NG Firewalls & IPv6

Jima nanog at jima.us
Wed Apr 4 05:44:54 UTC 2018


Hey Joe,

I don't know how next-gen they'd be considered, but I've had reasonably good luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent nuances, that I've found.

I do like the NAT64 support in ASA (although it sadly doesn't support the Well-Known Prefix) -- no love in ScreenOS, as far as I've ever found.

- Jima

> On Apr 2, 2018, at 16:58, Joe Klein <jsklein at gmail.com> wrote:
> 
> All,
> 
> At security and network tradeshows over the last 15 years, I have asked
> companies if their products supported "IPv6". They all claimed they did,
> but were unable to verify any successful installations. Later they told me
> it was on their "Roadmap" but were unable to provide an estimated year,
> because it was a trade secret.
> 
> Starting this last year at BlackHat US, I again visited every product
> booth, asking if their products supported dual-stack or IPv6-only
> operations. Receiving only the same unsupported answers, I decided to focus
> on one product category.
> 
> To the gurus of the NANOG community, what are your experiences with
> installing and managing Next Generation firewalls? Do they support IPv6-only
> environments? Details? Stories?
> 
> If you prefer not to disparage those poor product companies, please contact
> me off the list.
> 
> Thanks,
> 
> Joe Klein
> 
> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8

