R76 and above in VSX mode support IPv6. VSX R68 supports IPv6. Conversion from Security Gateway to VSX with IPv6 Enabled is not supported. Virtual Routers are not supported with IPv6. Refer to sk79700.
61000 / 4100 Appliances support IPv6 in VSX VSLS configuration starting in R76SP.20 (refer to sk116241).
No IPv6-specific license is required on the Security Gateway.
In R75.40 and above, no special license is required on the Security Management Server or Domain Management Server.
On versions prior to R75.40, a valid IPv6 license is required on the Security Management Server or CMA / Domain Management Server, which will allow the creation of IPv6 Host and Network objects that can be incorporated into the Firewall policy. This license can be obtained for free from the User Center via Products -> Activate Advanced Features.
The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO. Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
The following are some of the common IPv4 features that are not supported for IPv6. Note that installing an IPv6 Pack may enable IPv6 support for some (not all) of the features below. Refer to the Release Notes for details.
Security Management Server / Provider-1 Server / Multi-Domain Security Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
NAT (includes NAT66, NAT64, and NAT46)
Security Servers - CVP, UFP, Authentication, etc.
High Availability, Load Sharing, State Synchronization
Other features not explicitly mentioned as supported with IPv6
IPv6 is supported in IPsec VPN communities with the following limitations:
IPv6 is supported for Site to Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
IPv6 supports IKEv2 encryption only. IKEv2 is automatically always used for IPv6 traffic. The encryption method configuration applies to IPv4 traffic only.
VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
These VPN features are not supported for IPv6:
Remote Access VPN
CRL fetch for the internal Certificate Authority
Multiple Entry Points (MEP)
Route-based VPN (VTI)
Wire Mode VPN
Gateways with a dynamic IP address
Route Injection Mechanism (RIM)
Traditional mode Firewall Policies
IKE Denial of Service protection
IKE Aggressive Mode
Gateways with Dynamic IP addresses
Traditional Mode VPN
Migration from Traditional mode to Simplified mode
Using unsupported features with IPv6 will not give any warning or error messages during policy compilation and installation. If used, results are unpredictable and system crashes or other security-related problems might occur.
For Gaia, go to System Management -> System Configuration, turn on IPv6 Support, and click Apply. Note: This requires a reboot to activate!
For IPSO, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6-related files are automatically enabled during the install process. To enable IPv6 functionality at a later stage, run the command below and reboot:
In IPv6, fragmentation is handled by the sending host, not by intermediate devices. If the Security Gateway receives a packet that it cannot transmit because it exceeds the MTU of the outgoing link, it sends back the relevant ICMPv6 message (Packet Too Big) telling the sender to use a smaller packet. The sender then retransmits as smaller (fragmented) packets, which the Security Gateway inspects as usual.
By default, Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of $FWDIR/lib/table.def file on the Security Management Server.
Furthermore, as of R75.40 there is an option to block Routing Header Type 0 even if the Routing extension header is allowed. It is configurable via the kernel parameter fw6_allow_rh_type_zero. The default of 0 means Type 0 is always blocked. If the value is set to 1, the action is according to the allowed_ipv6_extension_headers section.
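The following is an added illustration, not Check Point code and not the contents of $FWDIR/lib/table.def, of the two behaviours described above: a sending host answering an ICMPv6 Packet Too Big message by fragmenting, and a gateway walking the IPv6 extension-header chain and applying the default policy (drop every extension header except Fragment; drop Routing Header Type 0 unless fw6_allow_rh_type_zero is 1, in which case the allowed list decides). The addresses, the 2000-byte payload, the fragment identification value and the function names are all constructed for the example; ICMPv6 checksums are left at zero.

```python
"""IPv6 fragmentation and extension-header policy walk-through (constructed example)."""
import struct

IPV6_HDR_LEN = 40
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60   # IANA Next Header values
TCP, ICMPV6 = 6, 58
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6_PACKET_TOO_BIG = 2
IPV6_MIN_MTU = 1280

SRC = bytes.fromhex("20010db8000000000000000000000001")   # constructed: 2001:db8::1
DST = bytes.fromhex("20010db8000000000000000000000002")   # constructed: 2001:db8::2


def ipv6_packet(next_header, body):
    """Fixed 40-byte IPv6 header (version 6, flow label 0, hop limit 64) plus body."""
    return struct.pack("!IHBB", 6 << 28, len(body), next_header, 64) + SRC + DST + body


def walk_extension_headers(pkt):
    """Return ([(ext_header_type, routing_type_or_None), ...], upper_layer_protocol)."""
    nh, off, chain = pkt[6], IPV6_HDR_LEN, []
    while nh in EXT_HEADERS:
        if off + 8 > len(pkt):
            raise ValueError("truncated extension header")
        next_nh = pkt[off]                       # first byte of every extension header
        if nh == FRAGMENT:
            hdr_len, detail = 8, None            # Fragment header is always 8 bytes
        else:
            hdr_len = (pkt[off + 1] + 1) * 8     # Hdr Ext Len excludes the first 8 octets
            detail = pkt[off + 2] if nh == ROUTING else None   # Routing Type field
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        chain.append((nh, detail))
        off, nh = off + hdr_len, next_nh
    return chain, nh


def gateway_verdict(pkt, allowed_ext_headers=frozenset({FRAGMENT}), fw6_allow_rh_type_zero=0):
    """Apply the default policy described in the SK (assumed semantics, modelled here)."""
    chain, _ = walk_extension_headers(pkt)
    for hdr, routing_type in chain:
        if hdr == ROUTING and routing_type == 0 and fw6_allow_rh_type_zero == 0:
            return "drop: routing header type 0"
        if hdr not in allowed_ext_headers:
            return "drop: extension header %d not allowed" % hdr
    return "accept"


def packet_too_big(link_mtu, offending_pkt):
    """ICMPv6 Packet Too Big (type 2, code 0): 4-byte MTU field, then as much of the
    offending packet as fits in a minimum-MTU packet. Checksum left at zero (example)."""
    body = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, link_mtu)
    body += offending_pkt[: IPV6_MIN_MTU - IPV6_HDR_LEN - 8]
    return ipv6_packet(ICMPV6, body)


def fragment(pkt, link_mtu, ident=0x1234):
    """What the sending host does on Packet Too Big: insert a Fragment header and
    split the payload into 8-octet-aligned pieces that fit the reported MTU."""
    nh, payload = pkt[6], pkt[IPV6_HDR_LEN:]
    chunk = (link_mtu - IPV6_HDR_LEN - 8) // 8 * 8
    frags = []
    for i in range(0, len(payload), chunk):
        more = 1 if i + chunk < len(payload) else 0
        # Fragment header: Next Header, Reserved, (Offset in 8-octet units << 3) | M, Identification
        frag_hdr = struct.pack("!BBHI", nh, 0, ((i // 8) << 3) | more, ident)
        frags.append(ipv6_packet(FRAGMENT, frag_hdr + payload[i:i + chunk]))
    return frags


def demo(link_mtu=IPV6_MIN_MTU):
    """Oversized packet -> Packet Too Big -> fragments -> gateway verdict per fragment."""
    big = ipv6_packet(TCP, bytes(2000))           # constructed 2000-byte payload
    ptb = packet_too_big(link_mtu, big)
    frags = fragment(big, link_mtu)
    return ptb, frags, [gateway_verdict(f) for f in frags]


if __name__ == "__main__":
    ptb, frags, verdicts = demo()
    print("Packet Too Big reports MTU", struct.unpack("!I", ptb[44:48])[0])
    print([len(f) for f in frags], verdicts)
    rh0 = ipv6_packet(ROUTING, struct.pack("!BBBB", TCP, 0, 0, 0) + bytes(4))
    print(gateway_verdict(rh0), "|", gateway_verdict(rh0, {FRAGMENT, ROUTING}, 1))
```

Running the script shows the fragments (1280 and 816 bytes) both being accepted because only the Fragment header is in the chain, while a packet carrying a Routing Header Type 0 is dropped under the default and only passes when the kernel parameter is 1 and the Routing header is on the allowed list.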
Many Software Blades are supported with IPv6 in Gaia OS in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, and Anti-Malware).
The Traditional Anti-Virus mode is not supported
QoS is supported only with IPv4 traffic
Mobile Access Blade Portal and Mobile Enterprise are supported in R77.10 and above from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
SecurePlatform and IPSO are not supported with IPv6 in R76 and above
Network Objects support both IPv4 and IPv6 addresses in the same object
The following features are not supported with IPv6 in either Security Gateway mode or VSX mode: