If you set the IPv6 Default Gateway Type to Dynamic and restrict access to the management interface to specific IPs or networks, you need to add fe80::/64 to the Permitted IP Addresses.

This is very strange. 😂 I mean, we are talking about the link-local addresses!
Do you have any more details about that?
Is IPv6 on the mgmt-interface not running at all unless you permit those LL addresses? (Which probably filters out the router advertisement?)
Or is only the ssh/https access not functional? (Maybe the neighbor solicitations are filtered out?)
I didn’t have time to look into it in detail, but I think the RAs are sent from the link-local addresses and there is a blunt ACL on the Palo’s management interface. I already had a ticket open for this, but unfortunately the TAC didn’t understand me (or didn’t want to understand me), so it was never escalated 🙁