Since IPv6 is becoming more and more important, I enable it by default on all of my test firewalls, all of which support it. When it comes to the available functions and how they are administered, however, the firewalls differ significantly.
Here is my short evaluation of the IPv6 functions on four firewalls: Cisco ASA, Fortinet FortiGate, Juniper SSG (ScreenOS), and Palo Alto.
Criteria
I was interested only in basic IPv6 usage, not in the usual firewall feature categories:
- Interface: Can the global IPv6 address and the link-local address be configured?
- Router Advertisement and DHCPv6: Whether the firewall supports nothing (--), Router Advertisements only (-), DHCPv6 relay (ο), stateless DHCPv6 (+), or a stateful DHCPv6 server (++). Stateless DHCPv6 is vital for delivering the IPv6 addresses of the DNS servers to the clients, because the alternative, the "IPv6 Router Advertisement Options for DNS Configuration" (RDNSS, RFC 6106, since replaced by RFC 8106), is not supported by any of these devices.
- Security Policy: Whether IPv4 and IPv6 addresses can be used in the same policy (++) or separate policies per protocol are required (--), and whether address groups can contain objects from both protocols.
- Administration: How easy are the IPv6 functions to manage? Only via the CLI (--), fifty-fifty (ο), via the GUI but complicated (+), or fully via the GUI (++).
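The RA/DHCPv6 criterion is decided by what the firewall actually puts into its Router Advertisements: the M flag sends clients to a stateful DHCPv6 server, the O flag to stateless DHCPv6, and an RDNSS option would carry the DNS servers in the RA itself. The following script is an added example written for this page, not code from the original post or from any of the four vendors. It parses the ICMPv6 payload of an RA, extracts the flags and the Prefix Information, MTU and RDNSS options, and maps the result onto the scale above. The sample RAs are constructed inside the script (no checksum, not captures from the test firewalls); in practice you would feed it the ICMPv6 bytes from a capture such as `tcpdump -i eth0 'icmp6 and ip6[40] == 134'`. Note the caveat: the RA only shows what clients are asked to do; whether a DHCPv6 server or relay actually answers is a separate test.

```python
import ipaddress
import struct

# ICMPv6 Router Advertisement (RFC 4861 section 4.2) and the option types handled here
ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFO = 3     # RFC 4861 section 4.6.2
OPT_MTU = 5             # RFC 4861 section 4.6.4
OPT_RDNSS = 25          # RFC 6106 section 5.1
RA_FLAG_MANAGED = 0x80  # M: get addresses (and DNS) from a stateful DHCPv6 server
RA_FLAG_OTHER = 0x40    # O: get "other" config such as DNS via stateless DHCPv6


def parse_ra(payload: bytes) -> dict:
    """Parse the ICMPv6 payload of a Router Advertisement into a dict.

    Malformed input raises ValueError instead of being guessed at; a host that
    silently skips bad options is exactly what a rogue-RA sender hopes for.
    """
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement header")
    msg_type, code, _cksum, hop_limit, flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", payload[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError(f"not a Router Advertisement (type {msg_type}, code {code})")
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & RA_FLAG_MANAGED),
        "other_config": bool(flags & RA_FLAG_OTHER),
        "router_lifetime": lifetime,
        "prefixes": [],
        "rdnss": [],
        "mtu": None,
    }
    offset = 16
    while offset < len(payload):
        if len(payload) - offset < 2:
            raise ValueError("truncated option header")
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option with length 0 (forbidden by RFC 4861)")
        end = offset + opt_len * 8  # option length is in units of 8 octets
        if end > len(payload):
            raise ValueError("option runs past the end of the message")
        body = payload[offset + 2:end]
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            plen, pflags, valid, preferred, _res = struct.unpack("!BBIII", body[:14])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "on_link": bool(pflags & 0x80),     # L flag
                "autonomous": bool(pflags & 0x40),  # A flag: SLAAC allowed on this prefix
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        elif opt_type == OPT_RDNSS and opt_len >= 3 and opt_len % 2 == 1:
            addrs = body[6:]  # 2 reserved + 4 lifetime bytes, then n * 16-byte addresses
            ra["rdnss"].extend(str(ipaddress.IPv6Address(addrs[i:i + 16]))
                               for i in range(0, len(addrs), 16))
        elif opt_type == OPT_MTU and opt_len == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        # unknown options (source link-layer address, DNSSL, ...) are skipped as RFC 4861 requires
        offset = end
    return ra


def classify(ra: dict) -> str:
    """Map what the RA asks clients to do onto the page's RA/DHCPv6 scale."""
    if ra["rdnss"]:
        return "RDNSS: DNS servers delivered in the RA itself (RFC 6106), no DHCPv6 needed"
    if ra["managed"]:
        return "++ M flag set: clients will ask a stateful DHCPv6 server for address and DNS"
    if ra["other_config"]:
        return "+ O flag set: clients use SLAAC for the address and stateless DHCPv6 for DNS"
    return "- RA only: clients get SLAAC addresses but learn no DNS server"


def is_well_formed(payload: bytes) -> bool:
    """True if parse_ra accepts the payload (used to exercise the truncation checks)."""
    try:
        parse_ra(payload)
        return True
    except ValueError:
        return False


def build_ra(managed=False, other=False, prefix="2001:db8:1::", plen=64, rdnss=()) -> bytes:
    """Construct a sample RA for offline testing (checksum left zero; not a real capture)."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    msg = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, flags, 1800, 0, 0)
    # Prefix Information with L and A set, valid 30 days, preferred 7 days
    msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, plen, 0xC0, 2592000, 604800, 0)
    msg += ipaddress.IPv6Address(prefix).packed
    if rdnss:
        msg += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 3600)
        for server in rdnss:
            msg += ipaddress.IPv6Address(server).packed
    return msg


if __name__ == "__main__":
    samples = {
        "RA only (no DNS)": build_ra(),
        "stateless DHCPv6": build_ra(other=True),
        "stateful DHCPv6": build_ra(managed=True, other=True),
        "RDNSS in RA": build_ra(rdnss=("2001:db8:1::53",)),
    }
    for label, raw in samples.items():
        ra = parse_ra(raw)
        print(f"{label:18} prefixes={[p['prefix'] for p in ra['prefixes']]} -> {classify(ra)}")
```

The parser rejects truncated options and zero-length options rather than skipping them, which is the behaviour you want in a tool used to audit what a gateway advertises; a real host stack must do the same to avoid being steered by a crafted RA.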
Results
These are the results, on a scale from -- via ο to ++.

| | Cisco ASA | Fortinet FortiGate | Juniper SSG (ScreenOS) | Palo Alto |
|---|---|---|---|---|
| Version | 9.2(3) | 5.2.2 | 6.3.0r18.0 | 6.1.3 |
| Interface | ++ | + | ++ | ++ |
| RA, DHCPv6 | - | ++ | + | ο |
| Security Policy | ++ | -- | -- | ++ |
| Administration | + | -- | + | ++ |
Details
Cisco ASA
The Cisco ASA runs no DHCPv6 server. That means there is no way to run an IPv6-only network behind it, because clients will not learn a DNS server. The security policy handles both protocols in the same rule. Everything is configurable via the GUI (ASDM), which is not the best GUI around.
Fortinet FortiGate
The FortiGate is the only one of the four with a stateful DHCPv6 server. Great. However, two distinct security policies (one per protocol) must be maintained, and apart from static addresses, none of the IPv6 settings can be configured via the GUI. What?!
Juniper SSG (ScreenOS)
ScreenOS is dead. Still, most of the IPv6 functions work quite well, except for the protocol-dependent security policies. Everything is accessible via the GUI, though sometimes in confusing places.
Palo Alto
Palo Alto did a good job on the IPv6 interfaces and the security policies. The GUI is quite intuitive and a single policy accepts both protocols at the same time. Unfortunately, there is no DHCPv6 server, which makes it impossible to operate an IPv6-only client network behind a Palo Alto without an additional DHCPv6 server.
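The Security Policy ratings above separate two designs: one rule table whose address groups mix IPv4 and IPv6 objects (ASA, Palo Alto), versus one table per protocol that has to be kept in sync by hand (FortiGate, ScreenOS). The following Python is an added illustration written for this page; it is neither the post's own material nor any vendor's policy syntax. It models both designs, shows that a mixed group matches whichever family a flow uses, and provides the check the split design needs: which IPv4 allow rules have no IPv6 twin. The rules, the addresses and the convention of pairing rules by name are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def addr_group(*cidrs: str) -> FrozenSet[Network]:
    """An address group; may mix IPv4 and IPv6 objects (the ASA / Palo Alto model)."""
    return frozenset(ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: FrozenSet[Network]
    dst: FrozenSet[Network]
    dport: Optional[int] = None  # None means any destination port


def first_match(policy: List[Rule], src: str, dst: str, dport: int) -> Optional[Rule]:
    """Return the first rule matching a flow, or None (implicit deny).

    ipaddress answers False for 'address in network' across families, so a
    mixed group matches whichever family the flow uses without special-casing,
    and an IPv4-only table can never match IPv6 traffic.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        if (any(s in n for n in rule.src) and any(d in n for n in rule.dst)
                and rule.dport in (None, dport)):
            return rule
    return None


def missing_v6_counterparts(v4_policy: List[Rule], v6_policy: List[Rule]) -> List[str]:
    """For split tables: allow rules in the IPv4 table with no IPv6 rule of the same
    name, action and port. Pairing by name is this example's convention (assumption),
    not something either vendor enforces."""
    return [r.name for r in v4_policy if r.action == "allow" and not any(
        v.name == r.name and v.action == r.action and v.dport == r.dport
        for v in v6_policy)]


# Constructed sample policies. One table with mixed address groups ...
MIXED_POLICY = [
    Rule("web-out", "allow", addr_group("10.0.1.0/24", "2001:db8:1::/64"),
         addr_group("0.0.0.0/0", "::/0"), 443),
    Rule("dns-out", "allow", addr_group("10.0.1.0/24", "2001:db8:1::/64"),
         addr_group("192.0.2.53/32", "2001:db8:ffff::53/128"), 53),
]
# ... versus two tables, where the IPv6 one is already missing a rule.
V4_POLICY = [
    Rule("web-out", "allow", addr_group("10.0.1.0/24"), addr_group("0.0.0.0/0"), 443),
    Rule("dns-out", "allow", addr_group("10.0.1.0/24"), addr_group("192.0.2.53/32"), 53),
]
V6_POLICY = [
    Rule("web-out", "allow", addr_group("2001:db8:1::/64"), addr_group("::/0"), 443),
]

if __name__ == "__main__":
    for table, policy in (("mixed table", MIXED_POLICY), ("IPv6 table", V6_POLICY)):
        hit = first_match(policy, "2001:db8:1::7", "2001:db8:ffff::53", 53)
        print(f"{table}: IPv6 DNS flow -> {hit.name if hit else 'no match (implicit deny)'}")
    print("IPv4 allow rules without an IPv6 twin:", missing_v6_counterparts(V4_POLICY, V6_POLICY))
```

The split-table audit is the part worth keeping around: when a vendor forces two policies, the usual failure is not a wrong rule but a rule that exists only for IPv4, and the IPv6 clients then land on the implicit deny (or, if a broad IPv6 rule was added to "make it work", on something far too permissive).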
Conclusion
It is interesting to see the differences between these firewalls. While the Fortinet and Juniper firewalls support the whole SLAAC process including delivery of the DNS servers (via stateless DHCPv6), they have no single security policy for both protocols and are horrible to configure.
The Palo Alto is quite easy to configure but lacks the DHCPv6 server. The same goes for the Cisco.
In summary, all four firewalls land in the middle of my scale. From an IPv6-only point of view I cannot say which one is the best. It depends…
Cisco was behind on network security for a long time when it came to firewalls. They attempted to create their own version of a Next Generation Firewall, which didn't quite make it; however, with the acquisition of Sourcefire, Cisco stepped up their game. Cisco didn't waste time and started integrating Sourcefire with the ASA, which is a winning combination. Cisco has a vast installed base in the network security market, and incorporating Sourcefire into the ASA is a win-win for many reasons:
- You can still use the Cisco ASA configuration you are trained on and benefit from the many features of legacy (protocol/port based) firewalling.
- Your staff don't need to relearn a new solution from scratch.
- The VPN your employees and vendors have relied on for a long time doesn't need to be redone, which would be a big headache if you rely heavily on VPN in your operation.
- You can easily integrate Next Generation features into your existing setup without major reconfiguration.
Features Comparison between Palo Alto and Cisco Next Generation Firewall

| Feature | Cisco | Palo Alto |
|---|---|---|
| Application Visibility | Yes | Yes |
| Stateful Firewalling | Yes | Yes |
| IPS functionality | Yes | Yes |
| IPsec VPN | Yes | Yes |
| IPsec VPN tunnel interfaces | No | Yes |
| SSL VPN | Yes – full SSL VPN | Yes – limited |
| Dynamic Routing – RIP | Yes | Yes |
| Dynamic Routing – OSPF | Yes | Yes |
| Dynamic Routing – BGP | Yes (version 9.4) | Yes |
| Policy based routing | Yes – limited | Yes – far superior |
| Dynamic routing over tunnel interfaces | No | Yes – far superior |
| Antivirus protection | Yes – based on Snort signatures | Yes – proprietary |
| Advanced Malware Protection | Yes – sandboxing / crowdsourcing | Yes – sandboxing / crowdsourcing |
| Sandboxing | Yes – FireAMP and AMP | Yes – WildFire |
| URL Filtering | Yes | Yes |
| SSL Decryption | Yes – additional appliance | Yes – built in |
| Overall Compliance Visibility | Yes | No |
As you can see there is a lot of feature parity between the two products; however, Cisco has two further advantages:
1. Cisco, as you know, pretty much controls the routing and switching space.
2. Cisco can integrate Sourcefire with Cisco ISE for end-to-end security.
Check out my Udemy class on the Cisco Sourcefire solution, which explores many of its advanced features.
Not sure if you realize this, but you can configure IPv6 on FortiGates from the GUI.
It's disabled by default as not many people use it, which saves on screen clutter.
To enable it, go to System > Config > Features and enable and apply IPv6. There's an additional option on this page to enable NAT46 and NAT64 in the GUI, too.
Hi Allan,
yes, I know this button and have enabled it. But unfortunately it only gives very basic possibilities for IPv6 configuration: only the static IPv6 address can be configured, but nothing like Router Advertisements, DHCPv6, OSPFv3, etc.
Thanks for providing point-to-point information on this page. For any further details on Juniper, you can visit http://www.golarsnetworks.com/