Migration from Traditional mode to Simplified mode
Tunnel Management (permanent tunnels)
Directional VPN Enforcement
Link Selection
GRE Tunnels
Tunnel View in SmartView Monitor
VPN Overview page
vpn_route.conf configuration file
IPv6 is supported in IPsec VPN communities with the following limitations:
IPv6 is supported for Site-to-Site VPN only (Main IP to Main IP). The Main IP address for both Security Gateways must be defined as an IPv6 Address. You can define other IP addresses that are IPv4 or IPv6.
IPv6 VPN traffic supports IKEv2 only. IKEv2 is always used for IPv6 traffic automatically; the "Encryption Method" (IKE version) configured in the community applies to IPv4 traffic only.
VPN tunneling only supports IPv4 inside an IPv4 tunnel, and IPv6 inside an IPv6 tunnel. IPv4 traffic inside an IPv6 tunnel is not supported.
R76 and higher in VSX mode support IPv6. VSX R68 supports IPv6. Conversion from Security Gateway to VSX with IPv6 Enabled is not supported. Virtual Routers are not supported with IPv6. Refer to sk79700.
61000 / 4100 Appliances support IPv6 in VSX VSLS configuration starting in R76SP.20 (refer to sk116241).
For IPSO OS, if the interfaces are configured for IPv6 prior to Security Gateway installation, all the required IPv6 related files are automatically enabled during the install process. To enable IPv6 functionality at a later stage, run this command and reboot:
Starting from R76, it is possible to operate a Security Gateway (regular or VS mode) entirely with IPv6, except for one IPv4 address that is required on the interface used for management.
For Gaia OS, go to System Management -> System Configuration, turn off IPv6 Support, and click "Apply". Note: this will immediately reboot your gateway!
CLI command: # set ipv6-state off
For SecurePlatform and IPSO, run this command and reboot:
# $FWDIR/scripts/fwipv6_enable off
To disable IPv6 functionality completely, remove the IPv6 license from the Security Management Server and disable IPv6 on all the Security Gateways.
In IPv6, routers do not fragment packets in transit; fragmentation is done by the sending host. If the Gateway cannot forward a packet because it exceeds the next-hop MTU, it sends an ICMPv6 "Packet Too Big" message back to the sender, which then resends the data in smaller (fragmented) packets. The Gateway does inspect those fragmented packets.
By default, the Check Point Security Gateway drops all extension headers, except fragmentation. This can be adjusted by editing the allowed_ipv6_extension_headers section of $FWDIR/lib/table.def file on the Security Management Server.
Furthermore, there is an option to block Routing Header Type 0 (RH0, deprecated by RFC 5095 because it allows traffic amplification and steering) even if the Routing header is allowed. To control this, configure the kernel parameter fw6_allow_rh_type_zero. The default of 0 means RH0 is always blocked, regardless of allowed_ipv6_extension_headers. If the value is set to 1, RH0 is handled according to allowed_ipv6_extension_headers like any other Routing header.
Many Software Blades are supported with IPv6 in Gaia OS in either Security Gateway mode or VSX mode (includes Firewall, Identity Awareness, Application Control, URL Filtering, IPS (not Geo-Protection), Anti-Bot, Anti-Virus, and Anti-Malware)
The Traditional Anti-Virus mode is not supported
On versions below R80.10, QoS is supported with IPv4 traffic only
Mobile Access Blade Portal and Mobile Enterprise are supported in R77.10 and higher from the client to the Security Gateway only (connection from Security Gateway to backend servers still requires IPv4)
SecurePlatform and IPSO are not supported with IPv6 in R76 and higher
Network Objects support both IPv4 and IPv6 addresses in the same object
The following features are not supported with IPv6 in either Security Gateway mode or VSX mode:
If you define an IPv6 rule and the IPv6 traffic is tunneled inside IPv4 (6in4 / SIT, IPv4 protocol 41), the Gateway cannot enforce that rule on the tunneled traffic unless you also use the service SIT_with_Intra_Tunnel_Inspection. Without it, only the outer IPv4 header is matched against the rulebase.
If the Security Gateway itself terminates the tunnel, the firewall kernel does enforce the rule, because it sees the decapsulated IPv6 packet.
Note: this feature requires IPv6 support to be enabled on the Gateway, because the tunneled IPv6 traffic is inspected by the IPv6 kernel, not the IPv4 kernel.
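The following Python is an added example, not Check Point code, that models the two inspection decisions described above: the extension-header policy of allowed_ipv6_extension_headers together with the fw6_allow_rh_type_zero override, and 6in4 (SIT) intra-tunnel inspection, where the inner IPv6 packet is only matched against IPv6 rules when the tunnel is opened. The sample packets, the rule dictionary, the verdict strings and every function name are constructed for illustration; the real table.def format and kernel verdicts are not reproduced.

```python
import struct

# IANA Next Header values for the IPv6 extension headers (RFC 8200, RFC 4302/4303)
HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS = 0, 43, 44, 50, 51, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, ESP, AH, DEST_OPTS}
IPPROTO_TCP = 6
IPPROTO_IPV6 = 41          # 6in4 / SIT: an IPv6 packet carried directly in IPv4
DEFAULT_ALLOWED = {FRAGMENT}   # assumed default modelled on the page: all ext headers dropped except Fragment


def parse_ipv6(pkt):
    """Walk the header chain; return (src, dst, [(ext_type, routing_type_or_None)], upper_proto, payload)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nh, src, dst = pkt[6], pkt[8:24], pkt[24:40]
    off, chain = 40, []
    while nh in EXT_HEADERS:
        if nh == ESP:                          # ESP encrypts everything after it; stop walking
            chain.append((ESP, None))
            return src, dst, chain, ESP, pkt[off:]
        if nh == FRAGMENT:
            hdr_len = 8                        # fixed size
        elif nh == AH:
            hdr_len = (pkt[off + 1] + 2) * 4   # AH length is in 32-bit words minus 2
        else:
            hdr_len = (pkt[off + 1] + 1) * 8   # Hdr Ext Len in 8-octet units, excluding the first 8
        if off + hdr_len > len(pkt):
            raise ValueError("truncated extension header")
        routing_type = pkt[off + 2] if nh == ROUTING else None   # byte 2 of a Routing header
        chain.append((nh, routing_type))
        nh, off = pkt[off], off + hdr_len
    return src, dst, chain, nh, pkt[off:]


def ext_header_verdict(chain, allowed=DEFAULT_ALLOWED, allow_rh_type_zero=0):
    """Policy modelled on allowed_ipv6_extension_headers plus the fw6_allow_rh_type_zero override."""
    for ext, routing_type in chain:
        # RH0 (RFC 5095) is blocked regardless of the allowed set unless the kernel parameter is 1
        if ext == ROUTING and routing_type == 0 and allow_rh_type_zero == 0:
            return "drop: routing header type 0"
        if ext not in allowed:
            return f"drop: extension header {ext} not allowed"
    return "accept"


def decapsulate_sit(ipv4_pkt):
    """Return the inner IPv6 packet of a 6in4 (IPv4 protocol 41) packet, or None."""
    if ipv4_pkt[0] >> 4 != 4 or ipv4_pkt[9] != IPPROTO_IPV6:
        return None
    return ipv4_pkt[(ipv4_pkt[0] & 0x0F) * 4:]


def inspect(pkt, rule, intra_tunnel_inspection=False, allowed=DEFAULT_ALLOWED, allow_rh_type_zero=0):
    """rule: hypothetical drop rule {"dst": 16-byte IPv6 address, "proto": upper-layer protocol number}."""
    if pkt[0] >> 4 == 4:
        inner = decapsulate_sit(pkt)
        if inner is None or not intra_tunnel_inspection:
            return "accept (IPv4 rulebase only)"   # only the outer IPv4 header is matched
        pkt = inner
    _, dst, chain, proto, _ = parse_ipv6(pkt)
    verdict = ext_header_verdict(chain, allowed, allow_rh_type_zero)
    if verdict != "accept":
        return verdict
    if dst == rule["dst"] and proto == rule["proto"]:
        return "drop: matched IPv6 rule"
    return "accept"


# --- constructed sample packets (built here, not captured) ----------------------
def build_ipv6(src, dst, exts, upper, payload=b""):
    """exts: list of (ext_type, header bytes without the leading Next Header byte)."""
    nh_chain = [t for t, _ in exts] + [upper]
    body = b"".join(bytes([nh_chain[i + 1]]) + ext for i, (_, ext) in enumerate(exts)) + payload
    return struct.pack("!IHBB", 6 << 28, len(body), nh_chain[0], 64) + src + dst + body


def build_sit(src4, dst4, inner):
    # IPv4 header checksum left as 0: fine for the demo, not a valid wire packet
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(inner), 0, 0, 64, IPPROTO_IPV6, 0, src4, dst4) + inner


SRC6 = bytes.fromhex("20010db8000000010000000000000001")    # 2001:db8:0:1::1
DST6 = bytes.fromhex("20010db8000000020000000000000010")    # 2001:db8:0:2::10
OTHER6 = bytes.fromhex("20010db8000000020000000000000020")  # 2001:db8:0:2::20
TCP_STUB = struct.pack("!HH", 80, 22) + b"\x00" * 16        # placeholder TCP header
RULE = {"dst": DST6, "proto": IPPROTO_TCP}                  # "drop TCP to 2001:db8:0:2::10"

FRAG_HDR = bytes([0]) + struct.pack("!HI", 0x0001, 0xDEADBEEF)   # M flag set, offset 0, id
HBH_HDR = bytes([0, 1, 4, 0, 0, 0, 0])                           # Hdr Ext Len 0, one PadN option
RH0_HDR = bytes([2, 0, 1]) + b"\x00" * 4 + DST6                  # Routing Type 0, 1 segment left

PLAIN = build_ipv6(SRC6, DST6, [], IPPROTO_TCP, TCP_STUB)
FRAG = build_ipv6(SRC6, OTHER6, [(FRAGMENT, FRAG_HDR)], IPPROTO_TCP, TCP_STUB)
HBH = build_ipv6(SRC6, OTHER6, [(HOP_BY_HOP, HBH_HDR)], IPPROTO_TCP, TCP_STUB)
RH0 = build_ipv6(SRC6, OTHER6, [(ROUTING, RH0_HDR)], IPPROTO_TCP, TCP_STUB)
SIT = build_sit(bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]), PLAIN)

if __name__ == "__main__":
    print(inspect(HBH, RULE))                                  # drop: extension header 0 not allowed
    print(inspect(RH0, RULE, allowed={FRAGMENT, ROUTING}))     # drop: routing header type 0
    print(inspect(SIT, RULE), "/", inspect(SIT, RULE, intra_tunnel_inspection=True))
```

Two points the example makes that the prose does not spell out: RH0 is rejected before the allowed set is consulted, so adding Routing to allowed_ipv6_extension_headers does not expose RH0 unless fw6_allow_rh_type_zero is also changed; and a 6in4 packet whose inner IPv6 destination matches a drop rule is accepted on the outer IPv4 header alone unless the tunnel is opened for inspection.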
Link-local VIP is available only with VRRPv3. The administrator must make sure that all physical link-local addresses are unique; for example, no two interfaces may be configured with fe80::1.
The following are some of the common IPv4 features that are not supported for IPv6:
Security Management Server / Multi-Domain Management Server (communication between Check Point infrastructure/devices using CPMI or SIC is only supported using IPv4)
IPS
SynDefender
QoS
NAT (includes NAT66, NAT64, and NAT46)
Security Servers: CVP, UFP, Authentication, etc.
SAM
CPMAD
Sequence Verification
Boot security
High Availability, Load Sharing, State Synchronization
The IPv6Pack is an optional Gateway package for SecurePlatform that enables additional features for IPv6 traffic (e.g., ClusterXL HA, SecureXL, CoreXL). The IPv6Pack is available for R60, R65 HFA_50 and R70.1 releases on SecurePlatform, as well as for R60 on IPSO. Refer to the Release Notes for the exact list of features enabled in the IPv6Pack.
If unsupported features are used with IPv6, no warning or error messages are produced during policy compilation and installation. The results are unpredictable, and system crashes or other security-related problems may occur.
The changes required to support additional features with IPv6 in R76 and higher utilize OS-related infrastructure not present in SecurePlatform OS or IPSO OS.