How to allow all IPv6 traffic while allowing only specific IPv4 traffic through the Palo Alto Firewall.

Created On 03/28/19 05:58 AM - Last Modified 11/07/25 21:01 PM


Objective


  • Allow all IPv6 traffic to pass through the Palo Alto Firewall.
  • Only specific IPv4 traffic should be allowed. All other IPv4 traffic should be dropped.


Environment


  • Palo Alto Firewalls
  • Security Policy


Procedure


  • Address ::/0 includes all IPv6 and IPv4 addresses.
  • A security policy created using ::/0 as the source and destination will allow all IPv6 and IPv4 traffic.
  • On the firewall, IPv4 addresses are treated as a subset of the IPv6 address space and are represented by the range 0::0-0:0:0:0:0:0:ffff:ffff.
  • To allow all IPv6 traffic (but not all IPv4 traffic), follow the steps below:
  1. Create the following address object (the closing braces are added here so the configuration is complete):
     
     address {
       TESTIPv6 {
         ip-range 0::0-0:0:0:0:0:0:ffff:ffff;
       }
     }
  2. Create a Security policy that denies this address object as the source and destination. This blocks all IPv4 communication (closing braces added so the rule is complete):
     
     rules {
       IPv4-deny {
         to any;
         from any;
         source TESTIPv6;
         destination TESTIPv6;
         source-user any;
         category any;
         application any;
         service application-default;
         hip-profiles any;
         action deny;
         disabled no;
       }
     }
  3. Create another Security policy after "IPv4-deny" with "any" as the source and destination to allow all IPv6 communication.
  4. Any Security policies that allow specific IPv4 traffic must be placed above the "IPv4-deny" rule, because the rulebase is evaluated top-down and the first matching rule wins.

