topic Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule in Hyperscale Firewall (Maestro)

Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Surendra — Tue, 03 Sep 2024 11:21:51 GMT

Hi Team

we have NAT 64 rule for Ipv6 to Ipv4 communication, Ipv6 sources are able to communicate when we give ANY in destination in access rule. if we give specific ipv4 host or network it is not hitting the rule since request is looking for embedded ipv6 address in access rule.

source ip : ipv6 address

destination ip : 64:FF9B::/96

original destination is 190.x.x.x

check point firewall is not able to convert embedded ipv6 to original ipv4

please suggest us, how to fix ipv6 to ipv4 communication issue.

Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Chris_Atkinson — Tue, 03 Sep 2024 12:12:16 GMT

Which version/JHF are used in this deployment - have you opened a TAC case?

Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Tom_Kendrick — Tue, 03 Sep 2024 12:36:31 GMT

Hi, this does work, but it's not simple 🙂

You need to use something (like Unbound) that will help you with DNS64, so that the address you request is converted to the embedded 64 version, and then use a special NAT rule, to take the traffic destined to the NAT64 addresses, and switch them to hide behind a IPv4 address (while also extracting the embedded IPv4 address from the IPv6 destination address) - If you're not confused, you are doing well!

Its discussed / documented here: https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SecurityManagement_AdminGuide/Topics-SECMG/Working_with_NAT64_Rules.htm

This was from within an isolated environment (so IP's are not public) when testing with breaking point. You need to make sure the NAT rule is set correctly - like this....

Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Surendra — Wed, 04 Sep 2024 05:23:50 GMT

Maestro device, version is R81.10 and JHF is Take 139.

yes raised case with CP, they said R&D team is working on that feature that conversion from 64:ff9b:xxx:xxxx hexa to original ipv4.

Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

Surendra — Wed, 04 Sep 2024 05:30:48 GMT

we have created the NAT64 rule and it is working fine when we keep ANY in destination in access rule.

if we keep ipv4 in destination in access rule it is not hitting that rule.

original reqauest

Src IP = Configured IPv6 address
Dst IP = IPv4 embedded IPv6 address returned by DNS64 server

but in security rule we have kept original destination ipv4 address so checkpoint will look for 64:ff9b:xx:xx/96 in destionation since it is not in rule it is not hitting that rule.

the firewall is capable of performing the translation from IPv6 to IPv4 regardless of if this was done by a DNS64 server or by some other method, as long as the IPv4 address is embedded into the IPv6 address

Re: Ipv6 to Ipv4 communication is not happening when we give ipv4 destination in security rule

PhoneBoy — Wed, 04 Sep 2024 17:19:18 GMT

If you want this to work as expected, you will need to put the IPv6 version of the IPv4 address in your Access Rule.
Otherwise, this won't work.
https://support.checkpoint.com/results/sk/sk113175