nanog mailing list archives

RE: NAT firewall for IPv6?


From: "Naslund, Steve" <SNaslund () medline com>
Date: Tue, 5 Jul 2016 14:14:11 +0000

Hard to know where to begin with this one, but let me take a shot at it.

1.  My top priority would be to get into that Palo Alto firewall.  Get Palo Alto on the phone and figure out password 
recovery with them.  Since you don't have the password, it is possible that firewall is compromised.  Do not be 
surprised if you have to jump through some hoops with Palo Alto to prove that you own it and what has happened.  
Remember their job is to keep people out of your network.  They are probably also going to want you to be current on 
support.  If you have to pay to get current on support, do it.  You need that help right now badly.

You could ask Palo Alto how to block the v6 while you are at it, or even better set up rules that mirror your v4 
protection.   I cannot stress enough how big a security issue it is to not have access to your firewall and not know 
who does.

2.  There are lots of ways to shut off IPv6, but my suggestion would be to just secure the Palo Alto firewall.  To say 
that any legitimate service should have an IPv4 address is not quite true now and will definitely not be true in the 
near future.

3.  Just about any kind of firewall or router CPE device can block or firewall IPv4 and IPv6 as long as its firmware is 
fairly recent.  However, you would most likely have to replace the Palo Alto with it.  You DO NOT WANT THEM BOTH 
INLINE!  Most likely they are both configured to do IPv4 NAT out of the box, and that will not work correctly with 
them both inline together.  While it is possible to set up that sort of thing to work correctly, it's a bad idea and 
a pretty advanced configuration for a temporary network admin.  The interaction of one firewall fronting another can be 
very difficult to troubleshoot without a deep understanding of what is going on.  Referring back to item 1, you are 
probably going to need to get the configuration of the current firewall if you seek to replace it (there will be rules 
in the Palo Alto that you would want to replicate if you are going to replace it).

4.  Cisco Catalyst as the router: there could be a lot of things going on in there.  The Catalyst is primarily a 
switch with routing functionality.  It can definitely block IPv6 if configured to do so, but we would need to know a lot 
more about its current configuration to give you the best way to do that.  It could just be a service provider's switch 
on your premises, in which case you can't do much with it.  Again, much easier to accomplish item 1 with Palo Alto and 
let your firewall do what it is supposed to do.

Steven Naslund
Chicago IL
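An added example, not part of the thread and not Palo Alto's or Cisco's own tooling: a small parity check for the advice in item 1, that the v6 side of the policy should mirror the v4 protection. It reads a simplified, vendor-neutral rule list (constructed here; the inside prefixes 10.20.0.0/16 and 2001:db8:20::/48 and the rule names are assumptions), compares rules by zone rather than by literal address so that a v4 and a v6 rule can be matched up, and flags two things: v4 rules with no v6 counterpart, and v6 allow rules that v4 does not have, which is exactly the "bypass filtering for IPv6" situation in the original post.

```python
"""Parity audit for a dual-stack firewall policy.

Added example, not from the thread.  Assumptions (not from the original
post): a simplified vendor-neutral rule format; one inside prefix per
family so rules can be compared by zone; first-match ordering is ignored,
so this is a sanity check on an exported rule list, not a policy analysis.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # CIDR prefix or "any"
    dst: str      # CIDR prefix or "any"
    service: str  # e.g. "web-browsing", "dns", "any"
    action: str   # "allow" or "deny"


# Hypothetical inside prefixes for the site, one per family.
INSIDE = {
    4: ipaddress.ip_network("10.20.0.0/16"),
    6: ipaddress.ip_network("2001:db8:20::/48"),
}


def family(addr):
    """Address family of a CIDR string; None for the wildcard "any"."""
    if addr == "any":
        return None
    return ipaddress.ip_network(addr, strict=False).version


def rule_families(rule):
    """Families a rule applies to: {4}, {6}, or {4, 6} for an any/any rule."""
    fams = {f for f in (family(rule.src), family(rule.dst)) if f is not None}
    if len(fams) == 2:
        raise ValueError(f"{rule.name}: mixes IPv4 and IPv6 literals")
    return fams or {4, 6}


def zone(addr, inside):
    """Map a prefix to "inside", "outside" or "any" (wildcard or default route)."""
    if addr == "any":
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    if net.prefixlen == 0:
        return "any"
    return "inside" if net.subnet_of(inside[net.version]) else "outside"


def signature(rule, inside):
    """Family-independent description of what a rule permits or blocks."""
    return (zone(rule.src, inside), zone(rule.dst, inside), rule.service, rule.action)


def audit(rules, inside=INSIDE):
    """Return findings as (kind, rule names, signature) tuples.

    kind is "missing-v6" for an IPv4 rule with no IPv6 mirror, or
    "v6-only-allow" for an IPv6 allow rule that IPv4 does not have.
    """
    by_family = {4: {}, 6: {}}
    for rule in rules:
        sig = signature(rule, inside)
        for fam in rule_families(rule):
            by_family[fam].setdefault(sig, []).append(rule.name)

    findings = []
    for sig, names in by_family[4].items():
        if sig not in by_family[6]:
            findings.append(("missing-v6", names, sig))
    for sig, names in by_family[6].items():
        if sig[3] == "allow" and sig not in by_family[4]:
            findings.append(("v6-only-allow", names, sig))
    return findings


# Constructed sample policy: the IPv4 side has explicit allows and a final
# deny; the IPv6 side mirrors only the web rule and then allows everything.
SAMPLE_RULES = [
    Rule("allow-web-out", "10.20.0.0/16", "any", "web-browsing", "allow"),
    Rule("allow-dns-out", "10.20.0.0/16", "any", "dns", "allow"),
    Rule("deny-all-v4", "0.0.0.0/0", "0.0.0.0/0", "any", "deny"),
    Rule("allow-web-out-v6", "2001:db8:20::/48", "any", "web-browsing", "allow"),
    Rule("v6-bypass", "::/0", "::/0", "any", "allow"),
]


if __name__ == "__main__":
    for kind, names, sig in audit(SAMPLE_RULES):
        print(f"{kind:14} {', '.join(names):20} {sig}")
```

On the sample policy this reports the missing v6 DNS allow, the missing v6 final deny, and the v6 allow-all as a v6-only allow. Because rule order is ignored, a clean report means the two sides contain the same set of decisions, not that they are evaluated identically; a real export should still be checked for a v6 allow sitting above a v6 deny.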



-----Original Message-----
From: NANOG [mailto:nanog-bounces () nanog org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog () nanog org
Subject: NAT firewall for IPv6?

Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in 
Computer Science so I have some familiarity.

We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for 
internet traffic. Internal traffic is over an MPLS.

We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is 
set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local 
consultant set it up, and it seems they went out of business. I need to think outside the box.

Is there some kind of NAT-based IPv6 firewall I can set up on the router that can help block viruses? I figure that's 
the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, 
is there an easy way to turn off IPv6 completely? I really don't see a need for it; any legitimate service should have 
an IPv4 address.

I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and 
stuff.

Regards,
Dr. Edgar Carver
