IPv6 support for 700 / 1200R / 1400 SMB Appliances
Solution

IPv6 is supported for locally and centrally managed 700 / 1400 / 1200R appliances starting from R77.20.60.

Central management of IPv6 functionality requires R80.10 Security Management Server with Hotfix.
For download links, refer to sk117732 - R77.20.60 for Small and Medium Business Appliances.

Contact Check Point Support for R80.10 Hotfix with IPv6 support for SMB appliances.

Table of Contents

  • Supported Features
  • Known Limitations
  • Related solutions

Supported Features

Networking

  • Single IPv6 internet connection for static IP address, dynamic (SLAAC/DHCP), or PPPoEv6
  • Ability to configure a single PPPoE dialer connection that gets both IPv4 and IPv6 addresses from the ISP
  • Ability to configure a bridge to an external WAN with dual stack or IPv6 address
  • Local network with dual stack / pure IPv6, including tag-based VLAN and wireless
  • SLAAC for internal interfaces
  • DHCPv6 Server for internal interfaces
  • Hotspot DNS and DNS proxy, host names (defined via network objects)
  • Routing (Note: IPv6 routing rules are separate, with no policy-based or dynamic routing.)
  • SNMP
  • NTP
  • Admin access, admin definition and authentication from RADIUS
  • Tools page
  • Local Cluster (supported since build 990171652)

Security

  • NAT
  • Application Control and URL Filtering
  • IPS
  • Anti-Virus (not supported in POP3)
  • Anti-Bot
  • VPN site to site
  • User Awareness (Captive portal and Active Directory), user definition via RADIUS
  • Pure IPv6 / dual stack network objects in all supported Software Blades
  • Cluster High Availability in dual stack networks
  • Gateway behind proxy 
  • Get license from the gateway 
  • Management through IPv6 traffic
  • Locally managed external security Log server

Monitoring

  • Overview page
  • Security logs page
  • Reports/Monitoring pages
  • Active hosts
  • VPN Tunnels
  • Connections view
  • Syslogs view

 

Known Limitations for IPv6

Unsupported Features for IPv6

Platforms

  • IPv6 is not supported on 600 / 1100 appliances

Management

  • IPv6 is not supported in Security Management Server R77.30
  • IPv6 is not supported in LSM and SmartProvisioning
  • IPv6 is not supported in Security Management Portal (SMP) 

Networking

  • Policy based routing in IPv6
  • Prefix delegation
  • External syslog server
  • Dynamic Routing 

Security

  • Threat Emulation
  • Anti-Spam
  • POP3 support 
  • Dynamic objects
  • Route-based VPN site-to-site
  • VPN site-to-site with multiple links, hostname, dynamic IP address environments
  • VPN Remote Access 
  • QoS
  • Cluster High Availability in pure IPv6
  • NAT64 / NAT46
  • SSL Inspection is supported only for centrally managed appliances

 

