NG Firewalls & IPv6
All,

At security and network tradeshows over the last 15 years, I have asked companies if their products supported "IPv6". They all claimed they did, but were unable to verify any successful installations. Later they told me it was on their "Roadmap" but were unable to provide an estimated year, because it was a trade secret.

Starting this last year at BlackHat US, I again visited every product booth, asking if their products supported dual-stack or IPv6-only operations. Receiving only the same unsupported answers, I decided to focus on one product category.

To the gurus of the NANOG community: what are your experiences with installing and managing Next Generation firewalls? Do they support IPv6-only environments? Details? Stories?

If you prefer not to disparage those poor product companies, please contact me off the list.

Thanks,
Joe Klein
"inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8
I’ve been doing dual stack through Fortinet products for many years without issue. Well, no issue from a technical perspective. Sometimes you have to dig for a bit to find the equivalent v6 CLI commands, and occasionally there’s GUI stuff missing that requires CLI where the v4 equivalent didn’t, but not a bad experience overall. Does v6 VPNs great too. Haven’t delved into dynamic routing protocols on them so can’t speak to that. Happy to answer questions.

David

From: NANOG <nanog-bounces@nanog.org> on behalf of Joe Klein <jsklein@gmail.com>
Sent: Monday, April 2, 2018 6:58:14 PM
To: NANOG list
Subject: NG Firewalls & IPv6
Done Checkpoint, Netscreen, SRX, iptables, nftables IPv6 FW all with dynamic routing, but only under extreme duress, like I'm sure everyone who is forced to touch stateful firewalls. Send help.

Seems to me this has mostly worked for over a decade, worked in the context where a stateful FW can be said to work at all. Of course, like in every other context, IPv6 is a second class citizen, so you're going to find more bugs: as fewer people are using the feature, there are fewer people doing bug scrubbing and fewer people bridging feature gaps. This isn't going to go away any time soon.

-- ++ytti

On 3 April 2018 at 03:28, David Hubbard <dhubbard@dino.hostasaurus.com> wrote:
If by NextGen you meant performance, then I recommend having a look at kipfw over the Netmap driver on a FreeBSD 11 box. You buy a couple of Chelsio 40 Gbps or 100 Gbps NICs and you are in business. It was mentioned here on NANOG a couple of years ago. Very good stuff, but you will need to invest a bit of time in writing your own scripts. It's a kind of bridging firewall though, so you can't route through it IIRC.

If by NextGen you meant feature rich, then don't go this way. ;)

Jean

On 04/03/2018 06:16 AM, Saku Ytti wrote:
Hey Joe,

I don't know how next-gen they'd be considered, but I've had reasonably good luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent nuances, I've found.

I do like the NAT64 support in ASA (although it sadly doesn't support the Well-Known Prefix) -- no love in ScreenOS, as far as I've ever found.

- Jima
On Apr 2, 2018, at 16:58, Joe Klein <jsklein@gmail.com> wrote:
We've deployed about a dozen Sophos SG and XG firewalls with IPv6 on WAN, LAN and VPN with great success. The XG is the firmware with the more modern appearance and a couple of latest-gen features. But the SG is just as "next gen" and still has good IPv6 capability.

--
Adam Kennedy, Network & Systems Engineer
adamkennedy@watchcomm.net
Watch Communications
(866) 586-1518

On Wed, Apr 4, 2018 at 1:44 AM, Jima <nanog@jima.us> wrote:
Just don't plan on using DHCP-PD on any of those anytime soon. My understanding is that it is not even on the roadmap, or even considered to have a need for it, even though people have been wanting it for quite a while.

Robert

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Adam Kennedy via NANOG
Sent: Wednesday, April 4, 2018 11:27 AM
To: NANOG list <nanog@nanog.org>
Subject: Re: NG Firewalls & IPv6

On Wed, Apr 4, 2018 at 1:44 AM, Jima <nanog@jima.us> wrote:
We run PaloAlto dual stack with no problems at all, that’s full dynamic routing with OSPF and BGP, web filtering, IPS, VPN access using GlobalProtect, etc.

I must admit GlobalProtect IPv6 support was only introduced in PanOS 8, which was a little late in my opinion – but it was delivered and works.

Dan Kitchen
Managing Director
razorblue | IT Solutions for Business
ddi: 0330 122 7143 | t: 0333 344 6 344 | e: dkitchen@razorblue.com | w: razorblue.com
Legal and address information for all Razorblue Group companies can be found at www.razorblue.com/contact.

From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Joe Klein
Sent: 02 April 2018 23:58
To: NANOG list <nanog@nanog.org>
Subject: NG Firewalls & IPv6
Also, IPv6 BGP support was only introduced in PanOS 8. But everything works fine here too.

On Wed, Apr 04, 2018 at 10:47:45AM +0000, Dan Kitchen wrote:
We've been using DHCP-PD with Sophos SG/XG on a couple of Comcast connections and it works fine. It will even go through all your firewall objects and automatically change the IPv6 prefix from the old to the new if the prefix from PD changes.

--
Adam Kennedy, Network & Systems Engineer
adamkennedy@watchcomm.net
Watch Communications
(866) 586-1518

On Wed, Apr 4, 2018 at 2:41 PM, Chuck Anderson <cra@wpi.edu> wrote:
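The prefix-tracking behaviour Adam describes above (firewall objects re-based from the withdrawn delegated prefix to the new one when DHCPv6-PD changes), as an added example that is not Sophos code or any vendor's: the address-object model, the object names and the /56 prefixes are constructed for illustration, and `stale_objects` is the check a defender would run on a firewall that does not re-base automatically, to find rules still bound to a delegation the site no longer holds.

```python
import ipaddress
from dataclasses import dataclass

IPv6Net = ipaddress.IPv6Network


@dataclass(frozen=True)
class AddressObject:
    """A firewall address object (constructed model, not a vendor schema)."""
    name: str
    network: IPv6Net


def rebase_network(net: IPv6Net, old: IPv6Net, new: IPv6Net) -> IPv6Net:
    """Move `net` from delegated prefix `old` to delegated prefix `new`.

    Only the delegation bits change; the subnet-id and host bits below the
    delegation boundary are kept, so 2001:db8:100:ab10::/64 under
    2001:db8:100:ab00::/56 becomes 2001:db8:2a:ff10::/64 under
    2001:db8:2a:ff00::/56. Networks outside `old` (link-local, ULA, other
    sites) are returned unchanged so unrelated rules are never rewritten.
    """
    if old.prefixlen != new.prefixlen:
        raise ValueError("old and new delegations must have the same length")
    if not net.subnet_of(old):
        return net
    low_mask = (1 << (128 - old.prefixlen)) - 1   # bits below the delegation boundary
    low_bits = int(net.network_address) & low_mask
    high_bits = int(new.network_address) & ~low_mask
    return IPv6Net((high_bits | low_bits, net.prefixlen))


def rebase_objects(objs, old, new):
    """Walk every address object and rewrite the ones inside the old delegation."""
    return [AddressObject(o.name, rebase_network(o.network, old, new)) for o in objs]


def stale_objects(objs, withdrawn, current):
    """Objects still inside a withdrawn delegation and outside the current one.

    After a PD change these are the rules that silently stopped matching the
    site's traffic (or keep matching a range the site no longer holds), which
    is what a firewall without automatic re-basing leaves behind.
    """
    return [o for o in objs
            if o.network.subnet_of(withdrawn) and not o.network.subnet_of(current)]


# Constructed sample: the upstream withdraws 2001:db8:100:ab00::/56 and hands
# the site 2001:db8:2a:ff00::/56 instead.
OLD_PD = IPv6Net("2001:db8:100:ab00::/56")
NEW_PD = IPv6Net("2001:db8:2a:ff00::/56")
SAMPLE_OBJECTS = [
    AddressObject("lan-users", IPv6Net("2001:db8:100:ab10::/64")),
    AddressObject("dns-server", IPv6Net("2001:db8:100:ab20::53/128")),
    AddressObject("mgmt-ula", IPv6Net("fd12:3456:789a:1::/64")),
    AddressObject("partner-site", IPv6Net("2001:db8:999:100::/56")),
]


if __name__ == "__main__":
    print("stale before re-basing:",
          [o.name for o in stale_objects(SAMPLE_OBJECTS, OLD_PD, NEW_PD)])
    for obj in rebase_objects(SAMPLE_OBJECTS, OLD_PD, NEW_PD):
        print(f"{obj.name:13} -> {obj.network}")
```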
Really?? I was looking to install and use it as a VM to test with, and everything I was reading said it was not implemented and was not on the horizon. The only version I found from Sophos that was capable was the old Astaro version. I may have to take a second look.

Do you have any links to the configuration from their site you could send off list? Or on list if anyone else is interested.

Thanks,
Robert

-----Original Message-----
From: NANOG <nanog-bounces@nanog.org> On Behalf Of Adam Kennedy via NANOG
Sent: Thursday, April 5, 2018 11:46 AM
To: NANOG list <nanog@nanog.org>
Subject: Re: NG Firewalls & IPv6

On Wed, Apr 4, 2018 at 2:41 PM, Chuck Anderson <cra@wpi.edu> wrote:
I've used pfSense (BSD firewall) in a dual stack setup. Not all features are at parity with v4 (the captive portal doesn't support v6, for example), but the core features of stateful firewall, DHCPv6, etc. seemed to work without any fuss.

Joe Klein wrote on 4/2/2018 5:58 PM:
I’ve been using pfSense @ home dual-stack on Cox for a year or two. As far as I can tell any IPv6 problems are Cox issues.

---
Keith Stokes

On Apr 5, 2018, at 12:12 PM, Blake Hudson <blake@ispn.net> wrote:
participants (11): Adam Kennedy, Blake Hudson, Chuck Anderson, Dan Kitchen, David Hubbard, Jean | ddostest.me, Jima, Joe Klein, Keith Stokes, Robert Webb, Saku Ytti