You emailed the wrong list to say this "Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have an IPv4 address." Turning off IPv6 is not the right solution, nor will it magically fix your issues. Fix the Palo Alto, either hire another consultant or just erase it and start over. Although even PA's Layer7 inspection won't catch everything and you should have antivirus/antimailware software on the end user computers. *Spencer Ryan* | Senior Systems Administrator | sryan@arbor.net *Arbor Networks* +1.734.794.5033 (d) | +1.734.846.2053 (m) www.arbornetworks.com On Fri, Jul 1, 2016 at 10:28 PM, Edgar Carver <dredgarcarver@gmail.com> wrote:
Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in Computer Science so I have some familiarity.
We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an MPLS.
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local consultant set it up, and it seems they went out of business. I need to think outside the box.
Is there some kind of NAT-based IPv6 firewall I can setup on the router that can help block viruses? I figure that's the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have an IPv4 address.
I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and stuff.
Regards, Dr. Edgar Carver