Firewall Policy IPv6 Settings

Before you begin

Use the Advanced Settings → IPv6 Settings tab to define settings unique to an IPv6 firewall.

Procedure

  1. Select the IPv6 Settings tab.
    Wireless Firewall - Add/Edit - Advanced Settings - IPv6 Settings Tab
  2. Refer to the IPv6 Firewall Enable option to provide firewall support to IPv6 packet streams.
    This setting is enabled by default. Disabling IPv6 firewall support also disables proxy neighbor discovery.

    IPv6 hosts can configure themselves automatically when connected to an IPv6 network, using the neighbor discovery (ND) protocol and ICMPv6 router discovery messages. These hosts require firewall packet protection specific to IPv6 traffic, because IPv6 addresses have their own format: eight groups of four hexadecimal digits separated by colons.

  3. Select IPv6 Rewrite Flow Label to provide flow label rewrites for each IPv6 packet.
    A flow is a sequence of packets from a particular source to a particular (unicast or multicast) destination. The flow label helps keep packet streams from looking like one massive flow. Flow label rewrites are disabled by default and must be manually enabled.

    Flow label rewrites enable the reclassification of packets belonging to a specific flow. The flow label does nothing to eliminate the need for packet filtering.

  4. Select Enable Proxy ND to generate neighbor discovery responses on behalf of another controller, service platform or Access Point managed device.
    When enabled, any IPv6 packet received on an interface is parsed to see whether it is known to be a neighbor solicitation. This setting is enabled by default.
  5. Use the Event table to enable individual IPv6-specific events.
    IPv6 events can be individually enabled or collectively enabled/disabled using the Enable All Events and Disable All Events buttons. The Description area displays a brief description of the selected event.
    Event - The Event column lists the name of each IPv6-specific event subject to logging.
    Enable - Checking Enable sets the firewall policy to filter the associated IPv6 event based on the selection in the Action column.
    Action - If a filter is enabled, choose an action from the drop-down menu to determine how the firewall treats the associated IPv6 event:
      • Log and Drop - An entry for the associated IPv6 event is added to the log and then the packets are dropped.
      • Log Only - An entry for the associated IPv6 event is added to the log. No further action is taken.
      • Drop Only - The packet is dropped. No further action is taken.
    Log Level - To enable logging to the system log, check the box in the Log Level column. Then select a standard Syslog level from the Log Level drop-down menu.
  6. Select OK to update the firewall policy's advanced IPv6 settings.
    Select Reset to revert to the last saved configuration.
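
The flow label rewritten in step 3 and the neighbor solicitation check in step 4 both operate on fixed fields of the IPv6 packet. The following is an added example, not code from the product or its documentation: it decodes the IPv6 fixed header, replaces only the 20-bit flow label, and recognizes a neighbor solicitation using a subset of the RFC 4861 receive checks. All function names and the sample packet are constructed for illustration, and it assumes ICMPv6 follows the fixed header directly (no extension headers).

```python
import ipaddress
import struct

ICMPV6, NEIGHBOR_SOLICITATION = 58, 135   # Next Header value, ICMPv6 type (RFC 4861)
FLOW_MASK = 0xFFFFF                       # flow label = low 20 bits of the first 32-bit word

def parse_fixed_header(pkt: bytes) -> dict:
    """Decode the first 8 bytes of the 40-byte IPv6 fixed header."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("version field is not 6")
    return {"traffic_class": (word >> 20) & 0xFF, "flow_label": word & FLOW_MASK,
            "payload_len": payload_len, "next_header": next_hdr, "hop_limit": hop_limit}

def rewrite_flow_label(pkt: bytes, label: int) -> bytes:
    """Return a copy of pkt with only the 20-bit flow label replaced."""
    if not 0 <= label <= FLOW_MASK:
        raise ValueError("flow label must fit in 20 bits")
    parse_fixed_header(pkt)                       # rejects short or non-IPv6 input
    (word,) = struct.unpack("!I", pkt[:4])
    # The IPv6 header has no checksum and the ICMPv6 pseudo-header does not
    # cover the flow label, so nothing needs recomputing after the rewrite.
    return struct.pack("!I", (word & ~FLOW_MASK) | label) + pkt[4:]

def is_neighbor_solicitation(pkt: bytes) -> bool:
    """Subset of RFC 4861 section 7.1.1 checks (checksum is not verified here)."""
    hdr = parse_fixed_header(pkt)
    icmp = pkt[40:40 + hdr["payload_len"]]
    return (hdr["next_header"] == ICMPV6 and hdr["hop_limit"] == 255
            and len(icmp) >= 24 and icmp[0] == NEIGHBOR_SOLICITATION and icmp[1] == 0)

def build_sample_ns(flow_label: int = 0x12345, hop_limit: int = 255) -> bytes:
    """Constructed sample: NS from fe80::1 asking for fe80::2 (checksum left as 0)."""
    src, dst, target = (ipaddress.IPv6Address(a).packed
                        for a in ("fe80::1", "ff02::1:ff00:2", "fe80::2"))
    icmp = struct.pack("!BBHI", NEIGHBOR_SOLICITATION, 0, 0, 0) + target
    word = (6 << 28) | flow_label
    return struct.pack("!IHBB", word, len(icmp), ICMPV6, hop_limit) + src + dst + icmp

if __name__ == "__main__":
    pkt = build_sample_ns()
    print(hex(parse_fixed_header(pkt)["flow_label"]), is_neighbor_solicitation(pkt))
    print(hex(parse_fixed_header(rewrite_flow_label(pkt, 0xABCDE))["flow_label"]))
```

The hop limit check matters for filtering: a neighbor solicitation whose hop limit is not 255 has crossed a router and is not valid on-link ND traffic.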