Migration from Traditional mode to Simplified mode
Tunnel Management (permanent tunnels)
Directional VPN Enforcement
Tunnel View in SmartView Monitor
VPN Overview page
vpn_route.conf configuration file
IPv6 is supported in IPsec VPN communities with the following limitations:
IPv6 is supported for Site-to-Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
R76 and higher in VSX mode support IPv6. VSX R68 supports IPv6. Conversion from Security Gateway to VSX with IPv6 Enabled is not supported. Virtual Routers are not supported with IPv6. Refer to sk79700.
61000 / 4100 Appliances support IPv6 in VSX VSLS configuration starting in R76SP.20 (refer to sk116241).
For IPSO OS, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files would be automatically enabled during the install process. To enable IPv6 functionality at a later stage, run the command below and reboot:
In IPv6, fragmentation is handled by the client. If we receive a packet that we cannot transmit due to an MTU issue, we send back the relevant ICMP message to tell the client they need to send a smaller packet. The client will send us a smaller (fragmented) packet, which of course we will inspect.
By default, Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of $FWDIR/lib/table.def file on the Security Management Server.
Furthermore, there is an option to block type zero even if Routing header is allowed. It is configurable via a kernel parameter fw6_allow_rh_type_zero. The default of 0 means it is always blocked. If the value is set to 1, then the action is according to allowed_ipv6_extension_headers.
Many Software Blades are supported with IPv6 in Gaia OS in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, and Anti-Malware)
The Traditional Anti-Virus mode is not supported
On pre-R80.10, QoS is supported only with IPv4 traffic
Mobile Access Blade Portal and Mobile Enterprise are supported in R77.10 and higher from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
SecurePlatform and IPSO are not supported with IPv6 in R76 and higher
Network Objects support both IPv4 and IPv6 addresses in the same object
The following features are not supported with IPv6 in either Security Gateway mode or VSX mode:
The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO. Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
Using unsupported features with IPv6 will not give any warning or error messages during policy compilation and installation. If used, results are unpredictable and system crashes or other security related problems might occur.