Automatically generate enhanced application logs from ICMPv6 neighbor discovery protocol
packets to support IPv6 deployments in Device Security and Cortex XDR.

Device Security uses ARP Enhanced Application Logs (EAL) to provide visibility
and identification for devices on IPv4 networks. However, IPv6 deployments use
Neighbor Discovery Protocol (NDP) instead of ARP, so ARP EALs give Device Security
no visibility into those networks, which prevents full IPv6 support.

PAN-OS® now uses Deep Packet Inspection (DPI) to generate
EALs from ICMPv6 NDP packets, providing the same level of functionality for
IPv6 environments. With ICMPv6 EALs, Device Security can use this data
to support Device-ID in IPv6 deployments. This change ensures that
Device Security has the necessary visibility to identify and classify devices
communicating over IPv6.
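
As an added illustration (not PAN-OS code, and not the EAL format, which this page does not describe), the following parser reads an ICMPv6 Neighbor Solicitation or Neighbor Advertisement body per RFC 4861 and extracts the IPv6-to-MAC binding that ARP supplies on IPv4. The function name, record fields and sample packet are assumptions constructed for the example.

```python
import ipaddress
import struct

NS, NA = 135, 136                       # ICMPv6 message types (RFC 4861)
OPT_SLLA, OPT_TLLA = 1, 2               # source / target link-layer address options


def parse_ndp(icmpv6: bytes):
    """Parse an ICMPv6 NS/NA message, starting at the ICMPv6 type byte.

    Returns a dict with the message kind, target address and any link-layer
    address option, or None if the bytes are not a well-formed NS/NA.
    """
    if len(icmpv6) < 24:                # 4 header + 4 reserved/flags + 16 target
        return None
    msg_type, code, _cksum, flags = struct.unpack("!BBHI", icmpv6[:8])
    if msg_type not in (NS, NA) or code != 0:
        return None
    rec = {
        "kind": "NS" if msg_type == NS else "NA",
        "target": str(ipaddress.IPv6Address(icmpv6[8:24])),
        "mac": None,
    }
    if msg_type == NA:                  # R/S/O flags are the top three bits
        rec["router"] = bool(flags & 0x80000000)
        rec["solicited"] = bool(flags & 0x40000000)
        rec["override"] = bool(flags & 0x20000000)
    off = 24
    while off + 2 <= len(icmpv6):       # options: type, length in 8-octet units
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8
        if opt_len == 0 or off + opt_len > len(icmpv6):
            return None                 # RFC 4861: zero-length option => discard
        if opt_type in (OPT_SLLA, OPT_TLLA) and opt_len == 8:
            rec["mac"] = icmpv6[off + 2:off + 8].hex(":")
        off += opt_len
    return rec


# Constructed sample: NA for 2001:db8::10 with the S and O flags set and a
# target link-layer address option carrying 02:00:5e:10:00:01.
SAMPLE_NA = (
    bytes([NA, 0, 0, 0]) + struct.pack("!I", 0x60000000)
    + ipaddress.IPv6Address("2001:db8::10").packed
    + bytes([OPT_TLLA, 1]) + bytes.fromhex("02005e100001")
)

if __name__ == "__main__":
    print(parse_ndp(SAMPLE_NA))
```

The example does not verify the ICMPv6 checksum or the hop limit of 255 that RFC 4861 requires, because both need the enclosing IPv6 header.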

EALs for ICMPv6 NDP are enabled by default and are generated for both
Neighbor Solicitation (NS) and Neighbor Advertisement (NA) packets. These logs are
transmitted over the acknowledgment (ACK) channel for reliable delivery to prevent
loss due to congestion. If you experience log flooding in
high-volume IPv6 deployments, you can disable ICMPv6 EAL logging using the
following CLI command:

set deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp

To complete the configuration and apply the change, commit the device configuration.
To re-enable the feature, use the following command:

delete deviceconfig setting logging enhanced-application-logging disable-global icmpv6-ndp