Not to belabor the point, because it will likely be made frequently in responses, but every legitimate service _should_ have both IPv4 and IPv6 addresses. Get Palo Alto on the horn, and get access to that box. Get it configured properly. I won't hammer you since you're just trying to solve a problem, but v6 is not a second class citizen. You must consider v4 and v6 for these types of issues, and making one or the other 'go away' is simply collecting some tech debt that you'll have to eventually pay off. On Friday, July 1, 2016, Edgar Carver <dredgarcarver@gmail.com> wrote:
Hello NANOG community. I was directed here by our network administrator since she is on vacation. Luckily, I minored in Computer Science so I have some familiarity.
We have a small satellite campus of around 170 devices that share one external IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an MPLS.
We're having problems where viruses are getting through Firefox, and we think it's because our Palo Alto firewall is set to bypass filtering for IPv6. Unfortunately, the network admin couldn't give me the password since a local consultant set it up, and it seems they went out of business. I need to think outside the box.
Is there some kind of NAT-based IPv6 firewall I can setup on the router that can help block viruses? I figure that's the right place to start since all the traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, is there an easy way to turn off IPv6 completely? I really don't see a need for it, any legitimate service should have an IPv4 address.
I'd really appreciate your advice. I plan to drive out there tomorrow, where I can get the exact model numbers and stuff.
Regards, Dr. Edgar Carver