Deploy Edge SWG as an IPv6 Transitional Device

Article ID: 165641


Products

Mobility Threat Protection ProxySG Software - SGOS

Issue/Introduction

 

To deploy the ProxySG as an IPv6 transitional device, it must be able to understand both IPv4 and IPv6, so it needs to be configured with both IPv4 and IPv6 addresses. The following steps are typically required for any IPv6 deployment.

After this basic configuration, refer to the appropriate IPv6 deployment type:

Deploy SGOS IPv6 Proxy as a Reverse Proxy Appliance

Deploy SGOS IPv6 Proxy as an Explicit Forward Proxy Appliance in the Internet Gateway

Deploy SGOS IPv6 Proxy in a Transparent Deployment

Use IPv6 Connection Forwarding Clusters

Use Multiple Edge SWG Devices to Provide Failover in an IPv6 Environment
 

Resolution

  1. Configure the Edge SWG with both IPv4 and IPv6 addresses. All interfaces on the Edge SWG are already configured to auto-generate a link-local IPv6 address. This provides a starting point for IPv6 connectivity in the same network segment. However, a proxy typically needs a global IPv6 address to reach beyond the first-hop router. This requires the user to enter a global IPv6 address:

    #(config interface 0:0)ip-address <ipv6-address> <prefix-len>

    In IPv4, the default subnet mask is 255.255.255.0; in IPv6, the default prefix length is 64.  It is possible to have a prefix length other than 64 bits.
     
  2. Configure the IPv6 default gateway:

    #(config)ip-default-gateway <ipv4 or ipv6 address>

    The default gateway can be a global or link-local address. For a link-local address, the Edge SWG uses the “adapter:interface” format to indicate the scope id. For example, if the router’s link-local address is “fe80::1” and is local to the interface “1:0” on the Edge SWG, the syntax to add this router as the default gateway is:

    #(config)ip-default-gateway fe80::1%1:0  

    This scope id format applies to any other CLI commands where a link-local address can be accepted.
     
  3. Configure the DNS server. The DNS server needs to be able to respond to IPv6 queries, also known as AAAA queries. This should not be confused with the DNS server listening on an IPv6 address, which is not a requirement. For example, Google Inc’s public DNS server 8.8.8.8 listens only on an IPv4 address, but is capable of serving both A and AAAA queries. On the Edge SWG, both IPv4 and IPv6 DNS server address formats are supported with the same CLI command:

    #(config)dns-forwarding
    #(config dns-forwarding)edit primary
    #(config dns-forwarding primary)add server <ipv4 or ipv6 address>

    The actual DNS query method is controlled by policy. It is important to note that using an IPv6 DNS address does not automatically make the Edge SWG send out AAAA queries to that DNS server. There are four different DNS lookup methods supported by the Edge SWG: ipv4-only, ipv6-only, prefer-ipv6 and prefer-ipv4. These are the policy triggers that can be used as shown here:

    <Proxy>
    server_url.dns_lookup(prefer-ipv6)


    By default, the Edge SWG uses “prefer-ipv4” as its DNS lookup method.
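
As an added example (not part of the original article or the product), the following Python pre-check validates a candidate argument for the `ip-default-gateway` command from step 2 against the “adapter:interface” scope id format before it is typed into the CLI. The function name, the numeric scope pattern and the two rejection rules marked in the comments are assumptions of this example.

```python
import ipaddress
import re

# Scope id in the article's "adapter:interface" form, e.g. "1:0".
# Assumption: both parts are decimal numbers, as in the article's examples.
SCOPE_RE = re.compile(r"\d+:\d+")


def check_gateway(arg):
    """Classify an ip-default-gateway argument before it is typed in.

    Returns (kind, scope): kind is "ipv4", "ipv6" or "ipv6-link-local".
    Raises ValueError when the argument is malformed or ambiguous.
    """
    addr_text, sep, scope = arg.strip().partition("%")
    addr = ipaddress.ip_address(addr_text)  # ValueError if not an IP address
    if addr.version == 6 and addr.is_link_local:
        # fe80::/10 exists on every interface, so this check insists on a
        # scope id (a rule of this example, not quoted from the product).
        if not sep:
            raise ValueError(f"{arg}: link-local gateway needs %adapter:interface")
        if not SCOPE_RE.fullmatch(scope):
            raise ValueError(f"{arg}: scope id must look like 1:0")
        return ("ipv6-link-local", scope)
    if sep:
        # Rule of this example: a scope id only makes sense on fe80::/10.
        raise ValueError(f"{arg}: scope id on a non-link-local address")
    return ("ipv4" if addr.version == 4 else "ipv6", None)


if __name__ == "__main__":
    # Constructed sample input; 2001:db8::/32 and 192.0.2.0/24 are
    # documentation ranges, not real gateways.
    samples = ["fe80::1%1:0", "2001:db8::1", "192.0.2.1", "fe80::1", "fe80::1%eth0"]
    for candidate in samples:
        try:
            print(candidate, "->", check_gateway(candidate))
        except ValueError as err:
            print("rejected:", err)
```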