Technical Tip: How to apply UTM to NAT64 traffic
Description
UTM is not available on NAT64 policies, so a native IPv6 VDOM is required: UTM inspection is applied by IPv6 policies in that VDOM before the traffic is handed, over an inter-VDOM link, to the VDOM that performs NAT64.
This article describes how to apply UTM to NAT64 traffic.
Solution
To accomplish UTM filtering, use VDOMs:
An IPv6 VDOM that uses plain IPv6 policies with UTM profiles and routes the traffic, over an IPv6 inter-VDOM link, to the VDOM that has IPv4 Internet access.
In the VDOM with IPv4 Internet access, apply the NAT64 policies.
Initial considerations:
- VDOM root has Internet access.
- VDOM TransIPv6 is the VDOM with native IPv6 networks/support.
- Some interface configuration is omitted, as it depends on the platform (physical or VLAN interface).
- Create a transit VDOM
# config vdom
edit TransIPv6
end
- Create Inter-VDOM link
# config global
# config vdom
edit TransIPv6
config system dhcp6 server
edit 1
set rapid-commit enable
set lease-time 300
set interface "LAN"
config ip-range
edit 1
set start-ip 2001:470:4b:37c::1000
set end-ip 2001:470:4b:37c::100a
next
end
set dns-server1 2001:470:4b:37c:1000::2
next
end
config router static6
edit 1
set gateway 2001:470:4b:37c:1000::2
set device "ip640"
next
end
# config firewall policy6
edit 1
set srcintf "LAN"
set dstintf "ip640"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set webfilter-profile "myWebFilter"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
next
edit 2
set srcintf "ip640"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "my_6server"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ips-profile "protect_server"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
next
end
end
- Configure root VDOM network settings
# config vdom
edit root
config system nat64
set status enable
end
config system dns-server
edit "ip641"
next
end
config firewall address6
edit "l_IPv6"
set ip6 2001:470:4b:37c::/72
next
end
config firewall ippool
edit "nat64_pool"
set type port-block-allocation
set startip 201.123.235.10
set endip 201.123.235.50
next
end
config router static6
edit 1
set dst 2001:470:4b:37c::/72
set gateway 2001:470:4b:37c:1000::1
set device "ip641"
next
end
# config firewall policy64
edit 1
set srcintf "ip641"
set dstintf "WAN"
set srcaddr "l_IPv6"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "nat64_pool"
next
end
# config firewall policy64
edit 1
set srcintf "WAN"
set dstintf "ip641"
set srcaddr "all"
set dstaddr "server_VIP64"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
UTM is not available on NAT64 policies, so a native IPv6 VDOM is required: UTM inspection is applied by IPv6 policies in that VDOM before the traffic is handed, over an inter-VDOM link, to the VDOM that performs NAT64.
This article describes how to apply UTM to NAT64 traffic.
Solution
To accomplish UTM filtering, use VDOMs:
An IPv6 VDOM that uses plain IPv6 policies with UTM profiles and routes the traffic, over an IPv6 inter-VDOM link, to the VDOM that has IPv4 Internet access.
In the VDOM with IPv4 Internet access, apply the NAT64 policies.
Initial considerations:
- VDOM root has Internet access.
- VDOM TransIPv6 is the VDOM with native IPv6 networks/support.
- Some interface configuration is omitted, as it depends on the platform (physical or VLAN interface).
- Create a transit VDOM
# config vdom
edit TransIPv6
end
- Create Inter-VDOM link
# config global
# config system vdom-link
- Configure Transit VDOM network settings
edit "ip64"
next
end
# config system interface
edit "ip640"
set vdom "TransIPv6"
set type vdom-link
config ipv6
set ip6-allowaccess ping
set ip6-address 2001:470:4b:37c:1000::1/72
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit 2001:470:4b:37c::/64
next
end
end
next
edit "ip641"
set vdom "root"
set type vdom-link
config ipv6
set ip6-allowaccess ping
set ip6-address 2001:470:4b:37c:1000::2/72
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit 2001:470:4b:37c::/64
next
end
end
next
edit "LAN"
set vdom "TransIPv6"
config ipv6
set ip6-allowaccess ping
set ip6-address 2001:470:4b:37c::1/72
set ip6-send-adv enable
set ip6-manage-flag enable
set ip6-other-flag enable
config ip6-prefix-list
edit 2001:470:4b:37c::/72
next
end
end
next
edit "WAN"
set vdom "root"
set ip 201.123.235.1 255.255.255.0
set allowaccess ping https
set vlanforward enable
set type physical
set snmp-index 31
next
end
# config vdom
edit TransIPv6
config system dhcp6 server
edit 1
set rapid-commit enable
set lease-time 300
set interface "LAN"
config ip-range
edit 1
set start-ip 2001:470:4b:37c::1000
set end-ip 2001:470:4b:37c::100a
next
end
set dns-server1 2001:470:4b:37c:1000::2
next
end
config router static6
edit 1
set gateway 2001:470:4b:37c:1000::2
set device "ip640"
next
end
# config firewall policy6
edit 1
set srcintf "LAN"
set dstintf "ip640"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set webfilter-profile "myWebFilter"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
next
edit 2
set srcintf "ip640"
set dstintf "DMZ"
set srcaddr "all"
set dstaddr "my_6server"
set action accept
set schedule "always"
set service "ALL"
set utm-status enable
set ips-profile "protect_server"
set profile-protocol-options "default"
set ssl-ssh-profile "certificate-inspection"
next
end
end
- Configure root VDOM network settings
# config vdom
edit root
config system nat64
set status enable
end
config system dns-server
edit "ip641"
next
end
config firewall address6
edit "l_IPv6"
set ip6 2001:470:4b:37c::/72
next
end
config firewall ippool
edit "nat64_pool"
set type port-block-allocation
set startip 201.123.235.10
set endip 201.123.235.50
next
end
config router static6
edit 1
set dst 2001:470:4b:37c::/72
set gateway 2001:470:4b:37c:1000::1
set device "ip641"
next
end
# config firewall policy64
edit 1
set srcintf "ip641"
set dstintf "WAN"
set srcaddr "l_IPv6"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "nat64_pool"
next
end
# config firewall policy64
edit 1
set srcintf "WAN"
set dstintf "ip641"
set srcaddr "all"
set dstaddr "server_VIP64"
set action accept
set schedule "always"
set service "ALL"
set nat enable
next
end
