Neighbor discovery works over the ICMPv6 Neighbor Discovery protocol, which is the functional equivalent of the IPv4 ARP protocol. The ICMPv6 Neighbor Discovery protocol must be explicitly permitted in the Access Control Rule Base for all bridged networks. This is different from ARP: ARP traffic is Layer 2 only, so it is permitted regardless of the Rule Base.
This is an example of an explicit Rule Base that permits the ICMPv6 Neighbor Discovery protocol:

| Source | Destination | Services and Applications | Action |
|---|---|---|---|
| Network object that represents the Bridged Network | Network object that represents the Bridged Network | ICMPv6 Neighbor Discovery protocol services | Accept |
A Security Gateway with a bridge interface can be configured to allow or drop protocols that are not based on IP (for example, anything other than IPv4, IPv6, or ARP) that pass through the bridge interface.
By default, these protocols are allowed by the Security Gateway.
To manage the traffic of Ethernet protocols:

1. Change the value of the global parameter fwaccept_unknown_protocol in the $FWDIR/boot/modules/fwkern.conf file:

   ```shell
   g_update_conf_file fwkern.conf fwaccept_unknown_protocol=1
   ```

2. Create the user-defined tables in the applicable user.def file (see sk98239). Example:

   ```c
   #ifndef __user_def__
   #define __user_def__

   // User defined INSPECT code

   allowed_ethernet_protocols = { <0x44,0x44> };
   dropped_ethernet_protocols = { <0x4,0x4> };

   #endif /*__user_def__*/
   ```

3. Install the Access Control Policy.
Traffic is allowed if:

- fwaccept_unknown_protocol is 1
- In the user.def file, the protocol is in the allowed_ethernet_protocols table
- In the user.def file, the protocol is NOT in the dropped_ethernet_protocols table
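The following is an added example, not code from the page or from Check Point, that models the decision above so an administrator can sanity-check a user.def before installing policy. It parses the `<lo,hi>` range tables from a constructed copy of the page's user.def snippet and evaluates a given EtherType against them. The precedence it applies (the dropped table wins, then the allowed table, then the fwaccept_unknown_protocol flag for everything else) is an assumption made for this model; the page lists the three conditions without stating how they combine, so confirm the real ordering against sk98239 before relying on it.

```python
import re

# Constructed copy of the page's user.def example (not a file read from a gateway).
USER_DEF = """
#ifndef __user_def__
#define __user_def__

// User defined INSPECT code

allowed_ethernet_protocols = { <0x44,0x44> };
dropped_ethernet_protocols = { <0x4,0x4> };

#endif /*__user_def__*/
"""

# name = { <lo,hi>, <lo,hi> };   -- one INSPECT table definition
TABLE_RE = re.compile(r"(\w+)\s*=\s*\{([^}]*)\}\s*;")
# <lo,hi> with hex or decimal bounds
RANGE_RE = re.compile(r"<\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*(0x[0-9a-fA-F]+|\d+)\s*>")


def parse_tables(text):
    """Return {table_name: [(lo, hi), ...]} for every table defined in text."""
    tables = {}
    for m in TABLE_RE.finditer(text):
        name, body = m.group(1), m.group(2)
        tables[name] = [(int(lo, 0), int(hi, 0)) for lo, hi in RANGE_RE.findall(body)]
    return tables


def in_table(ranges, ethertype):
    """True if ethertype falls inside any <lo,hi> range of the table."""
    return any(lo <= ethertype <= hi for lo, hi in ranges)


def is_allowed(ethertype, tables, accept_unknown):
    """Model of the bridge decision for a non-IP Ethernet protocol.

    Assumed precedence (not stated on the page): an explicit drop wins,
    then an explicit allow, then the global fwaccept_unknown_protocol flag.
    """
    dropped = tables.get("dropped_ethernet_protocols", [])
    allowed = tables.get("allowed_ethernet_protocols", [])
    if in_table(dropped, ethertype):
        return False
    if in_table(allowed, ethertype):
        return True
    return accept_unknown == 1


def decisions(text, accept_unknown, ethertypes):
    """Evaluate several EtherTypes at once; returns {ethertype: allowed?}."""
    tables = parse_tables(text)
    return {et: is_allowed(et, tables, accept_unknown) for et in ethertypes}


if __name__ == "__main__":
    # 0x44 and 0x4 come from the page's example; 0x1234 is a constructed
    # value present in neither table, so only the global flag decides it.
    for flag in (0, 1):
        print(f"fwaccept_unknown_protocol={flag}:",
              decisions(USER_DEF, flag, [0x44, 0x4, 0x1234]))
```

Run it on a copy of your own user.def to see which EtherTypes each table captures; the range parser is deliberately tolerant of whitespace so it handles hand-edited files.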