R76 and above in VSX mode support IPv6. VSX R68 supports IPv6. Conversion from Security Gateway to VSX with IPv6 Enabled is not supported. Virtual Routers are not supported with IPv6. Refer to sk79700.
No IPv6-specific license is required on the Security Gateway.
In R75.40 and above, no special license is required on the Security Management Server or Domain Management Server.
On versions prior to R75.40, a valid IPv6 license is required on the Security Management Server or Provider-1 CMA / Domain Management Server, which will allow the creation of IPv6 Host and Network objects that can be incorporated into the Firewall policy. This license can be obtained for free from the User Center via Products -> Activate Advanced Features.
Note: when using pre-R71 versions of Provider-1, you will also need a license on the Provider-1 MDS.
The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO. Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
The following are some of the common IPv4 features that are not supported for IPv6. Note that installing an IPv6 Pack may enable IPv6 support for some (not all) of the features below. Refer to Release Notes for details.
Security Management Server / Provider-1 Server / Multi-Domain Security Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
NAT (includes NAT66, NAT64, and NAT46)
Security Servers - CVP, UFP, Authentication, etc.
High Availability, Load Sharing, State Synchronization
Using unsupported features with IPv6 will not produce any warning or error messages during policy compilation and installation. If such features are used, results are unpredictable, and system crashes or other security-related problems might occur.
For Gaia, go to System Management -> System Configuration, turn on IPv6 Support, and click Apply. Note: This requires a reboot to activate!
For IPSO, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files would be automatically enabled during the install process. To enable IPv6 functionality at a later stage, run the command below and reboot:
In IPv6, fragmentation is handled by the sending host (the client), not by the Security Gateway. If we receive a packet that we cannot transmit due to an MTU issue, we send back the relevant ICMP message to tell the client it needs to send a smaller packet. The client will then send us a smaller (fragmented) packet, which of course we will inspect.
By default, Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of $FWDIR/lib/table.def file on the Security Management Server.
Furthermore, as of R75.40 there is an option to block Routing Header type 0 even if the Routing header itself is allowed. It is configurable via the kernel parameter fw6_allow_rh_type_zero. The default value of 0 means type 0 is always blocked. If the value is set to 1, then the action follows the allowed_ipv6_extension_headers section.
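As an added illustration (not Check Point code), the Python below models the two controls described above over constructed raw IPv6 packets: an allow-list standing in for the allowed_ipv6_extension_headers section, and an allow_rh_type_zero flag standing in for the fw6_allow_rh_type_zero kernel parameter. The header numbers follow RFC 8200; the sample packets, helper names and the set of headers the walker understands are my own assumptions.

```python
import struct

# IPv6 extension header protocol numbers (RFC 8200 / RFC 4302); assumed constants
HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}

def check_ipv6_ext_headers(pkt, allowed=frozenset({FRAGMENT}), allow_rh_type_zero=False):
    """Walk the extension-header chain of a raw IPv6 packet and return
    ("accept", reason) or ("drop", reason). Defaults mirror the article:
    only Fragment is allowed and Routing Header type 0 is always blocked."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not an IPv6 packet"
    nxt, off = pkt[6], 40                     # Next Header field, end of fixed header
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):                # every extension header is >= 8 octets
            return "drop", "truncated extension header"
        if nxt == ROUTING and pkt[off + 2] == 0 and not allow_rh_type_zero:
            return "drop", "routing header type 0 blocked (fw6_allow_rh_type_zero=0)"
        if nxt not in allowed:
            return "drop", f"extension header {nxt} not in allowed_ipv6_extension_headers"
        if nxt == FRAGMENT:
            hdr_len = 8                       # Fragment header is fixed size
        elif nxt == AUTH:
            hdr_len = (pkt[off + 1] + 2) * 4  # AH length is in 4-octet units, minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8  # Hdr Ext Len in 8-octet units, excluding first 8
        nxt, off = pkt[off], off + hdr_len
    return "accept", f"upper-layer protocol {nxt} at offset {off}"

def ipv6_packet(ext_chain, upper=6):
    """Constructed sample packet: 40-byte fixed header plus the given extension
    headers. ext_chain is a list of (header_number, body_after_next_header_byte)."""
    body = b""
    nxts = [h for h, _ in ext_chain][1:] + [upper]
    for (_, hdr_body), nxt in zip(ext_chain, nxts):
        body += bytes([nxt]) + hdr_body
    first = ext_chain[0][0] if ext_chain else upper
    fixed = bytes([0x60, 0, 0, 0]) + struct.pack("!HBB", len(body), first, 64) + bytes(32)
    return fixed + body

# Constructed header bodies: Fragment (7 bytes), Hop-by-Hop with padding, RH type 0 and type 2
FRAG_BODY = bytes(7)
HBH_BODY = bytes([0]) + bytes(6)
RH0_BODY = bytes([0, 0, 0]) + bytes(4)
RH2_BODY = bytes([2, 2, 1]) + bytes(4) + bytes(16)
```

With the defaults, a fragmented TCP packet is accepted while Hop-by-Hop or any Routing header is dropped; enabling allow_rh_type_zero only matters once ROUTING is also in the allowed set, exactly as the kernel parameter is described above.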