
IPv6 to IPv4 firewall rules with explicit proxy

When your IPv6-only network communicates with IPv4-only destinations and your deployment uses explicit proxy mode, the firewall requires both an IPv6 rule and an IPv4 rule to process the traffic.

In explicit proxy mode, users' clients (browsers) must be configured to send requests directly to the web proxy. The clients are aware of the proxy.

  • IPv6 rule: Evaluates IPv6 traffic from the internal endpoint to the firewall and forwards it to the web proxy component, which then performs DNS resolution.

    The Web filtering settings in this rule apply to the traffic.

  • IPv4 rule: When the domain only resolves to an IPv4 address, the web proxy forwards the traffic to the destination using an IPv4 rule.

    The Other security features, such as application control and intrusion prevention, in this rule apply to this traffic.

Note

The firewall evaluates the Match known users settings in both firewall rules. For users with IPv6-only endpoints, specify the settings in the IPv6 firewall rule.

Example scenario

This article uses the following example scenario: IPv6-only LAN users try to access the website example.com, which is in the WAN zone.

Network diagram for explicit proxy firewall rules.

The following rule configurations use example settings.

Add an IPv6 firewall rule

The rule allows traffic from the internal network to the firewall's WAN interface. This rule applies the web filtering and user settings to the traffic.

  1. Go to Rules and policies > Firewall rules and click IPv6.
  2. Click Add firewall rule and click New firewall rule.
  3. Enter a name.
  4. Under Source zones, select a zone, for example, LAN.

    For source hosts in the DMZ or VPN zones, you can select these zones or Any.

  5. Under Source networks and devices, select the LAN subnet to allow its outbound traffic.

  6. Under Destination zones, select WAN.

    To send the traffic to the web proxy component, the firewall needs to tag it as WAN. So you must set the destination zone only to WAN or Any, even if the destination server is in the LAN or DMZ zone.

  7. Under Destination networks, select the IP or FQDN host for the server or website, for example, example.com.

    Alternatively, select Any.

  8. Under Services, select Any.

    Note

    To select the explicit proxy port instead of Any, add a service host for the port specified on Web > General settings, under Web proxy listening port. The default port is TCP 3128.

    Make sure the endpoints' OS or browser settings are configured with this protocol and port.

    IPv6 firewall rule settings.

  9. (Optional) Select Match known users and add the users or groups.

    For IPv6-only endpoints, select these settings in this rule.

  10. (Optional) Click Web filtering, and select a web policy.

  11. Click Save.

Add an IPv4 firewall rule

Add an IPv4 firewall rule for traffic from the firewall to the IPv4 destination. This rule applies the security policies to the traffic.

  1. Go to Rules and policies > Firewall rules and click IPv4.
  2. Click Add firewall rule and click New firewall rule.
  3. Enter a name.
  4. Under Source zones, select Any.
  5. Under Source networks and devices, select Any.
  6. Under Destination zones, select WAN.

    You can select any zone based on the destination server's location.

  7. Under Destination networks, select the destination server's IPv4 host or domain, for example, example.com.

    Alternatively, select Any.

  8. Under Services, select the destination server's services, for example, HTTP and HTTPS.

    Alternatively, select Any.

    IPv4 firewall rule settings.

  9. (Optional) Under Other security features, select the following policies:

    1. Select an App control policy.
    2. Select an Intrusion prevention policy.
    3. Under Shape traffic, select a traffic shaping policy.
  10. Click Save.
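
The split of settings between the two rules, expressed as a consistency check. This is an added example, not Sophos code; the rule dictionaries are a hypothetical layout (not a Sophos export or API format), and the policy and group names are constructed.

```python
# Added example: the rule dicts are a hypothetical layout for illustration,
# not a Sophos export or API format. Policy and group names are constructed.
DEFAULT_PROXY_PORT = 3128  # default "Web proxy listening port" per this page


def lint_explicit_proxy_rules(v6, v4, proxy_port=DEFAULT_PROXY_PORT):
    """Check an IPv6/IPv4 rule pair for IPv6-only clients; return findings."""
    findings = []

    # IPv6 leg: endpoint -> firewall -> web proxy component.
    zones = set(v6["dst_zones"])
    if not zones or not zones <= {"WAN", "Any"}:
        findings.append("IPv6 rule: destination zone must be WAN or Any only")
    if v6["services"] != "Any" and ("tcp", proxy_port) not in v6["services"]:
        findings.append(f"IPv6 rule: services must be Any or include TCP {proxy_port}")

    # Settings the page assigns to the IPv6 rule.
    if v4.get("web_policy") and not v6.get("web_policy"):
        findings.append("web_policy is only on the IPv4 rule; "
                        "web filtering is taken from the IPv6 rule")
    if v4.get("known_users") and not v6.get("known_users"):
        findings.append("known_users is only on the IPv4 rule; "
                        "IPv6-only endpoints need it on the IPv6 rule")

    # Settings the page assigns to the IPv4 rule (web proxy -> destination).
    for feature in ("app_control", "ips"):
        if v6.get(feature) and not v4.get(feature):
            findings.append(f"{feature} is only on the IPv6 rule; "
                            "it is taken from the IPv4 rule")
    return findings


# Constructed pair that follows the example settings in the procedures above.
GOOD_V6 = {"dst_zones": ["WAN"], "services": "Any",
           "web_policy": "example-web-policy", "known_users": ["example-group"]}
GOOD_V4 = {"dst_zones": ["WAN"], "services": [("tcp", 80), ("tcp", 443)],
           "app_control": "example-app-policy", "ips": "example-ips-policy"}

# Constructed pair with each setting on the wrong leg.
BAD_V6 = {"dst_zones": ["LAN"], "services": [("tcp", 8080)],
          "ips": "example-ips-policy"}
BAD_V4 = {"dst_zones": ["WAN"], "services": [("tcp", 80), ("tcp", 443)],
          "web_policy": "example-web-policy", "known_users": ["example-group"]}

if __name__ == "__main__":
    for finding in lint_explicit_proxy_rules(BAD_V6, BAD_V4):
        print("FINDING:", finding)
```

If the web proxy listening port was changed on Web > General settings, pass that value as `proxy_port`.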
