R80.30 IPv6 features and limitations
Solution

 

This article summarizes the supported features and the limitations of IPv6 in Gaia OS R80.30:

Note: This article is related to R80.30 2.6.18 GA (T200) and to R80.30 3.10 GA (T300).

Supported Features

  • IPsecVPN
  • SecureXL
  • CoreXL
  • ClusterXL High Availability mode
  • ClusterXL Load Sharing with IPv6 VPN
  • VSX
  • SSL Inspection
  • VSX VSLS in 64000 / 61000 / 44000 / 4100 Appliances
  • Several Software Blades in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, Anti-Malware, Threat Emulation and Threat Extraction)
  • Support for locally and centrally managed 700 / 1400 / 1200R appliances.
  • All IPv6 status information is synchronized and the IPv6 clustering mechanism is activated during fail-over.
  • Mobile Access Blade Portal and Mobile Enterprise are supported from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
  • Capsule Connect (iOS)
  • Network Objects support both IPv4 and IPv6 addresses in the same object
  • Netflow reporting of IPv6 Connections
  • SynDefender
  • Dynamic Routing support for IPv6 (in ClusterXL for gateway-mode and VSX mode, and in VRRPv3 for gateway-mode):
    • BGP including IPv6 MD5 authentication for BGP
    • BFD support
    • Graceful Restart
    • OSPF including Multiple Instances
    • RIPng for IPv6
    • DHCP Relay
    • Inbound Route Filtering
    • Route Redistribution
  • SmartConsole supports IPv6, provided the operating system on which SmartConsole is installed is configured to work correctly with IPv6.
  • Dual IP Stack IPv4 and IPv6 firewall
  • IPv6 and IPv4 policy based access control
  • Dynamically updated defenses
  • Logging
  • FTP Active and FTP Passive services
  • Regular TCP and UDP services (like HTTP, SMTP, Telnet, etc.)
  • DNS
  • ICMPv6 service
  • Traceroute6
  • IPv6 'Other' services
  • IPv6 fragments
  • IPv6 extension headers
  • IPv6 in IPv4 tunnels
  • fw6 command, for interfacing with the IPv6 kernel
  • NAT66
  • NAT46 (Kernel 2.6.18)
  • NAT64 (Kernel 2.6.18)
  • HTTPS Inspection (can be activated with some limitations; see sk90840)
  • Gateways with a dynamic IP address
  • Dynamic Objects
  • Groups with Exclusions
  • The following features are supported in Security Gateway mode, but not in VSX mode:
    • Site-to-Site VPN
  • Full HA is supported with the following limitations:
    • Dual Stack Only (Full HA requires use of IPv4)
      • Monitored Interfaces must have IPv4 addresses
      • Sync traffic is also IPv4
  • IPv6-specific features supported in VSX
    • IPv6 Anti-Spoofing
    • IPv6 IPS Protections:
      • Non-compliant DNS for UDP traffic
      • DNS Domains Block List for UDP traffic
      • ICMPv6 Maximum Ping Size
      • ICMPv6 Small PMTU Bandwidth Attack
    • 6in4 tunnel support
    • ClusterXL IPv6 support:
      • State synchronization support for IPv6 connections
      • High Availability and VSLS support for IPv6
    • STP Bridge Mode IPv6 Support



Limitations

The following features are not supported with IPv6 on Gaia OS R80.30:

