That is a good point. In order for your PCs to be compromised via ipv6, they would have to be able to establish ipv6 connectivity to each other or to an internet location. If your network is not configured to support ipv6 it will probably only be possible for your clients to communicate with each other via ipv6 on the local LAN meaning they could only be infecting each other. In order for your clients to be receiving traffic from the Internet via ipv6 would probably require routing and ipv6 configuration support that it sounds like your network does not have. If your firewall is passing v6 traffic, it must understand it enough to forward it across interfaces. At this point it does not much matter whether the transport layer is v4 or v6 because this problem is higher up the protocol stack. Setting up your firewall to bypass v6 (i.e. just pass it) was a huge tactical error (might be why your consultant is out of business :) and a bit hard for me to understand. If you want v6 then you would apply the same policies that you do to v4 traffic and if you don't want v6 you would just tell the firewall to drop it. I think it is much more probable that you are receiving malware via ipv4 or even executable attachments that the out of control firewall is not detecting. I can tell you that we use the most current versions of Checkpoint firewalls with all of the malware bells and whistles (megabucks) and they are not still 100% effective all of the time. We stop thousands of hacking and malware attempts per hour but it only takes one to become a big pain to deal with. Steven Naslund Chicago IL -----Original Message----- From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Valdis.Kletnieks@vt.edu Sent: Tuesday, July 05, 2016 9:33 AM To: Edgar Carver Cc: nanog@nanog.org Subject: Re: NAT firewall for IPv6? On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6.
Do you have any actual evidence (device logs, tcpdump, netflow, etc) that support that train of thought? Remember that your Palo Alto isn't stopping 100% of the icky stuff on the IPv4 side either - the sad truth is that most commercial security software is only able to identify and block between 30% and 70% of the crap that's out in the wild. There's also BYOD issues where a laptop comes in and infects all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on the outside, soft and chewy inside"). In any case,your first two actions should be to recover the password for the Palo Alto, and make sure it has updated pattern definitions in effect on both IPv4 and IPv6 connections. And your third should be to re-examine your vendor rules of engagement, to ensure your deliverables include things like passwords and update support so you're not stuck if your vendor goes belly up..