IPv6 Support FAQ
Solution

  • VPN Support with IPv6
    These VPN features are not supported for IPv6:

    • VSX
    • Remote Access VPN
    • CRL fetch for the internal Certificate Authority
    • Multiple Entry Points (MEP)
    • Route-based VPN (VTI)
    • Wire Mode VPN
    • Gateways with a dynamic IP address
    • Route Injection Mechanism (RIM)
    • Traditional mode Firewall Policies
    • IKE Denial of Service protection
    • IKE Aggressive Mode
    • Gateways with Dynamic IP addresses
    • Traditional Mode VPN
    • Migration from Traditional mode to Simplified mode
    • Tunnel Management (permanent tunnels)
    • Directional VPN Enforcement
    • Link Selection
    • GRE Tunnels
    • Tunnel View in SmartView Monitor
    • VPN Overview page
    • vpn_route.conf configuration file


    IPv6 is supported in IPsec VPN communities with the following limitations:

    • IPv6 is supported for Site-to-Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
    • IPv6 supports IKEv2 encryption only. IKEv2 is always used automatically for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
    • VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
  • Which IPSO release has support for IPv6 for Security Gateway?
    IPSO 3.7 and above support IPv6 in Security Gateway.
  • Does VSX support IPv6?
    • R76 and above in VSX mode support IPv6.
      VSX R68 supports IPv6.
      Conversion from Security Gateway to VSX with IPv6 Enabled is not supported.
      Virtual Routers are not supported with IPv6.
      Refer to sk79700.

    • 61000 / 4100 Appliances support IPv6 in VSX VSLS configuration starting in R76SP.20 (refer to sk116241).

  • Do you need a license to enable support for IPv6?

    No IPv6-specific license is required on the Security Gateway.

    In R75.40 and above, no special license is required on the Security Management Server or Multi-Domain Management Server.

  • R76 - R77x and R80.10 features not supported by IPv6
    The following features are NOT supported in R76 - R77x and R80.10:

    • ClusterXL Load Sharing
    • NAT46 and NAT64*
      *NAT64 is supported in LTE versions and on R77.30 + Add-on, but NOT in R80.10
    • Mobile IPv6
    • QoS
    • SAM
    • CPMAD
    • Security Servers: CVP, UFP, Authentication, etc.
    • Dynamic Routing in SecurePlatform
  • Is Full HA supported with IPv6?
    It is supported with the following limitations:
    • No IPv6 Dynamic Routing (ClusterXL Limitation in R76 and above)
      • IPv4 Dynamic Routing is Supported
    • Dual Stack Only (Full HA requires use of IPv4)
      • Monitored Interfaces must have IPv4 addresses
      • Sync traffic is also IPv4
  • How to enable IPv6 support on the Security Gateway?

    For SecurePlatform, refer to sk34552.

    For Gaia, go to System Management -> System Configuration, turn on IPv6 Support, and click Apply.
    Note: This requires a reboot to activate!

    For IPSO, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files would be automatically enabled during the install process. To enable IPv6 functionality at a later stage, run the command below and reboot:

    ipso[admin]# $FWDIR/scripts/fwipv6_enable

  • Can I have a Security Gateway that only runs IPv6?

    Starting from R76, it is possible to operate a Security Gateway (regular or VS mode) entirely with IPv6.

    In releases prior to R76, Management only occurs over IPv4. In this case, all Security Gateways are required to have interfaces configured with valid IPv4 addresses.

  • How to disable IPv6 on the machine?
    To disable IPv6 on a machine with IPv6 enabled in SecurePlatform or IPSO, run the command below and reboot:

    # $FWDIR/scripts/fwipv6_enable off

    In Gaia, go to System Management -> System Configuration, turn off IPv6 Support, and click Apply.
    Note: this will immediately reboot your gateway!

    To disable IPv6 functionality completely, remove the IPv6 license from the Security Management Server and disable IPv6 on all the Security Gateways.

  • How does the gateway handle fragmented IPv6 traffic?
    In IPv6, fragmentation is handled by the client. If we receive a packet that we cannot transmit due to an MTU issue, we send back the relevant ICMP message to tell the client they need to send a smaller packet. The client will send us a smaller (fragmented) packet, which of course we will inspect.
  • How to handle IPv6 Extension Headers
    By default, Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of the $FWDIR/lib/table.def file on the Security Management Server.

    Furthermore, as of R75.40 there is an option to block Routing header type zero even if the Routing header is allowed. It is configured via the kernel parameter fw6_allow_rh_type_zero. With the default value of 0, type zero is always blocked. If the value is set to 1, the action follows allowed_ipv6_extension_headers.
  • IPv6 support in R76 and R77
    • Many Software Blades are supported with IPv6 in Gaia OS in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, and Anti-Malware)
    • The Traditional Anti-Virus mode is not supported
    • QoS is supported only with IPv4 traffic
    • Mobile Access Blade Portal and Mobile Enterprise are supported in R77.10 and above from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
    • SecurePlatform and IPSO are not supported with IPv6 in R76 and above
    • Network Objects support both IPv4 and IPv6 addresses in the same object
    • The following features are not supported with IPv6 in either Security Gateway mode or VSX mode:
      • Dynamic Objects
      • Groups with Exclusions
      • Legacy URL Filtering
      • Rules with Resources
      • Legacy Authentication methods (Client/User/Session Auth)
      • OSE Devices
      • User Authority
      • Some OPSEC Protocols (LEA, ELA, CVP, UFP, SAM)
      • SmartView Tracker does not show IPv6 information
      • SecurePlatform OS R76 and above
      • IPSO OS with R76 and above
      • QoS (supported with IPv4 traffic only)
      • ClusterXL High Availability and Load Sharing
      • HTTPS Inspection (However, it can be activated with some limitations. See sk90840.)
    • SecureXL is supported
    • CoreXL is supported
    • High Availability is supported in VRRPv3 only
    • ClusterXL Load Sharing and High Availability are not supported
    • Dynamic Routing is supported in VRRPv3
    • NAT46:
      • supported in R76 as part of R76.LTE (Long Term Evolution) Hotfix (refer to sk95768)
      • supported in R77.10 as part of R77.10.LTE Hotfix (refer to sk100446)
      • not supported in R77.30 and above 
    • NAT64 is supported in R77.30 (requires R77.30 Add-On)
    • NAT66 is supported
    • The following features are supported in Security Gateway mode, but not in VSX mode:
      • IPv6 Dynamic Routing
      • Site-to-Site VPN

  • Why do SecurePlatform and IPSO not support IPv6 in R76 and above?
    The changes required to support additional features with IPv6 in R76 and above utilize OS-related infrastructure not present in SecurePlatform OS or IPSO OS.
  • Can we inspect 6in4 or 6to4 tunnels?

    If you define an IPv6 rule and the traffic is tunneled in IPv4, the rule cannot be enforced unless you also use a service called SIT_with_Intra_Tunnel_Inspection.

    If the Security Gateway does the tunnel termination, then the firewall kernel will be able to enforce your rule as it sees the IPv6 packet.

    Note: this feature requires IPv6 support be enabled as the tunneled IPv6 traffic is inspected by the IPv6 kernel (different from the IPv4 one).

  • Can link-local addresses be used for virtual IPs in ClusterXL and/or VRRP?
    Link-local VIP is available only with VRRPv3. The user must ensure that all physical link-local addresses are unique. For example, no two interfaces may be configured with fe80::1.
  • Does SmartConsole support IPv6?
    Yes, provided the operating system on which SmartConsole is installed is configured to work correctly with IPv6.
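
The extension-header handling described under "How to handle IPv6 Extension Headers", modelled as an added Python example (not Check Point code, and not the table.def syntax). The function name, the `allowed` set, the `allow_rh_type_zero` argument and the sample packets are constructed for illustration; treating Next Header values 0, 43, 44 and 60 as the extension headers is an assumption of this model.

```python
import struct

# Next Header values handled as extension headers in this model (assumption).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def check_ext_headers(packet, allowed=frozenset({FRAGMENT}), allow_rh_type_zero=0):
    """Walk the header chain of a raw IPv6 packet; return (verdict, reason).

    `allowed` stands in for allowed_ipv6_extension_headers and
    `allow_rh_type_zero` for fw6_allow_rh_type_zero; both are hypothetical
    Python stand-ins whose defaults follow the FAQ text.
    """
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop", "not a complete IPv6 header"
    next_hdr, offset = packet[6], 40
    while next_hdr in EXT_HEADERS:
        hdr = packet[offset:offset + 8]
        size = 8 if next_hdr == FRAGMENT or len(hdr) < 8 else (hdr[1] + 1) * 8
        if len(hdr) < 8 or offset + size > len(packet):
            return "drop", "truncated extension header"
        # Type 0 routing header: blocked unless the flag defers to `allowed`.
        if next_hdr == ROUTING and hdr[2] == 0 and not allow_rh_type_zero:
            return "drop", "routing header type 0"
        if next_hdr not in allowed:
            return "drop", "extension header %d not allowed" % next_hdr
        # Later fragments do not begin with a header, so stop walking there.
        if next_hdr == FRAGMENT and struct.unpack("!H", hdr[2:4])[0] >> 3:
            return "accept", "non-first fragment"
        next_hdr, offset = hdr[0], offset + size
    return "accept", "upper-layer protocol %d" % next_hdr

def ipv6(next_hdr, payload):
    """Constructed sample packet: hop limit 64, source ::1, destination ::2."""
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_hdr, 64)
    return fixed + bytes(15) + b"\x01" + bytes(15) + b"\x02" + payload

# Constructed samples: UDP (17) behind a type 0 routing header, a first
# fragment, and a hop-by-hop header carrying one PadN option.
RH0 = ipv6(ROUTING, bytes([17, 2, 0, 1]) + bytes(20) + bytes(8))
FRAG = ipv6(FRAGMENT, bytes([17, 0, 0, 1, 0, 0, 0, 1]) + bytes(8))
HBH = ipv6(HOP_BY_HOP, bytes([17, 0, 1, 4, 0, 0, 0, 0]) + bytes(8))

if __name__ == "__main__":
    for name, pkt in (("RH0", RH0), ("FRAG", FRAG), ("HBH", HBH)):
        print(name, check_ext_headers(pkt))
    print("RH0, flag=1:", check_ext_headers(RH0, {ROUTING, FRAGMENT}, 1))
```

With the defaults only the fragmented packet passes. The type 0 routing header is accepted only when the routing header is in the allowed set and the flag is 1.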

Old versions

  • What are the most common unsupported features/products with IPv6 in pre-R76?
    The following are some of the common IPv4 features that are not supported for IPv6:
    • Security Management Server / Multi-Domain Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
    • IPS
    • SynDefender
    • QoS
    • NAT (includes NAT66, NAT64, and NAT46)
    • Security Servers: CVP, UFP, Authentication, etc.
    • SAM
    • CPMAD
    • Sequence Verification
    • Boot security
    • High Availability, Load Sharing, State Synchronization
    • CoreXL
    • SecureXL
    • ClusterXL HA (see sk35178)
    • VSX
    • Dynamic Routing (SecurePlatform based platforms)
    • Software Blades other than Firewall
    • Other features not explicitly mentioned as supported with IPv6
  • IPv6 support in R75.4x and R75.40VS
    • Has IPv6 for firewall with CoreXL, ClusterXL HA and SecureXL for IPv6 on SecurePlatform and Gaia
    • No IPv6 support for other Software Blades (including VPN)
    • No IPv6-related NAT (either v6 to v4, v4 to v6, or v6 to v6)
    • No ClusterXL Load Sharing
    • No support for IPv6 dynamic routing on SecurePlatform or Gaia (IPSO supports this)
  • What is the IPv6Pack?
    The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO.
    Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
  • Does any release incorporate IPv6Pack-level functionality?
    R75.40 and above for SecurePlatform and Gaia incorporate IPv6 support for CoreXL, SecureXL, and ClusterXL HA. No special hotfix is required.
  • Without IPv6Pack installed in pre-R75.40 releases, what features are supported in Security Gateway?
    The following is a list of supported features in the standard Security Gateway releases:
    • Dual IP Stack IPv4 and IPv6 firewall
    • IPv6 and IPv4 policy based access control
    • Dynamically updated defenses
    • Logging
    • FTP Active and FTP Passive services
    • Regular TCP and UDP services (like HTTP, SMTP, Telnet, etc.)
    • DNS
    • ICMPv6 service
    • RIPng
    • Traceroute6
    • IPv6 'Other' services
    • IPv6 fragments
    • IPv6 extension headers
    • IPv6 in IPv4 tunnels
    • fw6 command, for interfacing with the IPv6 kernel
    • VRRP with IPSO 3.8.1 and above
  • What IPv6 features are supported in VSX R68?
    The following is a list of IPv6-specific features supported in VSX R68:
    • IPv6 RFC support:
      • RFC 1981: Path Maximum Transmission Unit Discovery for IPv6
      • RFC 2462: IPv6 Stateless Address Auto-configuration
      • RFC 4007: IPv6 Scoped Address Architecture
      • RFC 4193: Unique Local IPv6 Unicast Addresses
      • RFC 4291: IPv6 Addressing Architecture
    • IPv6 Anti-Spoofing
    • IPv6 IPS Protections:
      • Non-compliant DNS for UDP traffic
      • DNS Domains Block List for UDP traffic
      • ICMPv6 Maximum Ping Size
      • ICMPv6 Small PMTU Bandwidth Attack
    • 6in4 tunnel support
    • Secure XL accelerates IPv6 traffic
    • Cluster XL IPv6 support:
      • State synchronization support for IPv6 connections
      • High Availability and VSLS support for IPv6
    • STP Bridge Mode IPv6 Support
    • IPv6 support for source-based routing
  • Is there any performance degradation when IPv6 is enabled?
    In releases prior to R75.40 where IPv6Pack is not installed, enabling IPv6 will have the following impact:
    • CoreXL will be disabled
    • SecureXL will only accelerate IPv4 traffic
  • Is there any protection that prevents the use of unsupported features?
    Using unsupported features with IPv6 will not give any warning or error messages during policy compilation and installation. If used, results are unpredictable and system crashes or other security related problems might occur.

Imported from Nokia support database
