NG Firewalls & IPv6


At security and network tradeshows over the last 15 years, I have asked
companies if their products supported "IPv6". They all claimed they did,
but were unable to verify any successful installations. Later they told me
it was on their "Roadmap" but were unable to provide an estimated year,
because it was a trade secret.

Starting this last year at BlackHat US, I again visited every product
booth, asking if their products supported dual-stack or IPv6 only
operations. Receiving only the same unsupported answers, I decided to focus
on one product category.

To the gurus of the NANOG community, What are your experiences with
installing and managing Next Generations firewalls? Do they support IPv6
only environments? Details? Stories?

If you prefer not to disparage those poor product companies, please contact
me off the list.


Joe Klein

"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

I’ve been doing dual stack through Fortinet products for many years without issue. Well, no issue from a technical perspective. Sometimes you have to dig for a bit to find the equivalent v6 CLI commands, and occasionally there’s GUI stuff missing that requires CLI where the v4 equivalent didn’t, but not a bad experience overall. Does v6 vpn’s great too. Haven’t delved into dynamic routing protocols on them so can’t speak to that. Happy to answer questions.


Done Checkpoint, Netscreen, SRX , iptables, nftables IPv6 FW all with
dynamic routing, but only under extreme duress, like I'm sure everyone
who is forced to touch stateful firewalls. Send help.

Seems to me this has mostly worked for over decade, worked in context
where stateful FW can be said to work at all. Of course like in every
other context, IPv6 is second class citizen, so you're going to find
more bugs, as less people are using the feature, there are less people
doing bug scrubbing and fewer people bridging feature gaps. This isn't
going to go away any time soon.

If by NextGen you meant performance, then I recommend to have a look at kipfw over Netmap driver on a FreeBSD 11 box. You buy a couple of Chelsio 40 Gbps or 100 Gbps NIC and you are in business.

It was mentioned here in NANOG couple of years ago. Very good stuff, but you will need to invest a bit of time in writing your own scripts.

It's a kind of bridging firewall though, so you can't route through it IIRC.

If by NextGen you meant features riched, then don't go this way. :wink:


Hey Joe,

I don't know how next-gen they'd be considered, but I've had reasonably good luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent nuances, that I've found.

I do like the NAT64 support in ASA (although it sadly doesn't support the Well-Known Prefix) -- no love in ScreenOS, as far as I've ever found.

- Jima

We run PaloAlto dual stack with no problems at all, that’s full dynamic routing with OSPF and BGP, web filtering, IPS, VPN access using GlobalProtect, etc.

I must admit GlobalProtect IPv6 support was only introduced in PanOS 8 which was a little late in my opinion – but it was delivered and works.

Dan Kitchen
Managing Director
razorblue | IT Solutions for Business

ddi:0330 122 7143 | t: 0333 344 6 344 | e:<> | w:

Legal and address information for all Razorblue Group companies can be found

We've deployed about a dozen Sophos SG and XG firewalls with IPv6 on WAN,
LAN and VPN with great success. The XG is the firmware with the more modern
appearance and a couple latest-gen features. But the SG is just as "next
gen" and still has good IPv6 capability.

Just don't plan on using dhcp-pd on any of those anytime soon.

My understanding is that it is not even on the roadmap or even considered to have a need for it even though people have been wanting it for quite a while.


Also, IPv6 BGP support was only introduced in PanOS 8. But everything works fine here too.

We've been using DHCP-PD with Sophos SG/XG on a couple Comcast connections
and it works fine. It will even go through all your firewall objects and
automatically change the IPv6 prefix from the old to new if the prefix from
PD changes.

I've used pfSense (BSD firewall) in a dual stack setup. Not all features
are at parity with v4 (the captive portal doesn't support v6, for
example), but the core features of stateful firewall, DHCPv6, etc seemed
to work without any fuss.

Really?? I was looking to install and use as a vm to test with and everything I was reading said it was not implemented and was not on the horizon.

Only version I found from Sophos that was capable was the old Astaro version. I may have to take a second look.

Do you have any links to the configuration from their site you could send off list? Or on list if anyone else is interested.


I’ve been using PfSense @ home dual-stack on Cox for a year or two. As far as I can tell any IPv6 problems are Cox issues.