Details of supported features
An internal IPv6 network is automatically integrated into the “Network_internals” group.
Firewalls can synchronize their clocks with a time server (NTP server) configured in IPv6.
IPv4/IPv6 administration server
Firewalls can be administered in the same way from a remote host, whether it has IPv4 or IPv6 addresses (web administration and SSH connections). In order to do so, the server must listen on both protocols.
The application protection features provided in Active Update (Antispam, Antivirus, etc.) can retrieve their updates from a mirror server that has an IPv6 address.
High availability (HA)
Sessions set up in IPv4 or IPv6 can be transferred on HA links in IPv4.
IPv6 commands are accessible in the module Configuration > CLI Commands in the firewall’s web administration interface.
Interfaces: double stack
Interfaces on the firewall may have IPv4 and IPv6 addresses simultaneously (double stack).
Interfaces: IPv6 addresses only
It is possible to configure a firewall (or simply one of its interfaces) in IPv6 alone.
Interfaces: router advertisements (RA)
The firewall can send out router advertisements and prefixes (RA: Router Advertisement).
IPv6 static routes can be defined on the firewall.
The dynamic routing engine handles IPv6 routes (RIP / BGP / OSPF protocols).
The firewall can take on the role of a DHCPv6 server or relay.
Network objects may have only IPv4 addresses, only IPv6 addresses or both (double stack).
Users can log on to the web authentication portal regardless of whether the remote host is in IPv4 or IPv6.
Filter rules may simultaneously contain IPv4 objects, IPv6 objects, and objects that have both IPv4 and IPv6 addresses (double stack).
Filtering: rule coherence checker
The coherence checker also applies to rules that include IPv6 objects.
Protocol scans apply to Level 7 protocols transported over IPv6 (for example HTTP and SMTP).
Quality of service processing can be applied to IPv6 traffic.
IPv6 implicit rules
Implicit rules specific to IPv6 services (router advertisements, DHCPv6) have been added (these rules are listed in the paragraph General points > Implicit rules).
Alarms / Logs
Events raised by IPv6 traffic (alarms, etc.) are saved in log files. They can also be looked up in the SN Real-Time Monitor application.
IPv4 and/or IPv6 traffic can be transported through IPsec tunnels set up between:
- IPv6 tunnel endpoints,
- IPv4 tunnel endpoints.
Logs can be sent to syslog servers in IPv6.
The SNMP server embeds the MIB-2 in IPv6. It can also generate traps in IPv6.
In version 1.0, the following features will not be available for IPv6 traffic:
- IPv6 address translation (NATv6),
- Application inspections (Antivirus, Antispam, URL filtering, SMTP filtering, FTP filtering and SSL filtering),
- Use of the explicit proxy,
- DNS cache,
- SSL VPN portal tunnels,
- SSL VPN tunnels,
- Radius or Kerberos authentication,
- Vulnerability management.
The firewall’s Active Update service can now be used with update servers configured in IPv6. In this case, a mirror server configured in double stack (IPv4 / IPv6) needs to be installed for updates: this server will be able to synchronize in IPv4 with Stormshield Active Update servers, and provide its updates to firewalls in IPv6.
When the firewall is in high availability and IPv6 has been enabled on it, the MAC addresses of interfaces using IPv6 (other than those in the HA link) must be defined in the advanced properties. Because IPv6 link-local addresses are derived from the MAC address, these addresses would otherwise be different, causing routing problems during a switch.
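The dependency between MAC address and link-local address can be checked before enabling IPv6 on an HA pair. The following is an added example, not Stormshield code: it assumes the standard modified EUI-64 derivation (RFC 4291, Appendix A), and the interface names and MAC addresses are constructed sample values.

```python
import ipaddress


def link_local_from_mac(mac: str) -> ipaddress.IPv6Address:
    """Return the modified EUI-64 link-local address for a 48-bit MAC."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the two halves of the MAC to build the 64-bit interface ID.
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    # fe80::/64 prefix (fe80 followed by 48 zero bits) + interface ID.
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + iid)


def ha_link_local_mismatches(active: dict, passive: dict) -> dict:
    """Map interface name -> (active, passive) link-local addresses that differ.

    Any interface listed here would change its link-local address when the
    passive member takes over, so neighbours using it as a next hop lose it.
    """
    mismatches = {}
    for name in sorted(active.keys() & passive.keys()):
        a = link_local_from_mac(active[name])
        p = link_local_from_mac(passive[name])
        if a != p:
            mismatches[name] = (a, p)
    return mismatches


# Constructed sample inventory (MACs from the RFC 7042 documentation range).
# "out" keeps each member's own hardware MAC; "in" has the same MAC forced
# on both members, as the advanced properties setting would do.
ACTIVE = {"out": "00:00:5e:00:53:01", "in": "00:00:5e:00:53:10"}
PASSIVE = {"out": "00:00:5e:00:53:02", "in": "00:00:5e:00:53:10"}

if __name__ == "__main__":
    for name, (a, p) in ha_link_local_mismatches(ACTIVE, PASSIVE).items():
        print(f"{name}: active={a} passive={p} -> address changes on switch")
```

Only interfaces with differing MAC addresses are reported; an interface whose MAC is set identically on both members keeps the same link-local address after a switch.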
Enabling IPv6 support does not modify the IP configuration elements (Application protection > Protocols module).
Implicit rules specific to the use of IPv6 services have been added and can be enabled or disabled. These rules are as follows:
- Allow router solicitations (RS) in multicast mode or to the firewall,
- Allow requests to the DHCPv6 server and DHCPv6 multicast solicitations.