IPv6 Support

Details of supported features

System

ACL

An internal IPv6 network is automatically integrated into the “Network_internals” group.

Configuration: NTP

Firewalls can synchronize their clocks with a time server (NTP server) configured in IPv6.

IPv4/IPv6 administration server

Firewalls can be administered in the same way from a remote host, whether it has IPv4 or IPv6 addresses (web administration and SSH connections). In order to do so, the server must listen on both protocols.

Active Update

The application protection features provided in Active Update (Antispam, Antivirus, etc.) can retrieve their updates from a mirror server that has an IPv6 address.

High availability (HA)

Sessions set up in IPv4 or IPv6 can be transferred on HA links in IPv4.

CLI commands

IPv6 commands are accessible in the module Configuration > CLI Commands in the firewall’s web administration interface.

Network

Interfaces: double stack

Interfaces on the firewall may have IPv4 and IPv6 addresses simultaneously (double stack).

Interfaces: IPv6 addresses only

It is possible to configure a firewall (or simply one of its interfaces) in IPv6 alone.

Interfaces: router advertisements (RA)

The firewall can send out router advertisements and prefixes (RA: Router Advertisement).

Static routing

IPv6 static routes can be defined on the firewall.

Dynamic routing

The dynamic routing engine handles IPv6 routes (RIP / BGP / OSPF protocols).

DHCPv6

The firewall can take on the role of a DHCPv6 server or relay.

Objects

Network objects

Network objects may have only IPv4 addresses, only IPv6 addresses or both (double stack).

Users

Authentication

Users can log on to the web authentication portal regardless of whether the remote host is in IPv4 or IPv6.

Security policy

Filtering

Filter rules may simultaneously contain IPv4-only objects, IPv6-only objects and objects that have both IPv4 and IPv6 addresses (double stack).

Filtering: rule coherence checker

The coherence checker also applies to rules that include IPv6 objects.

Filtering: IPS

Protocol scans apply to Level 7 protocols transported over IPv6 (example: HTTP, SMTP, etc.).

Quality of service

Quality of service processing can be applied to IPv6 traffic.

IPv6 implicit rules

Implicit rules specific to IPv6 services (router advertisements, DHCPv6) have been added (these rules are listed in the paragraph General points > Implicit rules).

Monitoring

Alarms / Logs

Events raised by IPv6 traffic (alarms, etc.) are saved in log files.

VPN

IPsec IKEv1

IPv4 and/or IPv6 traffic can be transported through IPsec tunnels set up between:

  • IPv6 tunnel endpoints,
  • IPv4 tunnel endpoints.

Notifications

Syslog

Logs can be sent to syslog servers in IPv6.

SNMP server

The SNMP server embeds the MIB-2 in IPv6. It can also generate traps in IPv6.

Unsupported features

In SNS version 4, the following are the main features that are unavailable for IPv6 traffic:

  • IPv6 traffic through IPsec tunnels based on virtual IPsec interfaces (VTI),
  • IPv6 address translation (NATv6),
  • Application inspections (Antivirus, Antispam, URL filtering, SMTP filtering, FTP filtering and SSL filtering),
  • Use of the explicit proxy,
  • DNS cache,
  • SSL VPN portal tunnels,
  • SSL VPN tunnels,
  • Kerberos authentication,
  • Vulnerability management,
  • Modem interfaces (especially PPPoE modems).

General points

Active Update

The firewall’s Active Update service can now be used with update servers configured in IPv6. In this case, a mirror server configured in double stack (IPv4 / IPv6) needs to be installed for updates: this server will be able to synchronize in IPv4 with Stormshield Active Update servers, and provide its updates to firewalls in IPv6.

High availability

When the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of interfaces using IPv6 (other than those in the HA link) must be defined in the advanced properties. Because IPv6 link-local addresses are derived from the MAC address, these addresses would otherwise be different, causing routing problems during a switch.
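The following check is an added example, not Stormshield code: it derives the link-local address each cluster member would use on an interface and reports the interfaces where a switch would change that address. It assumes the standard modified EUI-64 derivation (RFC 4291, Appendix A); the interface names and MAC addresses are constructed sample values.

```python
import ipaddress


def mac_to_link_local(mac: str) -> ipaddress.IPv6Address:
    """Derive the fe80::/64 address from a 48-bit MAC (modified EUI-64, assumed)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe in the middle.
    interface_id = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + interface_id)


def ha_link_local_mismatches(member_a: dict, member_b: dict) -> dict:
    """Map interface name -> (address on A, address on B) where the two differ."""
    mismatches = {}
    for ifname in sorted(member_a.keys() & member_b.keys()):
        addr_a = mac_to_link_local(member_a[ifname])
        addr_b = mac_to_link_local(member_b[ifname])
        if addr_a != addr_b:
            # Neighbours that learned addr_a as next hop lose it after a switch.
            mismatches[ifname] = (addr_a, addr_b)
    return mismatches


# Constructed sample inventory (MACs from the RFC 7042 documentation range).
# "out": each member keeps its own hardware MAC.
# "in": the same MAC has been forced on both members.
MEMBER_A = {"out": "00:00:5e:00:53:01", "in": "00:00:5e:00:53:10"}
MEMBER_B = {"out": "00:00:5e:00:53:02", "in": "00:00:5e:00:53:10"}

if __name__ == "__main__":
    for ifname, (a, b) in ha_link_local_mismatches(MEMBER_A, MEMBER_B).items():
        print(f"{ifname}: link-local changes on switch ({a} -> {b})")
```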

Protocols

Enabling IPv6 support does not modify the IP configuration elements (Application protection > Protocols module).

Implicit rules

Implicit rules specific to the use of IPv6 services have been added and can be enabled or disabled. These rules are as follows:

  • Allow router solicitations (RS) in multicast mode or to the firewall,
  • Allow requests to the DHCPv6 server and DHCPv6 multicast solicitations.