and discards it using a built-in security policy, as shown in the following figure.

To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.
- Open a secure CLI session with admin-level privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
- Enter `configure` to enter configuration mode.
- Enter the `set plugins cloud_services mobile-users ipv6 yes` command. If you need to disable this functionality in the future, enter `set plugins cloud_services mobile-users ipv6 no`.
- Enter `commit` to save your changes locally.
- Enter `exit` to exit configuration mode.
- Enter `commit-all shared-policy include-template yes device-group Mobile_User_Device_Group` to commit and push your changes and make them active in Prisma Access.
Configure GlobalProtect to Disable Direct Access to the Local Network
To make sure that all mobile user traffic is sent to Prisma Access, you can completely disable outgoing connections, including local subnet traffic, from being sent to the local adapter. You can deactivate all outgoing connections to the local adapter by making configuration changes to the GlobalProtect gateway. You can perform these steps on Panorama or on an on-premise firewall that has been configured as a GlobalProtect gateway.

Disabling local network access prevents all traffic, including IPv4 and IPv6 traffic, from being sent to the local adapter. In addition, you won't be able to access resources on your local subnet, such as printers.
- Select Network > GlobalProtect > Gateways.
- Select an existing GlobalProtect gateway or Add a new one.
- Select Agent > Client Settings.
- Select the DEFAULT configuration or Add a new one.
- Select Split Tunnel; then, select No direct access to local network.
- (Panorama and Prisma Access deployments only) Commit your changes locally to make them active in Panorama.
  - Select Commit > Commit to Panorama.
  - Make sure that your change is part of the Commit Scope.
  - Click OK to save your changes to the push scope.
  - Commit your changes.
- Commit and Push your changes to make them active in Prisma Access.
Set Up an IPv6 Sinkhole On the On-Premise Gateway
If you have a hybrid deployment that uses next-generation firewalls configured as gateways with Prisma Access, perform the following task on the on-premise gateway to drop the IPv6 traffic.
- Add IPv6 IP pools to your GlobalProtect agent configuration.
  - Select Network > GlobalProtect > Gateways.
  - Select an existing GlobalProtect gateway or Add a new one.
  - Select Agent > Client Settings.
  - Select the agent configuration to modify or Add a new one.
  - Select IP Pools; then, Add an IPv6 pool that the gateway assigns to the virtual network adapter on connecting endpoints for mobile user traffic, and click OK.
- Enable IPv6 on the interface.
  - Select Device > Interface > Tunnel and select the tunnel interface that you use for the mobile user's traffic.
  - Select IPv6; then, select Enable IPv6 on the interface.
- Add a security policy that sets a TCP reset action to terminate sessions whose IPv6 source address matches the IP pools you configured in Step 1.
  - Select Policies > Security and Add a new security policy.
  - Set the Source Address in the rule to match the IP pools you configured in Step 1.
  - Select Actions; then, select an Action Setting of Reset Client and click OK.
- Commit your changes.
- (Optional) Perform this task on all the gateway firewalls in your deployment.
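Once the reset rule is in place, the check a defender wants is that every IPv6 session sourced from the mobile user pool actually hit it. The script below is an added example, not code from the Palo Alto Networks documentation; the pool prefix and the simplified CSV log export are constructed assumptions, and the `rule`/`action` columns stand in for the corresponding fields of a traffic log export.

```python
import csv
import io
import ipaddress

# Constructed IPv6 pool assigned by the on-premise gateway (assumption, not a real deployment value).
IPV6_POOLS = [ipaddress.ip_network("2001:db8:100::/64")]

# Actions that mean the session was terminated rather than forwarded.
SINKHOLE_ACTIONS = {"reset-client", "reset-both", "drop", "deny"}

# Constructed, simplified traffic-log export: source, destination, matched rule, action.
SAMPLE_LOG = """src,dst,rule,action
2001:db8:100::1a,2001:db8:ffff::53,ipv6-sinkhole,reset-client
2001:db8:100::2b,2001:db8:ffff::80,ipv6-sinkhole,reset-client
2001:db8:100::3c,2001:db8:ffff::443,allow-outbound,allow
2001:db8:200::9,2001:db8:ffff::443,allow-outbound,allow
10.20.30.40,93.184.216.34,allow-outbound,allow
"""


def in_pools(addr: str, pools) -> bool:
    """True when addr is an IPv6 address inside one of the configured pools."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 6 and any(ip in p for p in pools)


def audit_sinkhole(log_text: str, pools=IPV6_POOLS) -> dict:
    """Classify each IPv6 session from the mobile user pool as sinkholed or bypassed.

    A bypass means an earlier or broader rule forwarded the session before the
    reset rule could match; the rule name is reported so the order can be fixed.
    """
    result = {"sinkholed": 0, "bypassed": [], "unexpected_v6_source": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        if ipaddress.ip_address(row["src"]).version != 6:
            continue  # IPv4 mobile user traffic takes the normal tunnel path
        if not in_pools(row["src"], pools):
            # IPv6 source outside the pool: not a sinkhole failure, but worth reviewing
            result["unexpected_v6_source"].append(row["src"])
            continue
        if row["action"] in SINKHOLE_ACTIONS:
            result["sinkholed"] += 1
        else:
            result["bypassed"].append((row["src"], row["dst"], row["rule"]))
    return result


if __name__ == "__main__":
    r = audit_sinkhole(SAMPLE_LOG)
    print(f"sinkholed={r['sinkholed']} bypassed={len(r['bypassed'])}")
    for src, dst, rule in r["bypassed"]:
        print(f"  {src} -> {dst} forwarded by rule {rule!r}; check rule order and Source Address")
```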