IPv6 Support FAQ

Solution ID: sk39374
Product: Security Gateway, IPSec VPN
Version: R70, R71, R75, NGX R65, R75.40VS, R75.40, R76, R77
Platform / Model: All
Date Created: 14-Apr-2009
Last Modified: 30-Mar-2014
Solution


  • Does Security Gateway support IPv6?
    IPv6 is supported on all versions starting with NGX R60 (except NGX R65 HFA 30).


  • Which IPSO release has support for IPv6 for Security Gateway?
    IPSO 3.7 and above has support for IPv6 in Security Gateway.


  • Does VSX support IPv6?
    R76 in VSX mode supports IPv6.
    VSX R68 supports IPv6.
    Conversion from Security Gateway to VSX with IPv6 Enabled is not supported.
    Virtual Routers are not supported with IPv6.


  • Do you need a license to enable support for IPv6?

    No IPv6-specific license is required on the Security Gateway.

    In R75.40 and above, no special license is required on the Security Management Server or Domain Management Server.

    On versions prior to R75.40, a valid IPv6 license is required on the Security Management Server or Provider-1 CMA / Domain Management Server, which will allow the creation of IPv6 Host and Network objects that can be incorporated into the Firewall policy. This license can be obtained for free from the User Center via Products -> Activate Advanced Features.

    Note: when using pre-R71 versions of Provider-1, you will also need a license on the Provider-1 MDS.



  • Is Mobile IPv6 supported?
    Mobile IPv6 is not supported.


  • What is the IPv6Pack?
    The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO. Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.


  • Does any release incorporate IPv6Pack-level functionality?
    R75.40 and above for SecurePlatform and Gaia incorporate IPv6 support for CoreXL, SecureXL, and ClusterXL HA. No special hotfix is required.


  • Without IPv6Pack installed in pre-R75.40 releases, what features are supported in Security Gateway?
    The following is a list of supported features in the standard Security Gateway releases:
    • Dual IP Stack IPv4 and IPv6 firewall
    • IPv6 and IPv4 policy based access control
    • Dynamically updated defenses
    • Logging
    • FTP Active and FTP Passive services
    • Regular TCP and UDP services (like HTTP, SMTP, Telnet, etc.)
    • DNS
    • ICMPv6 service
    • RIPng
    • Traceroute6
    • IPv6 'Other' services
    • IPv6 fragments
    • IPv6 extension headers
    • IPv6 in IPv4 tunnels
    • fw6 command, for interfacing with the IPv6 kernel
    • VRRP with IPSO 3.8.1 and above


  • What IPv6 features are supported in VSX R68?
    The following is a list of IPv6-specific features supported in VSX R68:
    • IPv6 RFC support:
      • RFC 1981: Path Maximum Transmission Unit Discovery for IPv6
      • RFC 2462: IPv6 Stateless Address Auto-configuration
      • RFC 4007: IPv6 Scoped Address Architecture
      • RFC 4193: Unique Local IPv6 Unicast Addresses
      • RFC 4291: IPv6 Addressing Architecture
    • IPv6 Anti-Spoofing
    • IPv6 IPS Protections:
      • Non-compliant DNS for UDP traffic
      • DNS Domains Block List for UDP traffic
      • ICMPv6 Maximum Ping Size
      • ICMPv6 Small PMTU Bandwidth Attack
    • 6in4 tunnel support
    • SecureXL accelerates IPv6 traffic
    • ClusterXL IPv6 support:
      • State synchronization support for IPv6 connections
      • High Availability and VSLS support for IPv6
    • STP Bridge Mode IPv6 Support
    • IPv6 support for source-based routing


  • What are the most common unsupported features/products with IPv6 in releases prior to R76?
    The following are some of the common IPv4 features that are not supported for IPv6. Note that installing an IPv6 Pack may enable IPv6 support for some (not all) of the features below. Refer to Release Notes for details.
    • Security Management Server / Provider-1 Server / Multi-Domain Security Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
    • SmartDefense/IPS
    • SynDefender
    • VPN
    • QoS
    • NAT (includes NAT66, NAT64, and NAT46)
    • Security Servers: CVP, UFP, Authentication, etc.
    • SAM
    • CPMAD
    • Sequence Verification
    • Boot security
    • High Availability, Load Sharing, State Synchronization
    • CoreXL
    • SecureXL
    • ClusterXL (see sk35178)
    • VPN-1 Power VSX
    • Dynamic Routing (SecurePlatform based Platforms)
    • Software Blades other than Firewall
    • Other features not explicitly mentioned as supported with IPv6


  • Is there any performance degradation when IPv6 is enabled?
    In releases prior to R75.40 where IPv6Pack is not installed, enabling IPv6 will have the following impact:
    • CoreXL will be disabled
    • SecureXL will only accelerate IPv4 traffic


  • Is there any safeguard that prevents the use of unsupported features?
    No. Using unsupported features with IPv6 does not produce any warning or error message during policy compilation or installation. If they are used, results are unpredictable, and system crashes or other security-related problems might occur.


  • How to enable IPv6 support on the Security Gateway?

    For SecurePlatform, refer to sk34552.

    For Gaia, go to System Management -> System Configuration, turn on IPv6 Support, and click Apply.
    Note: This requires a reboot to activate!

    For IPSO, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files would be automatically enabled during the install process. To enable IPv6 functionality at a later stage, run the command below and reboot:

    ipso[admin]# $FWDIR/scripts/fwipv6_enable



  • Can I have a Security Gateway that only runs IPv6?

    In R76, it is possible to operate a Security Gateway (regular or VS mode) entirely with IPv6.

    In releases prior to R76, management occurs only over IPv4. In this case, all Security Gateways are required to have interfaces configured with valid IPv4 addresses.



  • How to disable IPv6 on the machine?
    To disable IPv6 on a machine with IPv6 enabled in SecurePlatform or IPSO, run the command below and reboot:

    # $FWDIR/scripts/fwipv6_enable off

    In Gaia, go to System Management -> System Configuration, turn off IPv6 Support, and click Apply.
    Note: this will immediately reboot your gateway!

    To disable IPv6 functionality completely, remove the IPv6 license from the Security Management Server and disable IPv6 on all the Security Gateways.



  • How does the gateway handle fragmented IPv6 traffic?
    In IPv6, fragmentation is handled by the client. If the gateway receives a packet that it cannot transmit due to an MTU issue, it sends back the relevant ICMP message to tell the client to send a smaller packet. The client then sends a smaller (fragmented) packet, which the gateway inspects.


  • How to handle IPv6 Extension Headers
    By default, Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of $FWDIR/lib/table.def file on the Security Management Server.

    Furthermore, as of R75.40 there is an option to block Routing header type 0 even if the Routing header is allowed. It is configurable via the kernel parameter fw6_allow_rh_type_zero. The default value of 0 means type 0 is always blocked. If the value is set to 1, the action is determined by allowed_ipv6_extension_headers.
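
The following added example (not Check Point code and not table.def syntax) models the decision described above, so that sample packets can be checked against it. The function names and the Python parameters `allowed` and `allow_rh_type_zero`, which stand in for allowed_ipv6_extension_headers and fw6_allow_rh_type_zero, are assumptions, as is the choice to walk only the Hop-by-Hop, Routing, Fragment and Destination Options headers.

```python
import struct

# IANA Next Header numbers for the extension headers this model walks.
# Assumption: AH (51) and ESP (50) are treated as upper-layer payload here.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def walk_ext_headers(packet: bytes):
    """Yield (header_type, routing_type or None) for each extension header."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = packet[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(packet):
            raise ValueError("truncated extension header")
        following = packet[off]
        # Fragment header is always 8 bytes; the others are (Hdr Ext Len + 1) * 8.
        length = 8 if nxt == FRAGMENT else (packet[off + 1] + 1) * 8
        if off + length > len(packet):
            raise ValueError("truncated extension header")
        yield nxt, (packet[off + 2] if nxt == ROUTING else None)
        nxt, off = following, off + length

def verdict(packet, allowed=frozenset({FRAGMENT}), allow_rh_type_zero=0):
    """Model of the documented policy: only headers in `allowed` pass, and
    Routing type 0 is dropped unless allow_rh_type_zero is 1."""
    try:
        for hdr, rtype in walk_ext_headers(packet):
            if hdr == ROUTING and rtype == 0 and not allow_rh_type_zero:
                return "drop: routing header type 0"
            if hdr not in allowed:
                return f"drop: extension header {hdr}"
    except ValueError as err:
        return f"drop: {err}"
    return "accept"

def ipv6(first_next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet from ::1 to ::2 (not captured traffic)."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), first_next_header, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

FRAG_PKT = ipv6(FRAGMENT, bytes([17, 0, 0, 0, 0, 0, 0, 1]) + bytes(8))
HBH_PKT = ipv6(HOP_BY_HOP, bytes([6, 0, 1, 4, 0, 0, 0, 0]))
RH0_PKT = ipv6(ROUTING, bytes([59, 2, 0, 1]) + bytes(4) + bytes(16))

if __name__ == "__main__":
    for name, pkt in [("fragment", FRAG_PKT), ("hop-by-hop", HBH_PKT), ("RH0", RH0_PKT)]:
        print(name, "->", verdict(pkt))
    print("RH0, flag=1, 43 allowed ->", verdict(RH0_PKT, frozenset({FRAGMENT, ROUTING}), 1))
```

Setting the flag to 1 does not by itself admit Routing type 0 in this model: the packet is accepted only when the Routing header (43) is also in the allowed set.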


  • IPv6 support in R75.4x and R75.40VS
    • Has IPv6 for firewall with CoreXL, ClusterXL HA and SecureXL for IPv6 on SecurePlatform and Gaia
    • No IPv6 support for other Software Blades (including VPN)
    • No IPv6-related NAT (either v6 to v4, v4 to v6, or v6 to v6)
    • No ClusterXL Load Sharing
    • No support for IPv6 dynamic routing on SecurePlatform or Gaia (IPSO supports this)


  • IPv6 support in R76 and R77
    • Many Blades are supported with IPv6 in Gaia in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, App Control, URL Filtering, IPS, Anti-Bot, Anti-Virus, and Anti-Malware)
    • QoS is only supported with IPv4 traffic
    • Mobile Access Blade Portal and Mobile Enterprise are supported on R77.10 and above from the client to the gateway only (from gateway to backend servers still requires IPv4)
    • SecurePlatform and IPSO are not supported with IPv6 in R76 and above
    • Network Objects support both IPv4 and IPv6 addresses in the same object
    • Many legacy features do not support IPv6
    • CoreXL and SecureXL are supported
    • High Availability supported with VRRP v3 or ClusterXL
    • ClusterXL Load Sharing not supported
    • Dynamic Routing is supported without HA or with VRRPv3 (not ClusterXL)
    • NAT66 is supported
    • The following features are supported in Security Gateway mode but not in VSX Mode:
      • IPv6 Dynamic Routing
      • Site to Site VPN
    • Refer to the R76 Release Notes for additional details and limitations


  • Why do SecurePlatform and IPSO not support IPv6 in R76 and above?
    The changes required to support additional features with IPv6 in R76 and above utilize OS-related infrastructure not present in SecurePlatform or IPSO.


  • Can we inspect 6in4 or 6to4 tunnels?

    If you define an IPv6 rule and the traffic is tunneled in IPv4, you will not be able to enforce the rule unless you also use a service called SIT_with_Intra_Tunnel_Inspection.

    If the Security Gateway does the tunnel termination, then the firewall kernel will be able to enforce your rule as it sees the IPv6 packet.

    Note: this feature requires IPv6 support be enabled as the tunneled IPv6 traffic is inspected by the IPv6 kernel (different from the IPv4 one).



  • Can link-local addresses be used for virtual IPs in ClusterXL and/or VRRP?
    Yes, subject to the following limitations:
    • In ClusterXL, only one interface can use link-local addresses
    • In VRRPv3, all interfaces can use link-local addresses provided each interface uses a unique address (i.e. they cannot all be fe80::1).


  • Does SmartDashboard support IPv6?
    Yes, provided the operating system on which SmartDashboard is installed is configured to work correctly with IPv6.


  • Is Full HA supported with IPv6?
    It is supported with the following limitations:
    • No IPv6 Dynamic Routing (ClusterXL Limitation in R76 and above)
      • IPv4 Dynamic Routing is Supported
    • Dual Stack Only (Full HA requires use of IPv4)
      • Monitored Interfaces must have IPv4 addresses
      • Sync traffic is also IPv4


 


 

Imported from Nokia support database