nanog mailing list archives
RE: NG Firewalls & IPv6
From: Robert Webb <rwebb () ropeguru com>
Date: Wed, 4 Apr 2018 16:06:49 +0000
Just don't plan on using dhcp-pd on any of those anytime soon. My understanding is that it is not even on the roadmap or even considered to have a need for it even though people have been wanting it for quite a while.

Robert

-----Original Message-----
From: NANOG <nanog-bounces () nanog org> On Behalf Of Adam Kennedy via NANOG
Sent: Wednesday, April 4, 2018 11:27 AM
To: NANOG list <nanog () nanog org>
Subject: Re: NG Firewalls & IPv6

We've deployed about a dozen Sophos SG and XG firewalls with IPv6 on WAN, LAN and VPN with great success. The XG is the firmware with the more modern appearance and a couple latest-gen features. But the SG is just as "next gen" and still has good IPv6 capability.

--
Adam Kennedy, Network & Systems Engineer
adamkennedy () watchcomm net
*Watch Communications*
(866) 586-1518

On Wed, Apr 4, 2018 at 1:44 AM, Jima <nanog () jima us> wrote:

Hey Joe,

I don't know how next-gen they'd be considered, but I've had reasonably good luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent nuances, that I've found.

I do like the NAT64 support in ASA (although it sadly doesn't support the Well-Known Prefix) -- no love in ScreenOS, as far as I've ever found.

- Jima

On Apr 2, 2018, at 16:58, Joe Klein <jsklein () gmail com> wrote:

All,

At security and network tradeshows over the last 15 years, I have asked companies if their products supported "IPv6". They all claimed they did, but were unable to verify any successful installations. Later they told me it was on their "Roadmap" but were unable to provide an estimated year, because it was a trade secret.

Starting this last year at BlackHat US, I again visited every product booth, asking if their products supported dual-stack or IPv6 only operations. Receiving only the same unsupported answers, I decided to focus on one product category.

To the gurus of the NANOG community, What are your experiences with installing and managing Next Generation firewalls? Do they support IPv6 only environments? Details? Stories?

If you prefer not to disparage those poor product companies, please contact me off the list.

Thanks,
Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8