Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration capabilities, they vary significantly.

Here comes my short evaluation of the IPv6 functions on the following four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG, and Palo Alto.

Criteria

I was merely interested in the basic IPv6 usage and not in the typical firewall categories:

  • Interface: IPv6 address and link-local address configurable?
  • Router Advertisement and DHCPv6: Whether the firewalls support nothing (–), only RA (-), DHCPv6 relay (ο), stateless DHCPv6 (+), or stateful DHCPv6 (++). The existence of stateless DHCPv6 is vital for delivering the DNS server IPv6 addresses to the clients. (The “IPv6 Router Advertisement Options for DNS Configuration”, RFC 6106, is not supported by any of these devices.)
  • Security Policy: Whether IPv4 and IPv6 addresses can be used in the same policy and whether address groups can have objects from both protocols.
  • Administration: How easy are the IPv6 functions to manage? Only via the CLI (–), fifty-fifty (ο), GUI but complicated (+) , or fully via the GUI (++).

Results

These are the results. They range from — via ο to ++.

 Cisco ASAFortinet
FortiGate
Juniper
ScreenOS
Palo Alto
Version9.2(3)5.2.26.3.0r18.06.1.3
Interface+++++++
RA, DHCPv6-+++ο
Security
Policy
++----++
Administration+--+++

Details

Cisco ASA

The Cisco ASA has no DHCPv6 instance running. That is: there is no way to run an IPv6-only network because clients won’t get the DNS server. The security policy is capable of both protocols. Everything is configurable via the GUI, which is not the best at all.

Fortinet FortiGate

The FortiGate is the only firewall with a stateful DHCPv6 server. Great. However, two distinct security policies must be used and nothing of the IPv6 settings are configurable via the GUI. WHAT???

Juniper SSG (ScreenOS)

ScreenOS is dead. However, most of the IPv6 functions are working quite good, except the protocol dependent security policies. Everything is accessible via the GUI, but sometimes on confusing positions.

Palo Alto

Palo Alto did a good job on the IPv6 interfaces and security policies. The GUI is quite intuitive and the policy accepts both protocols at the same time. Unluckily, there is no DHCPv6 server which makes it impossible to operate an IPv6-only client network behind a Palo Alto (without further servers).

Conclusion

It’s interesting to see the differences between those firewalls. While the Fortinet und Juniper firewalls support the whole SLAAC process incl. DNS servers, they have no single security policy for both protocols and are horrable to configure.

The Palo Alto is quite good to configure but lacks the DHCPv6 server. Same for the Cisco.

In summary, all firewalls position in the middle of my scale. From an IPv6-only view, I cannot say which one is the best. It depends….

4 thoughts on “Firewall IPv6 Capabilities: Cisco, Forti, Juniper, Palo

  1. Cisco was behind on network security for a long time when it came to firewalls. They attempted to create their own version of Next Generation Firewalls which didn’t quiet make it; however, with the acquisition of Sourcefire Cisco stepped up their game. Cisco didn’t waste time and started integrating Sourcefire with the ASA which is a winning combination. Cisco has a vast install in the network security market and incorporating Sourcefire with the ASA is a win-win for many reasons:

    You can still use the Cisco ASA configuration that you are trained on and benefit from many features based on legacy firewalling (protocol / port).
    Your staff wouldn’t need to relearn a new solution from scratch.
    Your VPN which your employees and vendors relied on for a long time doesn’t need to be redone which is a big headache if you rely on VPN heavily in your operation.
    You can easily integrate Next Generation features into your existing setup without major reconfiguration.

    Features Comparison between PaloAlto and Cisco Next Generation Firewall

    Feature
    Cisco
    PaloAlto

    Application Visilibty
    Yes
    Yes

    Stateful Firewalling
    Yes
    Yes

    IPS functionality
    Yes
    Yes

    IPSec VPN
    Yes
    Yes

    IPSec VPN tunnel interfaces
    No
    Yes

    SSL VPN
    Yes – Full SSL vpn
    Yes – limited

    Dynamic Routing – RIP
    Yes
    Yes

    Dynamic Routing – OSPF
    Yes
    Yes

    Dynamic Routing – BGP
    Yes (VERSION 9.4)
    Yes

    Policy based routing
    Yes – limited
    Yes – far superior

    Dynamic routing over tunnel interfaces
    No
    Yes – far superior

    AntiVirius protection
    Yes – based on Snort Sigs
    Yes – proprietary

    Advanced Malware Protection
    Yes – Sandboxing / Croudsourcing
    Yes – Sandboxing / Croudsourcing

    Sandboxing
    Yes – FireAmp and AMP
    Yes – Wildfire

    URL Filtering
    Yes
    Yes

    SSL Decryption
    Yes – additional appliance
    Yes – built in

    Overall Compliance Visibility
    Yes
    No

    As you can see there are many feature parity between the two products; however, Cisco has many advantages:
    1. Cisco as you know pretty much controls the Routing and Switching space.
    2. Cisco has the advantage of integrating Cisco Sourcefire with Cisco ISE for end to end security

    Check my Udemy class that explores the Cisco Sourcefire solution features. This class explores many advanced features of Cisco Sourcefire solution

  2. Not sure if you realize this but you can config IPv6 on FortiGates from the GUI.

    It’s disabled by default as not many people use it, so saves on screen clutter.

    To enable it goto System > Config > Features and enable+apply IPv6. There’s an additional option to enable NAT46 & NAT64 in the GUI from this page too.

    1. Hi Allan,

      yes, I know this button and enabled it. But unfortunately this gives only very basic possibilities for IPv6 configuration. Only the static IPv6 address can be configured, but nothing link Router Advertisements, DHCPv6, OSPFv3, etc.

Leave a Reply

Your email address will not be published. Required fields are marked *