Table of Contents

  • Command Line Interface (CLI) - CLISH
  • WebUI
  • Threat Prevention
  • Access & NAT
  • Cluster
  • Networking
  • Identity Awareness
  • Management & Log servers
ID Symptoms
Command Line Interface (CLI) - CLISH
SMB-1725 In 600/1100 appliances, the "show interface" CLISH command shows empty IPv6 address-related fields even though these appliances do not support IPv6-mode.
SMB-2186 In IPv6 mode, you can configure a bridge to the internet only through the WebUI, not through CLISH.
  • Resolved in build 990171652
WebUI
SMB-1541 During the reboot after you switch the device to IPv6 mode via the WebUI, a session timeout popup is sometimes shown.
Threat Prevention
SMB-490, SMB-1214, 01170605 Threat Emulation does not support IPv6 traffic on Embedded Gaia appliances.
SMB-86 On Embedded Gaia appliances, the Anti-Spam blade does not support IPv6 traffic.
Refer to sk39374.
SMB-1848 In centrally managed 1430/1450 appliances, when IPv6 mode is enabled, installing policy with all blades active and a large IPS policy, such as the built-in strict profile, may fail with an "Installation Failed. Reason: Failed to load Policy on Security Gateway" message.
  • To optimize the IPS profile, refer to sk105217.
SMB-369 POP3 deep inspection is not supported for IPv6 traffic. 
Access & NAT
SMB-70 Inspecting 6in4 or 6to4 tunnels with the service called SIT_with_Intra_Tunnel_Inspection, and handling IPv6 extension headers (see sk39374), are not supported.
SMB-1256 In Small and Medium Business appliances, NAT-related policy changes do not apply to existing ICMPv6 traffic until the connections time out in the connections table or the appliance is rebooted. New ICMPv6 connections use the new policy immediately.
SMB-1137 In locally managed appliances, server objects are network objects with automatic access and NAT configuration. In these appliances, server objects do not support IPv6 or dual stack. Functionality for IPv6 addresses can still be obtained by manually configuring access and NAT rules.
SMB-1385 In locally managed appliances, the ability to enter an IP address as free text for a Rule Base source and destination (access, NAT, Threat Prevention exceptions) is available only for IPv4 addresses. For IPv6/dual stack addresses, a network object must be defined and used.
SMB-1649 NAT64 is not supported for Embedded Gaia appliances (and is not supported in the R80.10 Security Management Server).
SMB-2122 Manual NAT rules that are configured on a dual stack locally managed cluster and that use the "This gateway" object apply only to the IPv4 VIP (Virtual IP address of the cluster). To create manual NAT rules for the IPv6 VIP, a manual network object must be created and used.
Cluster
SMB-1674  In locally managed appliances, to change an existing cluster in pure IPv4 mode to dual stack mode, you should break and rebuild the cluster, as this is a major change in network configuration.
  • Both members should be configured in IPv6 mode.
Networking
SMB-137 You cannot configure IPv6 addresses for SNMP Trap Receivers.
SMB-891 When you change a LAN interface that was previously defined with an IPv4 address and DHCP server to be pure IPv6, the DHCPv4 server must be disabled.
SMB-947 In IPv6-mode (dual stack), you can configure multiple IPv4 internet connections in HA/LS mode, but only a single IPv6 internet connection.
SMB-1529 Netflow is not supported for IPv6 traffic. 
SMB-1206 Dynamic routing is not supported for IPv6 traffic. Specific options relevant for IPv6 in dynamic routing CLISH do not apply. 
SMB-1021 Configuring additional loopback interfaces via CLISH does not support dual stack and IPv6. 
SMB-2078 DNS trap functionality in Anti-Malware is not supported for IPv6 traffic. 
SMB-2455 Bridging an IPv4 or IPv6 internet connection which is part of a dual stack is not supported.
  • You must bridge both of the dual stack internet connections, or separate the connections on different interfaces before bridging. 
Identity Awareness
SMB-1061 When using AD based rules, to make the rules apply both on IPv6 traffic and IPv4 traffic, the AD server must support dual stack and both its IPv6 and its IPv4 addresses must be configured in the Security policy.
SMB-978 The URL address for the browser based authentication portal in Identity/User awareness needs to use a "<dynamic-ip>" string instead of a hardcoded IP address to work simultaneously in a dual stack environment for both IPv4 and IPv6 traffic.
SMB-1575 In Small Office appliances, when you define a RADIUS server in a dual stack network for authentication purposes (for a captive portal or hotspot), if an IPv4 address is configured, that will be the address used. You can configure an IPv6 address without also configuring an IPv4 address.
  • In dual stack networks, configure the primary RADIUS server with an IPv4 address only, and the second RADIUS server with an IPv6 address only. 
SMB-2495 The "Invalid object name. Name should begin with a letter and contain up to 32 alphanumeric (0-9, a-z, _ -.) characters without spaces" error is shown when creating a pure IPv6 Active Directory.
  • When adding Active Directory as an Authentication Server, it must be configured in Dual Stack mode.
Management & Log servers
SMB-1467 In the Security Management web page on the gateway, the IP address used in the recent connection between management and gateway is shown. If both are defined with dual stack IPv4 and IPv6 addresses, the web page will still show the single IP address which was used.
SMB-1764 An external syslog server cannot be configured with an IPv6 address. 

 

Related solution: sk39374 - IPv6 Support FAQ
