Sinkhole IPv6 Traffic From Mobile Users

Use policies and other security procedures to sinkhole Prisma Access IPv6 traffic from mobile users.
In a dual stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile user IPv4 traffic to be protected through the GlobalProtect VPN tunnel to Prisma Access. However, mobile user IPv6 traffic is not sent to Prisma Access by default and is sent to the local network adapter on the endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can automatically fall back to an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the internet.
In addition, Palo Alto Networks recommends that you configure GlobalProtect to completely disable network traffic on the local network adapter. If you have a hybrid Prisma Access deployment with on-premise next-generation firewalls configured as GlobalProtect gateways, you can configure IPv6 sinkhole functionality on the on-premise GlobalProtect gateway.

Configure Prisma Access to Sinkhole IPv6 Traffic

You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic. When you enable this functionality, Prisma Access assigns an IPv6 address to the connecting endpoint in addition to an IPv4 address; then, it routes the IPv6 traffic to Prisma Access and discards it using a built-in security policy, as shown in the following figure.
(Figure: ipv6-sinkhole-traffic-diagram.png)
To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.
  1. Open a secure CLI session with admin-level privileges, using the same IP address that you use to log in to the Panorama that manages Prisma Access.
  2. Enter configure to enter configuration mode.
  3. Enter the set plugins cloud_services mobile-users ipv6 yes command.
     If you need to disable this functionality in the future, enter set plugins cloud_services mobile-users ipv6 no.
  4. Enter commit to save your changes locally.
  5. Enter exit to exit configuration mode.
  6. Enter commit-all shared-policy include-template yes device-group Mobile_User_Device_Group to commit and push your changes and make them active in Prisma Access.

Configure GlobalProtect to Disable Direct Access to the Local Network

To make sure that all mobile user traffic is sent to Prisma Access, you can completely prevent outgoing connections, including local subnet traffic, from being sent to the local adapter. You deactivate all outgoing connections to the local adapter by making configuration changes to the GlobalProtect gateway.
You can perform these steps on Panorama or on an on-premise firewall that has been configured as a GlobalProtect gateway.
Disabling local network access prevents all traffic, including IPv4 and IPv6 traffic, from being sent to the local adapter. In addition, you won't be able to access resources on your local subnet, such as printers.
  1. Select Network > GlobalProtect > Gateways.
  2. Select an existing GlobalProtect gateway or Add a new one.
  3. Select Agent > Client Settings.
  4. Select the DEFAULT configuration or Add a new one.
  5. Select Split Tunnel; then, select No direct access to local network.
     (Figure: ipv6-sinkhole-no-direct-access-to-local-network.png)
  6. (Panorama and Prisma Access deployments only) Commit your changes locally to make them active in Panorama.
     1. Select Commit > Commit to Panorama.
     2. Make sure that your change is part of the Commit Scope.
     3. Click OK to save your changes to the push scope.
     4. Commit your changes.
  7. Commit and Push your changes to make them active in Prisma Access.

Set Up an IPv6 Sinkhole On the On-Premise Gateway

If you have a hybrid deployment that uses next-generation firewalls configured as gateways with Prisma Access, perform the following task on the on-premise gateway to drop the IPv6 traffic.
  1. Add IPv6 IP pools to your GlobalProtect agent configuration.
     1. Select Network > GlobalProtect > Gateways.
     2. Select an existing GlobalProtect gateway or Add a new one.
     3. Select Agent > Client Settings.
     4. Select the agent configuration to modify or Add a new one.
     5. Select IP Pools; then, Add an IPv6 pool. The gateway assigns addresses from this pool to the virtual network adapter that endpoints connecting to the GlobalProtect gateway use for mobile user traffic. Click OK.
        (Figure: ipv6-sinkhole-ngfw-assign-ip-pools.png)
  2. Enable IPv6 on the interface.
     1. Select Device > Interface > Tunnel and select the tunnel Interface that you use for the mobile user's traffic.
     2. Select IPv6; then, select Enable IPv6 on the interface.
        (Figure: ipv6-sinkhole-assign-ipv6-to-interface.png)
  3. Add a security policy rule with a TCP reset action that terminates sessions whose IPv6 source address matches the IP pools you configured in Step 1.
     1. Select Policies > Security and Add a new security policy.
     2. Set the Source Address in the rule to match the IP pools you configured in Step 1.
        (Figure: ipv6-sinkhole-security-policy-ip-address.png)
     3. Select Actions; then, select an Action Setting of Reset Client and click OK.
        (Figure: ipv6-sinkhole-security-policy-reset-client.png)
  4. Commit your changes.
  5. (Optional) Perform this task on all the gateway firewalls in your deployment.
