After configuring an IPv6 dataplane interface, the firewall never uses an IPv4 address when PING is used for hostname resolution on the management interface of the firewall.
Created On 07/28/25 18:27 PM - Last Modified 11/13/25 00:18 AM


Symptom


  • The management interface is configured with an IPv4 address and one of the dataplane interfaces has an IPv6 address configured.
  • When ping is used for hostname resolution, it uses an IPv6 address even though the management interface is configured only with IPv4.
    admin@Lab33-26-PA-5420> ping host google.com
    PING google.com(ra-in-f101.1e100.net (2a00:1450:4025:401::65)) 56 data bytes
    From 2607:f388:0:30c::1 (2607:f388:0:30c::1): icmp_seq=1 Destination unreachable: Address unreachable
    From 2607:f388:0:30c::1 (2607:f388:0:30c::1): icmp_seq=5 Destination unreachable: Address unreachable
    From 2607:f388:0:30c::1 (2607:f388:0:30c::1): icmp_seq=8 Destination unreachable: Address unreachable
    ^C
    --- google.com ping statistics ---
    11 packets transmitted, 0 received, +3 errors, 100% packet loss, time 260ms
    pipe 4
  • Even when the management IP is specified as the source, the firewall uses the IPv6 address and also creates the session on IPv6.
    admin@Lab33-26-PA-5420> ping source 10.194.33.26 host google.com
    PING google.com(ra-in-f113.1e100.net (2a00:1450:4025:401::71)) from 2607:f388:0:30c::1 : 56 data bytes
    ^C
    --- google.com ping statistics ---
    40 packets transmitted, 0 received, 100% packet loss, time 945ms
  • Session created by Firewall:
    admin@Lab33-26-PA-5420> show session all 
    
    
    --------------------------------------------------------------------------------
    ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
    Vsys                                          Dst[Dport]/Zone (translated IP[Port])
    --------------------------------------------------------------------------------
    50           ping6          ACTIVE  FLOW       2607:f388:0:30c:0:0:0:1[59335]/L3-Trust/58
    vsys1                                          2a00:1450:4025:401:0:0:0:71[28]/L3-Trust
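
A check for the symptom above, as an added example that is not part of the original article or any Palo Alto Networks code: it parses a ping header line and reports when the resolved target, or the source actually used, does not match the requested IPv4 source. The function name `check_ping_header` and the IPv4 header are constructed for illustration; the two IPv6 headers are the ones captured above.

```python
import ipaddress
import re

# Header lines copied from the captures in this article.
HDR_NO_SOURCE = ("PING google.com(ra-in-f101.1e100.net "
                 "(2a00:1450:4025:401::65)) 56 data bytes")
HDR_WITH_SOURCE = ("PING google.com(ra-in-f113.1e100.net "
                   "(2a00:1450:4025:401::71)) from 2607:f388:0:30c::1 : 56 data bytes")
# Constructed IPv4 header (documentation address) for comparison.
HDR_IPV4 = "PING example.com (192.0.2.10) from 10.194.33.26 : 56(84) bytes of data."


def check_ping_header(header, requested_source=None):
    """Return target/source addresses from a ping header and any mismatch found."""
    tokens = [t for t in re.split(r"[\s()]+", header.strip()) if t]
    if not tokens or tokens[0] != "PING":
        raise ValueError("not a ping header line")
    target = used_source = None
    for prev, tok in zip(tokens, tokens[1:]):
        try:
            addr = ipaddress.ip_address(tok)
        except ValueError:
            continue  # hostname, byte count, or punctuation
        if prev == "from":
            used_source = addr      # address printed after "from"
        elif target is None:
            target = addr           # first address is the resolved target
    if target is None:
        raise ValueError("no target address in header")

    findings = []
    if requested_source is not None:
        want = ipaddress.ip_address(requested_source)
        if want.version != target.version:
            findings.append(f"target resolved to IPv{target.version}, "
                            f"requested source is IPv{want.version}")
        if used_source is not None and used_source != want:
            findings.append(f"ping sent from {used_source}, not {want}")
    return {"target": str(target),
            "source": str(used_source) if used_source else None,
            "findings": findings}


if __name__ == "__main__":
    for hdr in (HDR_NO_SOURCE, HDR_WITH_SOURCE, HDR_IPV4):
        print(check_ping_header(hdr, requested_source="10.194.33.26"))
```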


Environment


  • All Firewalls
    • PAN-OS 10.2 and later


Cause


  • The underlying behavior of the ping utility is independent of PAN-OS. In 10.1, ping sends only an A (IPv4 DNS record) request, whereas in 10.2 it sends both AAAA (IPv6 DNS record) and A (IPv4 DNS record) requests. This difference can be attributed to the ping version change between the two releases.
    PAN-OS 10.1:
    [root@Lab34-188-PA-3260 ~]#  ping -V
    ping utility, iputils-s20121221 <<<<

    PAN-OS 10.2:
    [root@Lab33-26-PA-5420 ~]# ping -V
    ping utility, iputils-s20180629 <<<<


Resolution


  • Enable IPv6 on the management interface as well as on the dataplane interface. A ping to any hostname will then use the management interface's IPv6 address for DNS resolution.
    Or
  • Configure a dummy IPv6 address on the management interface, in which case only IPv4 resolution will work.

