Support Center > Search Results > SecureKnowledge Details
IPv6 Limitations on Quantum Spark Appliances Technical Level
Solution

This article lists all known limitations for R80.20.X firmware versions on Quantum Spark Appliances.

Non-Supported Features

  • Management
  • Networking
  • Security
  • Services

Known Limitations

  • Gaia Clish
  • Gaia WebUI
  • Networking
  • Access and NAT
  • Threat Prevention
  • Identity Awareness
  • Management and Log Servers
  • Cluster

Non-Supported Features for IPv6

Management

  • IPv6 is not supported in LSM and SmartProvisioning
  • IPv6 is not supported in Security Management Portal (SMP)

Networking

  • Policy-based routing in IPv6
  • External syslog server 
  • Dynamic Routing 
  • Probing 
  • Single IPv6 Internet connection
  • Bond 
  • Alias IP

Security

  • Threat Emulation (works only in dual-stack)
  • Updatable objects - Geo location
  • FQDN
  • Anti-Spam
  • POP3 support
  • Dynamic objects
  • Route-based Site-to-Site VPN
  • Site-to-Site VPN with multiple links, hostname, dynamic IP address environments
  • VPN Remote Access
  • IPv4 IPsec tunnel over ipv6 non-IPsec tunnel is not supported
  • QoS 
  • Cluster High Availability in pure IPv6
  • NAT64 / NAT46
  • SSL Inspection is supported only on Locally Managed appliances
  • Browser-Based Authentication does not work in pure IPv6

Services

  • Reach My Device (RMD) - does not support pure IPv6 connections
  • Security Management Portal (SMP) - does not support pure IPv6 connections
  • Zero Touch - does not support pure IPv6 connections (you can configure IPv6 CLI configurations)
  • Firmware upgrade service - does not support pure IPv6 connections

Known Limitations

Enter the string to filter this table:

ID Description

Gaia Clish

SMB-2186 In IPv6 mode, you can only configure a bridge to the internet through the WebUI, and not CLISH.

Resolved in build 990171652

Gaia WebUI

SMB-1541 During the reboot after you switch the device to IPv6 mode via the WebUI, a session timeout popup is sometimes shown.

Networking

SMB-15419 Configuring a LAN port as internet connection is not supported with IPv6 internet connection types.
SMB-15266 NTP over IPv6 fails to connect to remote servers in a specific scenario:
1.       Configure IPv6-only NTP server addresses.
2.       Switch from NTP to manual time.
3.       Switch from manual time to NTP.
SMB-137 You cannot configure IPv6 addresses for SNMP Trap Receivers.
SMB-891 When you change a LAN interface that was previously defined with an IPv4 address and DHCP server to be pure IPv6, the DHCPv4 server must be disabled.
SMB-947 In IPv6-mode (dual stack), you can configure multiple IPv4 internet connections in HA/LS mode, but only a single IPv6 internet connection.
SMB-1529 Netflow is not supported for IPv6 traffic. 
SMB-1206 Dynamic routing is not supported for IPv6 traffic. Specific options relevant for IPv6 in dynamic routing CLISH do not apply. 
SMB-1021 Configuring additional loopback interfaces via CLISH does not support dual stack and IPv6. 
SMB-2078 DNS trap functionality in Anti-Malware is not supported for IPv6 traffic. 
SMB-2455 Bridging an IPv4 or IPv6 internet connection which is part of a dual stack is not supported.
You must bridge both of the dual stack internet connections, or separate the connections on different interfaces before bridging. 
SMB-15064 IPv6-only LAN alias isn't supported - an IPv4 address is required for each alias alongside the IPv6 address.