  • Capsule VPN (Android)
  • SAM
  • CPMAD
  • Security Servers: CVP, UFP, Authentication, etc.
  • Threat Extraction for Web-downloaded files
  • Anti-Bot DNS Trap
  • Anti-Bot Suspicious Mail Activity protection
  • Dynamic Routing Features which are not supported with IPv6 include:
    • Policy Based Routing
    • PIM IPv6
    • ECMP
    • IP Broadcast Helper
    • VRRPv3 with PIM, Simplified VRRP configuration and Autodetection
    • IPv6 support for source-based routing
  • Netflow: IPv6 Netflow collectors
  • NAT46 (Kernel 3.10)
  • NAT64 (Kernel 3.10)
  • 1500 appliance series
  • The following VPN features are not supported for IPv6:
    • VSX:
      • Conversion from Security Gateway to VSX with IPv6 Enabled is not supported
      • VSX Virtual Routers are not supported with IPv6. Refer to sk79700.
    • Remote Access VPN
    • CRL fetch for the internal Certificate Authority
    • Multiple Entry Points (MEP)
    • Route-based VPN (VTI)
    • Wire Mode VPN
    • Route Injection Mechanism (RIM)
    • Traditional mode Firewall Policies
    • IKE Denial of Service protection
    • IKE Aggressive Mode
    • Traditional Mode VPN
    • Migration from Traditional mode to Simplified mode
    • Tunnel Management (permanent tunnels)
    • Directional VPN Enforcement
    • Link Selection
    • GRE Tunnels
    • Tunnel View in SmartView Monitor
    • VPN Overview page
    • vpn_route.conf configuration file
  • Prefix Delegation
  • Traditional Anti-Virus mode
  • Legacy URL Filtering
  • Rules with Resources
  • Legacy Authentication methods (Client/User/Session Auth)
  • OSE Devices
  • User Authority
  • Some OPSEC Protocols (LEA, ELA, CVP, UFP, SAM)
  • IPv6 addresses are not supported for RADIUS servers
  • IPv6 is not supported on 600 / 1100 SMB appliances
  • The "vsx_util change_mgmt_subnet" command does not support IPv6
  • IPv6 addresses for management interface
  • Multi-Domain Security Management
  • CRL validation is not supported in pure IPv6 environments (when IPv4 addresses are not configured on the Security Gateway's interfaces).
  • Security Management Server / Multi-Domain Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
  • Sequence Verification
  • Boot security

 

In the context of the Management environment itself, there are two main limitations where IPv6 is not supported:

  1. Management servers must use IPv4 as their main IPs and cannot communicate with each other over IPv6.
    • For example, two Management servers cannot perform HA sync with each other over IPv6.
  2. Management servers cannot manage gateways that have IPv6 as their primary IP.
    • For example, the Management cannot install policy to a gateway target that has an IPv6 address.

 

IPv6 Traffic Handling

All tables contain real IPv6 addresses, and packets are inspected the same way for IPv4 and IPv6.

Performance with IPv6 enabled

Enabling IPv6 support has some performance implications on both IPv6 and IPv4 traffic. More memory is needed for IPv6 versions of CoreXL and SecureXL (Performance Pack), which will reduce IPv4 concurrent connection capacity by approximately 30% (exact amount depends on available memory). IPv4 packet rate/throughput and connection rate should not be impacted.

For a given appliance, the IPv6 connection rate is approximately 40% lower than the corresponding number for IPv4. The concurrent connection rate for IPv6 will be 50% lower than the IPv4 number. In both cases, this is due to the increased memory needed to process IPv6 traffic.

 

Supported IPv6 RFCs

  • RFC 1981 - Path Maximum Transmission Unit Discovery for IPv6
  • RFC 2460 - IPv6 Basic specification
  • RFC 2464 - Transmission of IPv6 Packets over Ethernet Networks
  • RFC 3596 - DNS Extensions to support IPv6
  • RFC 4007 - IPv6 Scoped Address Architecture
  • RFC 4193 - Unique Local IPv6 Unicast Addresses
  • RFC 4213 - Basic Transition Mechanisms for IPv6 Hosts and Routers - 6in4 tunnel is supported
  • RFC 4291 - IPv6 Addressing Architecture (which replaced RFC1884)
  • RFC 4443 - ICMPv6
  • RFC 4861 - Neighbor Discovery
  • RFC 4862 - IPv6 Stateless Address Auto-configuration
  • RFC 2462 - IPv6 Stateless Address Auto-configuration
  • RFC 5952 - A Recommendation for IPv6 Address Text Representation

 


Revision History


Date Description
08-Jan-2020
  • Added 'NAT46 (Kernel 2.6.18)' and 'NAT64 (Kernel 2.6.18)' to Supported Features
07-Jan-2020
  • Removed 'NAT46' and 'NAT64' from Supported features
  • Removed 'IPv4 and IPv6 Dynamic Routing is no supported' from 'Full HA is supported with the following limitations:'
15-Dec-2019
  • Removed 'IPv6 support for source-based routing' from Supported Features
29-Oct-2019
  • First release of this article
