Minor Palo Alto Bug concerning IPv6 MGT

A few months ago I found a small bug in PAN-OS, the operating system from Palo Alto Networks. It is related to an IPv6 enabled management interface. The MGT address was not reachable when the firewall operates in layer 2 mode, that is, had layer 2 interfaces along with VLANs. Luckily, this bug is fixed with the new software version 6.1.2 which was released this week (bug ID 67719).

Following are a few listings that show the incomplete handling of the IPv6 neighbor cache of the MGT interface in the old version (pre 6.1.2).

I was using the layer 2 mode for some switch tests about STP. During these tests, I noticed that I was not able to connect to the MGT interface via IPv6 anymore.

The Palo Alto in my lab has a VLAN interface (vlan.120) and the corresponding VLAN on a layer 2 subinterface. The management port is plugged into a switch in the same VLAN. The IPv6 address on the MGT interface is 2003:51:6012:120::2/64 .

Bug

For example, when trying to ping or to ssh to the MGT interface from another machine …

… the neighbor cache did not show the MGT IPv6 address:

 

However, I was able to ping from that MGT interface IPv6 address. Interestingly, the neighbor cache revealed the ::2 address, but only with the status “PROBE” and only for a very few seconds:

 

The traffic log on the Palo Alto shows that incoming connections did not succeed, while outgoing connections did:

Palo Alto IPv6 MGMT interface pings

Fixed in 6.1.2

with bug ID 67719: “The management interface was not receiving IPv6 connections for traffic from the dataplane when the firewall was in Layer 2 mode. An update was made to the MAC address learning process so that the Management interface receives IPv6 traffic from the dataplane when the firewall is in Layer 2 mode.”

Now I can ping to the IPv6 MGT address:

And the neighbor cache correctly shows the REACHABLE/STALE neighbor:

Cheers!

Leave a Reply

Your email address will not be published. Required fields are marked *