IPv6 static route for 2000::/3 no longer possible (R80.20)

May the 4th (+4)
Roadmap Session and Use Cases for
Cloud Security, SASE, and Email Security

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

Paradigm Shifts: Adventures Unleashed!
Capture Your Adventure for a Chance to WIN!

Join the Photo Contest!

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

Hello,

following a recommendation I heard from a guy from Cisco, on an IETF conference (IPv6 working group), I have since then configured a static route for 2000::/3, while the IPv6 default route was blackholed. (As IPv6 public addresses start with 2...:: or 3...:: exclusively, a route for 2000::/3 is enough - hijacking of addresses outside that list can no longer cause harm)

This worked fine up tille and including R80.10 :

# fw ver
This is Check Point's software version R80.10 - Build 027

(extract from the configuration)

set ipv6 static-route default nexthop blackhole
set ipv6 static-route 2000::/3 comment "Route public address space only"
set ipv6 static-route 2000::/3 nexthop gateway <-my:IPv6:routers:addres-> on

To my surprise, R80.20 refuses IPv6 static routes for masks <8 !

CP helpdesk was very quick to point at sk118074, claiming this - IPv6 routes for a /3 - is not possible since R75.
(which obviously is not true, since I have R80.10's configured like that)

CP helpdesk even closed the ticket before I could point this out to them : good for their statistics, bad for customer/partner feeling ...

Given the number of people that already voted in favor of supporting R77.30 for (at least !?) another year,
I would think Check Point has more important things to fix,
rather than breaking something which worked fine up till now 😞

Sincerely,