The following documents discuss and describe the steps involved in enabling IPv6 on Juniper security products and firewalls running Junos OS.
A general guide to Juniper firewall configurations is given by this Firewalls Policy Overview and a more detailed guide is available in this CLI User Guide for Junos OS.
For more comprehensive documentation on the various versions of Junos OS and specific security products, go to the Junos OS Tech Library web page. That page has a section listing the different SRX Series security products. Juniper also maintains an in-depth Knowledge Base specific to configuration and deployment of its equipment, although it is not specific to IPv6.
Enabling IPv6 in Check Point Firewalls
The following describes the basic steps involved in enabling IPv6 on selected Check Point Firewall products. There are several other families of firewall products manufactured by Check Point, and this article does not attempt to cover them. See this Appliance Comparison Chart for information about other Check Point firewall products, and this Downloads & Documentation listing for information about additional Check Point security products.
SecurePlatform
Consider upgrading the SecurePlatform OS to GAiA before enabling IPv6. See the Issues encountered when upgrading from SecurePlatform to Gaia for details.
IPSO Appliance
Consider upgrading the IPSO Appliance OS to GAiA before enabling IPv6. See the Upgrading to GAiA Reference for details.
GAiA Security Gateway
To enable IPv6 on a GAiA Security Gateway:
- In the WebUI, go to the System Management > System Configuration page
- Select the IPv6 Support > On option
- Reboot the Security Gateway
- Use the WebUI or the CLI to enable and configure the applicable interfaces for IPv6
- Use the WebUI or the CLI to configure IPv6 static routes
Configuring GAiA For the First Time describes, among other options, the command lines used to enable IPv6 on specified interfaces of a Check Point GAiA Security Gateway in detail.
A complete reference manual documenting GAiA configuration options is available here on the Check Point website. A separate chapter in that manual provides numerous examples and gives a detailed explanation of options specific to IPv6. An IPv6-specific Frequently Asked Questions (FAQ) file is maintained by Check Point.
Disabling IPv6 in the GAiA Security Gateway
To disable IPv6 on an IPv6-enabled GAiA Security Gateway:
- In the WebUI, go to the System Management > System Configuration page
- Select the IPv6 Support > Off option
- Reboot the Security Gateway
The following references describe the basic steps involved in enabling Internet Protocol version 6 (IPv6) firewalls on various Linux distributions. There are many distributions of Linux, and this article does not attempt to cover all of them.
Several distributions of Linux use netfilter/ip6tables to implement a Linux-based firewall. An understanding of iptables and how it configures the netfilter tables residing in the Linux kernel is a prerequisite for the use of ip6tables. The syntax of ip6tables is identical to iptables except that ip6tables supports the 128-bit addresses used by IPv6. Many references for iptables are available on netfilter.org. ip6tables is described in detail here. This article provides an overview and examples of ip6tables rules for IPv6.
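As an added example (not taken from the referenced articles), the shell functions below emit a default-deny host ruleset in ip6tables-restore format and audit a ruleset for the ICMPv6 types that IPv6 cannot work without, which is the part that does not carry over from an IPv4 ruleset. The management prefix 2001:db8:10::/64, the SSH rule and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: host ruleset in ip6tables-restore format, plus a small audit.
# MGMT_NET is a constructed value from the 2001:db8::/32 documentation prefix.
MGMT_NET="${MGMT_NET:-2001:db8:10::/64}"

# Print a default-deny IPv6 host ruleset. The grammar is the same as an
# iptables-restore file; only the addresses and ICMPv6 rules are IPv6-specific.
ip6_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # ICMPv6 errors; type 2 (packet too big) is needed for path MTU discovery.
    for t in 1 2 3 4; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -j ACCEPT"
    done
    # Neighbor discovery (RA, NS, NA) replaces ARP; a hop limit of 255 shows
    # the packet was not forwarded by a router, i.e. the sender is on-link.
    for t in 134 135 136; do
        echo "-A INPUT -p ipv6-icmp --icmpv6-type $t -m hl --hl-eq 255 -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/second -j ACCEPT
-A INPUT -s fe80::/10 -p udp -m udp --dport 546 -j ACCEPT
-A INPUT -s $MGMT_NET -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin and print the essential ICMPv6 types that no INPUT
# rule accepts. Only per-type rules with numeric types are recognised; a
# blanket "-p ipv6-icmp -j ACCEPT" rule is not (limitation of this sketch).
missing_icmpv6_types() {
    rules=$(cat)
    missing=""
    for t in 2 134 135 136; do
        printf '%s\n' "$rules" |
            grep -Eq -- "^-A INPUT .*--icmpv6-type $t( .*)? -j ACCEPT" ||
            missing="$missing $t"
    done
    echo "${missing# }"
}
```

Check the generated rules with `ip6_ruleset | ip6tables-restore --test` before loading them; the audit function can be fed a saved ruleset file in the same format.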
Among the “user-friendly” frontends developed to make the use of iptables easier, only a few support ip6tables. UncomplicatedFirewall (UFW) and its graphical frontend GUFW do, as does Shorewall6.
The SixXS website (archived circa Sept 2013) describes the use of ip6tables on Debian/Ubuntu. It also describes the use of pf, ipfw, and ipf on FreeBSD, and the use of pf on OpenBSD. ipfw is described in more detail here. pf is described in more detail here.
The Utah Center for High Performance Computing website (archived circa Apr 2016) describes the use of ip6tables on Red Hat Enterprise Linux (RHEL) 5 and RHEL 6.
The nixCraft website gives examples of the use of ip6tables on several Linux distributions, including Debian, Ubuntu, Fedora, RedHat, and CentOS. It also describes the use of pf on FreeBSD, OpenBSD, and NetBSD.
This Configuring the SuSE Firewall article documents the use of the Yet another Setup Tool (YaST) command to configure the iptables firewall for IPv4 in the openSUSE and SUSE Linux Enterprise Server (SLES) kernels. This SuSEfirewall2 article further documents the use of YaST and documents IPv6-specific options and limitations of YaST and the ip6tables firewall in the openSUSE and SLES kernels.
The above are just a few of the available references describing the basic steps involved in enabling IPv6 on a Linux-based firewall. The organization that supports your Linux distribution is another resource. The man pages for iptables, ip6tables, pf, ipfw, and ipf on your Linux system are also resources.
Enabling IPv6
The Application Firewall in Apple macOS (all versions), OS X (all versions) and Mac OS X (versions 10.5 Leopard and later) is Internet Protocol (IP)-agnostic. It requires no configuration changes to support IP version 6 (IPv6), and filtering rules apply equally to IPv4 and IPv6. It is turned off by default. This Application Firewall is based on the TrustedBSD MAC Firewall in FreeBSD. This article describes how to turn it on and configure it. The port-oriented Application Firewall found in Mac OS X (versions 10.2 Jaguar through 10.4 Tiger) was also IP-agnostic and turned off by default. This article describes how to turn it on and configure it. The Application Firewall was originally called the Application Layer (or Level) Firewall, or ALF.
Although the Application Firewall user interface only supports filtering of incoming packets, the underlying packet filter can be configured to filter outgoing packets. It can also be configured to enable IP-specific filtering.
Historically, the ipfw packet filter (and its replacement ipfw2 introduced in OS X 10.4 Tiger and also called ipfw) had been part of OS X since before it was OS X. ipfw is the same packet filter used by many Linux distributions and had its origins in FreeBSD. ipfw was deprecated in OS X 10.7 Lion and removed in OS X 10.10 Yosemite.
Then, the pf packet filter was introduced in OS X 10.7 Lion, updated in OS X 10.8 Mountain Lion and remained part of OS X (versions 10.9 Mavericks and later). pf is the same packet filter used by many Linux distributions and had its origins in OpenBSD. The use of pf is described in this article. The OpenBSD pf is documented in more detail here. pf is controlled by the pfctl command. The use of pf and pfctl is described in this article. The OpenBSD pfctl is documented in more detail here.
macOS (all versions) includes the same pf packet filter and pfctl command used by OS X (versions 10.9 Mavericks and later). The use of pf and pfctl in macOS is described in this article. Filtering outgoing packets is described here. The references for OpenBSD pf and pfctl given in the previous paragraph also apply.
[Note: Apple no longer maintains man pages for software in OS X or Mac OS X on their website.] The man pages on your local system are resources.
Disabling IPv6
Rather than disabling IPv6 in the pf firewall, it is a better practice to disable IPv6 at the system level. See the Disabling IPv6 in Apple macOS, OS X and Mac OS X article in the IP Transport section.
Enabling IPv6 in Microsoft Windows-based Firewalls
Most of the settings available in the basic Windows Firewall are IP-agnostic, so filtering rules apply equally to IPv4 and IPv6. This has been the case since the Windows Firewall became IPv6-aware in Windows XP Service Pack 2. Even in Windows Firewall with Advanced Security, most filtering rules are still either port-oriented (specified IP ports) or application-oriented (specified applications that use those ports).
The predefined Inbound and Outbound Rules are IP-agnostic by default. Only Scope Settings made when configuring custom Inbound or Outbound Rules will be IP-protocol specific (specified IPv4 or IPv6 addresses or address ranges in the Scope Settings tab). Making Scope Settings in different Microsoft Windows versions is done as follows:
XP is shown here,
XP SP2 and SP3 is shown here,
Vista is shown here,
Windows 7 is shown here,
Windows 8/8.1 is shown here,
and Windows 10/11 is shown here and here.
Documentation for Scope Settings in different Microsoft Windows versions is available as follows:
XP SP2 and SP3 is available here,
Vista, Server 2008, Windows 7, and Server 2008 R2 is available here,
Windows Server 2012 is available here, and
Windows Server 2016 (and later) and Windows 8 (and later) is available here.
Disabling IPv6 in Microsoft Windows-based Firewalls
Rather than disabling IPv6 in the firewall (for the few individual custom Inbound or Outbound Rules that may have been configured as IP-protocol specific), it is a better practice to selectively disable it in the operating system. See the “Disabling IPv6 in Microsoft Windows” article for the appropriate version of Windows in the IP Transport section.
