Commit fails with "IPv6 addresses are not allowed because IPv6-firewalling is disabled" even though no security rule contains IPv6 addresses


Created On 10/03/22 07:41 AM - Last Modified 02/14/25 03:55 AM


Symptom


  • Commit fails with the message "IPv6 addresses are not allowed because IPv6-firewalling is disabled".
  • IPv6 Firewalling is disabled.
  • No security rule has an IPv6 address as its source or destination address.
  • A security rule has more than 1000 FQDN address objects as source address or destination address.
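
To check whether a configuration matches the last symptom, the following added example (not from the original article or from Palo Alto Networks) counts the FQDN address objects each security rule references in an exported configuration XML. It assumes the usual PAN-OS config element names (`address`, `address-group`, `rulebase/security/rules`) and, as an assumption beyond the article, also counts FQDN objects reached through static address groups; the sample config and the rule name `to-saas` are constructed.

```python
import xml.etree.ElementTree as ET

FQDN_LIMIT = 1000  # threshold named in the Symptom list

def fqdn_counts(config_xml, limit=FQDN_LIMIT):
    """Return {rule: {"source": n, "destination": n}} for rules over the limit."""
    root = ET.fromstring(config_xml)
    # Address objects that carry an <fqdn> element.
    fqdns = {e.get("name") for e in root.iterfind(".//address/entry")
             if e.find("fqdn") is not None}
    # Static address groups: name -> member names (groups may nest).
    groups = {g.get("name"): [m.text for m in g.iterfind("static/member")]
              for g in root.iterfind(".//address-group/entry")}

    def expand(name, seen):
        """Resolve one rule member to the set of FQDN objects it references."""
        if name in fqdns:
            return {name}
        if name not in groups or name in seen:
            return set()  # "any", IP objects, or a group already visited
        seen.add(name)  # guard against group reference loops
        return set().union(*(expand(m, seen) for m in groups[name]))

    flagged = {}
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        counts = {}
        for field in ("source", "destination"):
            objs = set()
            for m in rule.iterfind(f"{field}/member"):
                objs |= expand(m.text, set())
            counts[field] = len(objs)
        if max(counts.values()) > limit:
            flagged[rule.get("name")] = counts
    return flagged

def build_sample(n):
    """Constructed sample: one rule whose destination group holds n FQDN objects."""
    addrs = "".join(f'<entry name="f{i}"><fqdn>h{i}.example.com</fqdn></entry>'
                    for i in range(n))
    members = "".join(f"<member>f{i}</member>" for i in range(n))
    return ("<config><address>" + addrs + "</address><address-group>"
            '<entry name="grp"><static>' + members + "</static></entry></address-group>"
            '<rulebase><security><rules><entry name="to-saas">'
            "<source><member>any</member></source>"
            "<destination><member>grp</member></destination>"
            "</entry></rules></security></rulebase></config>")

if __name__ == "__main__":
    print(fqdn_counts(build_sample(1001)))
```

Dynamic address groups and Panorama pre/post rulebases are not covered by this check.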





Environment


  • Palo Alto Firewalls
  • PAN-OS 10.1.x and 10.2.x
  • IPv6 Firewalling


Cause


Software Issue.



Resolution


  1. The issue is fixed under PAN-201269 in 10.1.12, 10.2.8, 11.1.0 and later releases.
  2. Upgrading to a fixed version resolves the issue.
  3. As a workaround, if IPv6 Firewalling is disabled, disable AAAA queries on the DNS servers that the firewall is configured to use.

