Configure Firewall IPv6 Policy

IPv6 hosts can configure themselves automatically when connected to an IPv6 network using the neighbor discovery (ND) protocol via ICMPv6 router discovery messages. These hosts require firewall packet protection unique to IPv6 traffic, as IPv6 addresses are composed of eight groups of four hexadecimal digits separated by colons. When first connected to a network, a host sends a link-local router solicitation multicast request for its configuration parameters; routers respond to such a request with a router advertisement packet that contains Internet Layer configuration parameters.

To configure or modify Firewall policy IPv6 settings:

  1. Choose from the following actions:
    • If you are in the process of configuring a new Firewall policy, proceed to the next step.
    • If you want to modify Firewall IPv6 settings, go to Policy > Wireless Firewall > Firewall Policy, then select adjacent to the policy you want to modify. Proceed to the next step, and modify the IPv6 settings in accordance with the steps in this procedure.

  2. Select the IPv6 tab.

    The IPv6 firewall supports IPv6 packet streams. The IPv6 Firewall setting is selected by default. Deactivating IPv6 firewall support also deactivates proxy neighbor discovery.

  3. Select IPv6 Rewrite Flow to provide flow label rewrites for each IPv6 packet.

    A flow is a sequence of packets from a particular source to a particular (unicast or multicast) destination. The flow label helps keep packet streams from looking like one massive flow. Flow label rewrites are not selected by default.

    Flow label rewrites enable the reclassification of packets belonging to a specific flow. The flow label does nothing to eliminate the need for packet filtering.

  4. Select Enable Proxy ND to generate neighbor discovery responses on behalf of another controller or service platform.

    When selected, any IPv6 packet received on an interface is parsed to see whether it is known to be a neighbor solicitation. This setting is selected by default.

  5. Under the Settings pane, configure Event parameters to activate individual IPv6 unique events, as described in IPv6 Event Parameters.

    Table 1. IPv6 Event Parameters

    Parameter   Description
    Event       Lists the name of each IPv6 specific event subject to logging
    Enable      Select Enable to set the firewall policy to filter the associated IPv6 event based on the selection in the Action column
    Action      If a filter is selected, choose an action from the drop-down list box to determine how the firewall treats the associated IPv6 event
                • Log and Drop - An entry for the associated IPv6 event is added to the log and then the packets are dropped
                • Log Only - An entry for the associated IPv6 event is added to the log. No further action is taken
                • Drop Only - The packet is dropped. No further action is taken
    Log Level   Select Log Level and then select a standard log level from the Log Level drop-down list box
    Info        Additional information about IPv6 settings

  6. Choose from the following actions:
    1. Select Apply to commit the configured settings.
      Note

      This does not save the settings you configured; it provides a preview of your applied settings. To undo the settings you applied, select Revert.
    2. Select Save to commit and save the configured settings.
      Note

      If you do not select Save, the settings that you configured are not saved when you move away from the configuration window.
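
To make steps 3 and 4 concrete, the following added example (not vendor code, and not a description of how the firewall is implemented) parses an IPv6 packet, reads the 20-bit flow label, and decides whether the packet is a neighbor discovery message that passes the RFC 4861 on-link checks. The function names and sample addresses are constructed for illustration; extension headers and the ICMPv6 checksum are not handled.

```python
import ipaddress
import struct

# ICMPv6 neighbor discovery message types (RFC 4861)
ND_TYPES = {133: "router-solicitation", 134: "router-advertisement",
            135: "neighbor-solicitation", 136: "neighbor-advertisement"}
ICMPV6 = 58  # IPv6 Next Header value for ICMPv6


def parse_ipv6(packet: bytes) -> dict:
    """Parse the 40-byte fixed IPv6 header and classify any ND message."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    word0, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    if word0 >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    info = {
        "flow_label": word0 & 0xFFFFF,  # low 20 bits of the first 32-bit word
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "nd_type": None, "nd_valid": None, "target": None,
    }
    body = packet[40:40 + payload_len]
    if next_hdr != ICMPV6 or len(body) < 4:
        return info  # ICMPv6 does not directly follow the fixed header
    icmp_type, icmp_code = body[0], body[1]
    if icmp_type not in ND_TYPES:
        return info
    info["nd_type"] = ND_TYPES[icmp_type]
    # RFC 4861: ND messages must arrive with hop limit 255 and code 0.
    # A routed packet has had its hop limit decremented, so 255 means on-link.
    info["nd_valid"] = hop_limit == 255 and icmp_code == 0
    if icmp_type in (135, 136):
        if len(body) < 24:
            info["nd_valid"] = False  # too short to carry a target address
        else:
            info["target"] = ipaddress.IPv6Address(body[8:24])
    return info


def build_ns(src, dst, target, hop_limit=255, flow_label=0) -> bytes:
    """Constructed sample input: a neighbor solicitation, checksum left zero."""
    icmp = struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    hdr = struct.pack("!IHBB", (6 << 28) | flow_label, len(icmp), ICMPV6, hop_limit)
    addrs = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    return hdr + addrs + icmp
```

A solicitation that arrives with a hop limit below 255 is reported with `nd_valid` set to `False`, which is the kind of packet a proxy ND responder should not answer.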