On 7/5/16, Naslund, Steve <SNaslund@medline.com> wrote:
Did you get the impression that this person asking for help was going to be able to set that up?
Yes, I think the OP could create & apply the acl. Which is why I said it could break their network & suggested they get Cisco tech support on the phone to figure out how to safely turn off IPv6. I'm also giving them the benefit of the doubt that IPv6 really is the malware infection vector.
I didn't (if he was he would probably already know what an ACL is). I do not know if the Catalyst he is looking at is his or his service providers edge devices (or maybe the consultants didn't give them access to that either), I don't know that that Catalyst is the primary router for their network (could be an L2 switch behind the firewall). I also doubt the problem stems from ipv6 as much as it comes from having an out of control firewall. Given what I am hearing about this network I am kind of doubting that it is really ipv6 enabled in any case so your fix prevents ipv6 traffic that is probably not even being routed in the first place. In my opinion not having control of your own firewall is the five alarm emergency in that network right now.
Maybe I wasn't clear that the call to Cisco tech support should be a parallel effort?
If the network is ipv6 enabled, blocking all ipv6 traffic at that router is probably not a good idea without knowing more.
Which is why I suggested getting Cisco tech support involved. A mailing list is not where they should be going for help right now. Best Regards, Lee
... If it is not ipv6 enabled then it will have no effect on the reported issue (malware).
Steven Naslund Chicago IL
Right. But how long is it going to take to secure the Palo Alto firewall? If the central Cisco Catalyst really is an IPv6 router, doing a conf t ipv6 access-list denyIPv6 deny ipv6 any any
interface [whatever connects to the ISP] ipv6 traffic-filter denyIPv6 in ipv6 traffic-filter denyIPv6 out end would be a quick fix for the firewall not doing any ipv6 filtering. It could also break ipv6 enabled web sites or even internal connectivity, so it'd be better to get someone on the phone w/ Cisco tech support and have Cisco figure out the best way to block IPv6 for you.
True. But they're in "stop the bleeding" mode and disabling ipv6 is just a temp work-around until the firewall is fixed.