Since IPv6 gets more and more important, I am using it by default on all my test firewalls, which of course support IPv6. However, when comparing the different functions and administration capabilities, they vary significantly.
Here comes my short evaluation of the IPv6 functions on the following four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG, and Palo Alto.
I was merely interested in the basic IPv6 usage and not in the typical firewall categories:
- Interface: IPv6 address and link-local address configurable?
- Router Advertisement and DHCPv6: Whether the firewalls support nothing (–), only RA (-), DHCPv6 relay (ο), stateless DHCPv6 (+), or stateful DHCPv6 (++). The existence of stateless DHCPv6 is vital for delivering the DNS server IPv6 addresses to the clients. (The “IPv6 Router Advertisement Options for DNS Configuration”, RFC 6106, is not supported by any of these devices.)
- Security Policy: Whether IPv4 and IPv6 addresses can be used in the same policy and whether address groups can have objects from both protocols.
- Administration: How easy are the IPv6 functions to manage? Only via the CLI (–), fifty-fifty (ο), GUI but complicated (+) , or fully via the GUI (++).
These are the results. They range from — via ο to ++.
The Cisco ASA has no DHCPv6 instance running. That is: there is no way to run an IPv6-only network because clients won’t get the DNS server. The security policy is capable of both protocols. Everything is configurable via the GUI, which is not the best at all.
The FortiGate is the only firewall with a stateful DHCPv6 server. Great. However, two distinct security policies must be used and nothing of the IPv6 settings are configurable via the GUI. WHAT???
Juniper SSG (ScreenOS)
ScreenOS is dead. However, most of the IPv6 functions are working quite good, except the protocol dependent security policies. Everything is accessible via the GUI, but sometimes on confusing positions.
Palo Alto did a good job on the IPv6 interfaces and security policies. The GUI is quite intuitive and the policy accepts both protocols at the same time. Unluckily, there is no DHCPv6 server which makes it impossible to operate an IPv6-only client network behind a Palo Alto (without further servers).
It’s interesting to see the differences between those firewalls. While the Fortinet und Juniper firewalls support the whole SLAAC process incl. DNS servers, they have no single security policy for both protocols and are horrable to configure.
The Palo Alto is quite good to configure but lacks the DHCPv6 server. Same for the Cisco.
In summary, all firewalls position in the middle of my scale. From an IPv6-only view, I cannot say which one is the best. It depends….