Access and NAT

SMB-70
The ability to inspect 6in4 or 6to4 tunnels using a service called SIT_with_Intra_Tunnel_Inspection, and to handle IPv6 extension headers (see sk39374) are not supported. 
SMB-1256
In Small and Medium Business appliances, NAT related policy changes do not apply immediately on existing ICMPv6 traffic until timeout within the connections table or reboot. New ICMPv6 connections will use the new policy immediately.
SMB-1137
In locally managed appliances, server objects are network objects with automatic access and NAT configuration. In these appliances, server objects do not support IPv6 or dual stack. Functionality for IPv6 addresses can still be obtained by manually configuring access and NAT rules.
SMB-1385  In locally managed appliances, the ability to write a free IP address for a Rule Base source and destination (access, NAT, Threat Prevention exceptions) is only available for IPv4 addresses. For IPv6/dual stack addresses, a network object must be defined and used. 
SMB-1649  NAT64 is not supported for Embedded Gaia appliances (and is not supported in the R80.10 Security Management Server). 
SMB-2122 Manual NAT rules that are configured on a dual stack locally managed cluster and that use "This gateway" object apply only to IPv4 VIP (Virtual IP address of the cluster). To create manual NAT rules for the IPv6 VIP, a manual network object must be created and used. 

Threat Prevention

SMB-15551 Threat emulation is not supported in pure ipv6 mode. It is only supported in dual stack mode.
SMB-490,
SMB-1214,
01170605
Threat Emulation does not support IPv6 traffic on Embedded Gaia appliances.
SMB-86 On Embedded Gaia appliances, the Anti-Spam blade does not support IPv6 traffic.
Refer to sk39374.
SMB-1848  
In centrally managed 1430/1450 appliances, when IPv6 mode is enabled, installing policy with all blades active and a large IPS policy as the built-in strict profile may fail with an "Installation Failed. Reason: Failed to load Policy on Security Gateway" message.
To optimize the IPS profile, refer to sk105217.
SMB-369 POP3 deep inspection is not supported for IPv6 traffic. 

Identity Awareness

SMB-1061 When using AD based rules, to make the rules apply both on IPv6 traffic and IPv4 traffic, the AD server must support dual stack and both its IPv6 and its IPv4 addresses must be configured in the Security policy.
SMB-978 The URL address for the browser based authentication portal in Identity/User awareness needs to use a "<dynamic-ip>" string instead of a hardcoded IP address to work simultaneously in a dual stack environment for both IPv4 and IPv6 traffic.
SMB-1575 In Small Office appliances, when you define a RADIUS server in a dual stack network for authentication purposes (for a captive portal or hotspot), if an IPv4 address is configured, that will be the address used. You can configure an IPv6 address without also configuring an IPv4 address.
In dual stack networks, configure the primary RADIUS server with an IPv4 address only, and the second RADIUS server with an IPv6 address only. 
SMB-2495 "Invalid object name. Name should begin with a letter and contain up to 32 alphanumeric (0-9, a-z, _ -.) characters without spaces" error when creating pure IPv6 Active Directory.

When adding Active Directory as an Authentication Server, it must be configured in Dual Stack mode.

Management and Log Servers

SMB-1467 In the Security Management web page on the gateway, the IP address used in the recent connection between management and gateway is shown. If both are defined with dual stack IPv4 and IPv6 addresses, the web page will still show the single IP address which was used.
SMB-1764 An external syslog server cannot be configured with an IPv6 address. 
SMB-15266 When configuring IPv6-only NTP servers, issues arise when changing mode to manual time and then back to NTP.

Cluster

SMB-1674
In locally managed appliances, to change an existing cluster in pure IPv4 mode to dual stack mode, you should break and rebuild the cluster, as this is a major change in network configuration.
Both members should be configured in IPv6 mode.
VPN
SMB-15573 IPv4 IPsec tunnel over an IPv6 non-IPsec tunnel is not supported.
SMB-15391 Site to site and remote access VPN are not supported when the internet connection is of type DS-Lite.

 

Revision History

Show / Hide revision history

Date Description
12 July 2021 First release of this article

Give us Feedback
Please rate this document
[1=Worst,5=Best]
Comment