Support for IPv6, offered in this version, allows firewalls to be integrated into IPv4 and/or IPv6 infrastructures. Network (interfaces and routing), filter, VPN and administration features are compatible with IPv6. This support is optional and can be enabled in the Configuration module.
The web administration interface will then be accessible regardless of whether it is in IPv6 or IPv4 as the firewall’s network interfaces may have a single static IPv6 address or as a complement to an IPv4 address (double stack). Static routes and gateways can now be defined in IPv6; furthermore, the dynamic routing feature on NEXUS Firewalls (Bird6) is also compatible.
The SLAAC mechanism (StateLess Address AutoConfiguration) has been implemented on Stormshield Network firewalls in order to generate Router Advertisements (RA), which allow automatically configuring network hosts by distributing the IPv6 prefixes to be used. These advertisements also allow transmitting DNS parameters (RDNSS support – RFC 6106) and defining the firewall as the default gateway. The firewall’s DCHPv6 server or relay service can be used to complete this mechanism, in order to use IPv6 address reservation, for example.
Network objects (hosts, networks and IP address ranges) may have addresses in IPv6, or a hybrid address range. Filter policies can therefore be applied to IPv6 objects and can use the security inspection feature (customizable inspection profiles). However, application inspection features (Antivirus, Antispam and URL, SMTP, FTP and SSL filtering) are not available in this version. Likewise, address translation (NAT) cannot be performed on IPv6 objects.
For each interface defined in IPv6 and belonging to a bridge, the routing without analyzing option in the IPv6 protocol must be disabled (advanced configuration tab in the Network>Interfaces module), in order to allow this traffic to be filtered.
IPsec tunnels are also compatible with IPv6; tunnels can therefore be set up between two IPv6 endpoints and both IPv4 and IPv6 traffic may go through them. Conversely, IPv6 traffic may also go through IPv4 IPsec tunnels.