nanog mailing list archives

Re: NAT firewall for IPv6?


From: Spencer Ryan <sryan () arbor net>
Date: Tue, 5 Jul 2016 09:50:25 -0400

You emailed the wrong list to say this: "Or, ideally, is there an easy way
to turn off IPv6 completely? I
really don't see a need for it, any legitimate service should have an IPv4
address."

Turning off IPv6 is not the right solution, nor will it magically fix your
issues.

Fix the Palo Alto, either hire another consultant or just erase it and
start over. Although even PA's Layer7 inspection won't catch everything and
you should have antivirus/antimalware software on the end user computers.


*Spencer Ryan* | Senior Systems Administrator | sryan () arbor net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jul 1, 2016 at 10:28 PM, Edgar Carver <dredgarcarver () gmail com>
wrote:

Hello NANOG community. I was directed here by our network administrator
since she is on vacation. Luckily, I minored in Computer Science so I have
some familiarity.

We have a small satellite campus of around 170 devices that share one
external IPv4 and IPv6 address via NAT for internet traffic. Internal
traffic is over an MPLS.

We're having problems where viruses are getting through Firefox, and we
think it's because our Palo Alto firewall is set to bypass filtering for
IPv6. Unfortunately, the network admin couldn't give me the password since
a local consultant set it up, and it seems they went out of business. I
need to think outside the box.

Is there some kind of NAT-based IPv6 firewall I can set up on the router
that can help block viruses? I figure that's the right place to start since
all the traffic gets funneled there. We have a Cisco Catalyst as a
router. Or, ideally, is there an easy way to turn off IPv6 completely? I
really don't see a need for it, any legitimate service should have an IPv4
address.

I'd really appreciate your advice. I plan to drive out there tomorrow,
where I can get the exact model numbers and stuff.

Regards,
Dr. Edgar Carver


