IPv6 Support FAQ for R80.20 and lower
Solution
For R80.30 and higher, see sk163313 - IPv6 features and limitations in R80.30 and higher

  • VPN Support with IPv6
    These VPN features are not supported for IPv6:

    • VSX
    • Remote Access VPN
    • CRL fetch for the Internal Certificate Authority
    • Multiple Entry Points (MEP)
    • Route-based VPN (VTI)
    • Wire Mode VPN
    • Gateways with a dynamic IP address
    • Route Injection Mechanism (RIM)
    • Traditional mode Firewall Policies
    • IKE Denial of Service protection
    • IKE Aggressive Mode
    • Gateways with Dynamic IP addresses
    • Traditional Mode VPN
    • Migration from Traditional mode to Simplified mode
    • Tunnel Management (permanent tunnels)
    • Directional VPN Enforcement
    • Link Selection
    • GRE Tunnels
    • Tunnel View in SmartView Monitor
    • VPN Overview page
    • vpn_route.conf configuration file


    IPv6 is supported in IPsec VPN communities with the following limitations:

    • IPv6 is supported for Site-to-Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
    • IPv6 supports IKEv2 encryption only. IKEv2 is always used automatically for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
    • VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
  • Does VSX support IPv6?
    • R76 and higher in VSX mode support IPv6.
      VSX R68 supports IPv6.
      Conversion from Security Gateway to VSX with IPv6 Enabled is not supported.
      Virtual Routers are not supported with IPv6. Refer to sk79700.

    • 61000 / 4100 Appliances support IPv6 in VSX VSLS configuration starting in R76SP.20 (refer to sk116241).

  • Do you need a license to enable support for IPv6?

    No IPv6-specific license is required on the Security Gateway.

    Starting from R75.40, no special license is required on the Security Management Server or Multi-Domain Management Server.

  • New IPv6 support
    R80.20 introduces support for:

    • NAT46 and NAT64
    • IPv6 MD5 for BGP
    • IPv6 OSPF multiple instances

    Advanced Routing and Clustering Enhancements Hotfix for R80.10 introduces support for:

    • IPv6 MD5 for BGP
    • IPv6 Dynamic Routing with ClusterXL
    • IPv6 OSPF multiple instances
  • Features not supported with IPv6
    The following features are NOT supported:

    • ClusterXL Load Sharing
    • Mobile IPv6
    • SAM
    • CPMAD
    • Security Servers: CVP, UFP, Authentication, etc.
    • Prefix Delegation
  • Is Full HA supported with IPv6?
    Full HA is supported with the following limitations:
    • Dual Stack Only (Full HA requires use of IPv4)
      • Monitored Interfaces must have IPv4 addresses
      • Sync traffic is also IPv4
  • How to enable IPv6 support on the Security Gateway

    For Gaia OS, go to System Management -> System Configuration, turn on IPv6 Support, and click "Apply". 
    CLI command: # set ipv6-state on

    For SecurePlatform OS, refer to sk34552.

    For IPSO OS, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files are automatically enabled during the install process. To enable IPv6 functionality at a later stage, run this command and reboot:

    ipso[admin]# $FWDIR/scripts/fwipv6_enable

    Note: This requires a reboot to activate!

  • Can I have a Security Gateway that only runs IPv6?

    Starting from R76, it is possible to operate a Security Gateway (regular or VS mode) entirely with IPv6, except for one IPv4 address that is required on the interface used for management.

  • How to disable IPv6 on the machine

    For Gaia OS, go to System Management -> System Configuration, turn off IPv6 Support, and click "Apply".
    Note: this will immediately reboot your gateway!

    CLI command: # set ipv6-state off

    For SecurePlatform and IPSO, run this command and reboot:

    # $FWDIR/scripts/fwipv6_enable off

    To disable IPv6 functionality completely, remove the IPv6 license from the Security Management Server and disable IPv6 on all the Security Gateways.

  • How does the Security Gateway handle fragmented IPv6 traffic?
    In IPv6, fragmentation is handled by the client. If the Gateway receives a packet that it cannot transmit due to an MTU issue, the Gateway sends back the relevant ICMP message to tell the client they need to send a smaller packet. The client sends the Gateway a smaller (fragmented) packet, which the Gateway does inspect.
  • How to handle IPv6 Extension Headers
    By default, the Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of the $FWDIR/lib/table.def file on the Security Management Server.

    Furthermore, there is an option to block Routing header type zero even if the Routing header is allowed. To control this, configure the kernel parameter fw6_allow_rh_type_zero. The default value of 0 means type zero is always blocked. If the value is set to 1, the action follows allowed_ipv6_extension_headers.
  • IPv6 support in R77.x and R80.x
    • Many Software Blades are supported with IPv6 in Gaia OS in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, and Anti-Malware)
    • The Traditional Anti-Virus mode is not supported
    • On pre-R80.10, QoS is supported only with IPv4 traffic
    • Mobile Access Blade Portal and Mobile Enterprise are supported in R77.10 and higher from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
    • SecurePlatform and IPSO are not supported with IPv6 in R76 and higher
    • Network Objects support both IPv4 and IPv6 addresses in the same object
    • The following features are not supported with IPv6 in either Security Gateway mode or VSX mode:
      • Dynamic Objects
      • Groups with Exclusions
      • Legacy URL Filtering
      • Rules with Resources
      • Legacy Authentication methods (Client/User/Session Auth)
      • OSE Devices
      • User Authority
      • Some OPSEC Protocols (LEA, ELA, CVP, UFP, SAM)
      • SmartView Tracker does not show IPv6 information
      • SecurePlatform OS R76 and higher
      • IPSO OS with R76 and higher
      • On pre-R80.10, QoS is supported with IPv4 traffic only
      • ClusterXL Load Sharing
      • HTTPS Inspection (However, it can be activated with some limitations. See sk90840.)
    • SecureXL is supported
    • CoreXL is supported
    • ClusterXL supports High Availability clusters for IPv6
    • High Availability is supported in VRRPv3 only
    • Dynamic Routing is supported in VRRPv3
    • NAT46:
      • supported in R76 as part of R76.LTE (Long Term Evolution) Hotfix (refer to sk95768)
      • supported in R77.10 as part of R77.10.LTE Hotfix (refer to sk100446)
      • supported in R80.20 and higher
    • NAT64 is supported in R77.30 (requires R77.30 Add-On) and from R80.20
    • NAT66 is supported
    • The following features are supported in Security Gateway mode, but not in VSX mode:
      • IPv6 Dynamic Routing
      • Site-to-Site VPN
  • Can we inspect 6in4 or 6to4 tunnels?

    If you define an IPv6 rule and the traffic is tunneled in IPv4, the Gateway cannot enforce it unless you also use a service called SIT_with_Intra_Tunnel_Inspection.

    If the Security Gateway does the tunnel termination, then the firewall kernel enforces the rule because it sees the IPv6 packet.

    Note: this feature requires IPv6 support to be enabled. This is because the tunneled IPv6 traffic is inspected by the IPv6 kernel, not the IPv4 kernel.

  • Can link-local addresses be used for virtual IPs in ClusterXL and/or VRRP?
    Link-local VIP is available only with VRRPv3. The administrator must make sure that all physical link-local addresses are unique. For example, no two interfaces may be configured with fe80::1.
  • Does SmartConsole support IPv6?
    Yes. However, the operating system on which SmartConsole is installed must be configured to work with IPv6.
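
For the "How to handle IPv6 Extension Headers" entry above, this added example (not Check Point code) models the documented decision: the default allow-list contains only the Fragment header, and fw6_allow_rh_type_zero=0 blocks Routing header type zero regardless of the allow-list. The function names, the Python `allowed` set standing in for allowed_ipv6_extension_headers, and the sample packets are assumptions constructed here.

```python
import ipaddress
import struct

# IPv6 Next Header values of the extension headers this model walks.
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}

def verdict(pkt, allowed=frozenset({FRAGMENT}), allow_rh_type_zero=0):
    """Model of the documented policy; returns (action, reason)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return "drop", "not a complete IPv6 header"
    nxt, off = pkt[6], 40
    while nxt in EXT_HEADERS:
        if off + 8 > len(pkt):
            return "drop", "truncated extension header"
        # A value of 0 blocks type 0 even when Routing is in the allow-list.
        if nxt == ROUTING and pkt[off + 2] == 0 and not allow_rh_type_zero:
            return "drop", "routing header type 0"
        if nxt not in allowed:
            return "drop", f"extension header {nxt} not allowed"
        # The Fragment header is fixed at 8 bytes; others carry Hdr Ext Len.
        size = 8 if nxt == FRAGMENT else (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return "accept", f"upper-layer protocol {nxt}"

def ipv6(next_header, payload):
    """Build a constructed IPv6 packet between documentation addresses."""
    src = ipaddress.IPv6Address("2001:db8::1").packed
    dst = ipaddress.IPv6Address("2001:db8::2").packed
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + src + dst + payload

def ext(next_header, body):
    """Extension header; body is 6 + 8*n bytes, so Hdr Ext Len = n."""
    return bytes([next_header, (len(body) - 6) // 8]) + body

# Constructed samples (not captured traffic); 6 = TCP, 17 = UDP.
TCP = b"\x00" * 20
SAMPLES = {
    "plain_tcp": ipv6(6, TCP),
    "fragment": ipv6(FRAGMENT, ext(17, b"\x00" * 6) + b"\x00" * 8),
    "dest_opts": ipv6(DEST_OPTS, ext(6, b"\x01\x04\x00\x00\x00\x00") + TCP),
    "rh0": ipv6(ROUTING, ext(6, b"\x00" * 6) + TCP),
    "rh2": ipv6(ROUTING, ext(6, b"\x02\x01" + b"\x00" * 20) + TCP),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, verdict(pkt))
```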
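
For the "Can we inspect 6in4 or 6to4 tunnels?" entry above, this added example (not Check Point code, and not a description of how SIT_with_Intra_Tunnel_Inspection is implemented) shows why an IPv6 rule cannot match tunneled traffic from the outer header alone: the outer packet is IPv4 protocol 41, and the IPv6 addresses a rule refers to only appear after decapsulation. It goes slightly beyond the entry by also checking that a 6to4 inner source (2002::/16) embeds the outer IPv4 source; all names and sample packets are constructed here.

```python
import ipaddress
import struct

PROTO_IPV6_IN_IPV4 = 41  # IPv4 protocol number carried by 6in4 and 6to4

def inner_flow(pkt):
    """Decapsulate a protocol-41 packet; None if it is not IPv6-in-IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4  # outer header length, options included
    if ihl < 20 or pkt[9] != PROTO_IPV6_IN_IPV4 or len(pkt) < ihl + 40:
        return None
    inner = pkt[ihl:ihl + 40]
    if inner[0] >> 4 != 6:
        return None
    flow = {
        "outer_src": ipaddress.IPv4Address(pkt[12:16]),
        "outer_dst": ipaddress.IPv4Address(pkt[16:20]),
        "inner_src": ipaddress.IPv6Address(inner[8:24]),
        "inner_dst": ipaddress.IPv6Address(inner[24:40]),
        "inner_next_header": inner[6],
    }
    # A 6to4 source (2002::/16) embeds its tunnel endpoint's IPv4 address;
    # if that differs from the outer source, the inner source is suspect.
    embedded = flow["inner_src"].sixtofour
    flow["sixtofour_src_ok"] = embedded is None or embedded == flow["outer_src"]
    return flow

def ipv4(src, dst, proto, payload):
    """Constructed 20-byte IPv4 header (checksum left at 0) plus payload."""
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    pair = ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
    return hdr + pair + payload

def ipv6(src, dst, next_header, payload=b"\x00" * 20):
    """Constructed IPv6 header plus a dummy 20-byte upper-layer payload."""
    hdr = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    pair = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + pair + payload

# Constructed samples using documentation address ranges (not captures).
SIX_IN_FOUR = ipv4("192.0.2.1", "198.51.100.7", 41,
                   ipv6("2001:db8:a::10", "2001:db8:b::20", 6))
SIX_TO_FOUR = ipv4("192.0.2.1", "198.51.100.7", 41,
                   ipv6("2002:c000:201::1", "2001:db8:b::20", 6))
MISMATCHED = ipv4("192.0.2.1", "198.51.100.7", 41,
                  ipv6("2002:cb00:7105::1", "2001:db8:b::20", 6))
PLAIN_TCP = ipv4("192.0.2.1", "198.51.100.7", 6, b"\x00" * 20)
```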


Old versions

  • What are the most common unsupported features/products with IPv6 in pre-R76 versions?
    The following are some of the common IPv4 features that are not supported for IPv6:
    • Security Management Server / Multi-Domain Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
    • IPS
    • SynDefender
    • QoS
    • NAT (includes NAT66, NAT64, and NAT46)
    • Security Servers: CVP, UFP, Authentication, etc.
    • SAM
    • CPMAD
    • Sequence Verification
    • Boot security
    • High Availability, Load Sharing, State Synchronization
    • CoreXL
    • SecureXL
    • ClusterXL HA (see sk35178)
    • VSX
    • Dynamic Routing (SecurePlatform based platforms)
    • Software Blades other than Firewall
    • Other features not explicitly mentioned as supported with IPv6
  • IPv6 support in R75.4x and R75.40VS
    • IPv6 is supported for Firewall, with CoreXL, ClusterXL HA and SecureXL for IPv6, on SecurePlatform and Gaia
    • No IPv6 support for other Software Blades (including VPN)
    • No IPv6-related NAT (either v6 to v4, v4 to v6, or v6 to v6)
    • No ClusterXL Load Sharing
    • No support for IPv6 dynamic routing on SecurePlatform or Gaia (IPSO supports this)
  • What is the IPv6Pack?
    The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO.
    Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
  • Does any release incorporate IPv6Pack-level functionality?
    R75.40 and higher for SecurePlatform and Gaia incorporate IPv6 support for CoreXL, SecureXL, and ClusterXL HA. No special hotfix is required.
  • Without IPv6Pack installed in pre-R75.40 releases, what features are supported in Security Gateway?
    The following is a list of supported features in the standard Security Gateway releases:
    • Dual IP Stack IPv4 and IPv6 firewall
    • IPv6 and IPv4 policy based access control
    • Dynamically updated defenses
    • Logging
    • FTP Active and FTP Passive services
    • Regular TCP and UDP services (like HTTP, SMTP, Telnet, etc.)
    • DNS
    • ICMPv6 service
    • RIPng
    • Traceroute6
    • IPv6 'Other' services
    • IPv6 fragments
    • IPv6 extension headers
    • IPv6 in IPv4 tunnels
    • fw6 command, for interfacing with the IPv6 kernel
    • VRRP with IPSO 3.8.1 and higher
  • What IPv6 features are supported in VSX R68?
    The following is a list of IPv6-specific features supported in VSX R68:
    • IPv6 RFC support:
      • RFC 1981: Path Maximum Transmission Unit Discovery for IPv6
      • RFC 2462: IPv6 Stateless Address Auto-configuration
      • RFC 4007: IPv6 Scoped Address Architecture
      • RFC 4193: Unique Local IPv6 Unicast Addresses
      • RFC 4291: IPv6 Addressing Architecture
      • RFC 5952: A Recommendation for IPv6 Address Text Representation
    • IPv6 Anti-Spoofing
    • IPv6 IPS Protections:
      • Non-compliant DNS for UDP traffic
      • DNS Domains Block List for UDP traffic
      • ICMPv6 Maximum Ping Size
      • ICMPv6 Small PMTU Bandwidth Attack
    • 6in4 tunnel support
    • SecureXL accelerates IPv6 traffic
    • ClusterXL IPv6 support:
      • State synchronization support for IPv6 connections
      • High Availability and VSLS support for IPv6
    • STP Bridge Mode IPv6 Support
    • IPv6 support for source-based routing
  • Is there any performance degradation when IPv6 is enabled?
    In releases prior to R75.40 where IPv6Pack is not installed, enabling IPv6 has the following impact:
    • CoreXL is disabled
    • SecureXL accelerates only IPv4 traffic
  • Is there any protection if unsupported features are used with IPv6?
    If unsupported features are used with IPv6, there are no warning or error messages during policy compilation and installation. If unsupported features are used, the results are unpredictable, and system crashes or other security-related problems may occur.
  • Why do SecurePlatform and IPSO not support IPv6 in R76 and higher?
    The changes required to support additional features with IPv6 in R76 and higher utilize OS-related infrastructure not present in SecurePlatform OS or IPSO OS.
  • Which IPSO release has support for IPv6 for Security Gateway?
    IPSO 3.7 and higher has support for IPv6 in Security Gateway.

Imported from Nokia support database
This solution is about products that are no longer supported and it will not be updated