IPv6 Static Routes
Important - First, you must enable IPv6 Support and reboot (see System Configuration).
Configuring IPv6 Static Routes in Gaia Portal
You can configure IPv6 static routes only one route at a time.
Important - On Scalable Platforms (Maestro and Chassis), you must connect to the Gaia Portal of the applicable Security Group.
| Step | Instructions |
|---|---|
| 1 | In the navigation tree, click Network Management > IPv6 Static Routes. |
| 2 | In the IPv6 Static Routes section, click Add. |
| 3 | In the Destination / Mask Length field, enter the IPv6 address and prefix (default prefix is 64). |
| 4 | In the Next Hop Type field, select: |
| 5 | In the Rank field, leave the default value (60), or enter the relative rank of the IPv6 static route (an integer from 1 to 255). This value specifies the rank for the configured route when there are overlapping routes from different protocols. |
| 6 | In the Comment field, enter the applicable comment text (up to 100 characters). |
| 7 | In the Add Gateway section, click Add. |
| 8 | In the Gateway Address field, enter the IPv6 address of the next hop gateway. |
| 9 | In the Priority field, either do not enter anything, or select an integer between 1 and 8. Priority defines the order for selecting the next hop gateway when multiple next hop gateways are configured. The lower the priority, the higher the preference - priority 1 means the highest preference, and priority 8 means the lowest preference. A next hop gateway with no priority configured is preferred over a next hop gateway with priority configured. You cannot configure two next hop gateways with the same priority, because IPv6 Equal Cost Multipath Routes are not supported. |
| 10 | Click OK. |
| 11 | Select the Ping6 option, if you need to monitor next hops for the IPv6 static route. The Ping6 feature sends ICMPv6 Echo Requests to make sure the next hop gateway for a static route is working. |
| 12 | Click Save. |
| 13 | In the Advanced Options section, you can configure the Ping6 behavior. If you changed the default settings, you must click Apply. |
Configuring IPv6 Static Routes in Gaia Clish
Syntax
|
Note - There are no " |
Important - On Scalable Platforms (Maestro and Chassis), you must run the applicable commands in Gaia gClish of the applicable Security Group.
    set ipv6 static-route default
        comment {"Text" | off}
        nexthop
            gateway {<IPv6 Address of Next Hop Gateway> | logical} [priority <Priority>] {on | off}
            interface <Name of Local Interface> [priority <Priority>] {on | off}
            blackhole
            reject
        off
        ping6 {on | off}
        rank <Rank>

    set ipv6 static-route <Destination IPv6 Address>
        comment {"Text" | off}
        nexthop
            gateway {<IPv6 Address of Next Hop Gateway> | logical} [priority <Priority>] {on | off}
            interface <Name of Local Interface> [priority <Priority>] {on | off}
            blackhole
            reject
        off
        ping6 {on | off}
        rank <Rank>
Important - After you add, configure, or delete features, run the " |
Parameters
| Parameter | Description |
|---|---|
| | Defines the default static IPv6 route. |
| | Defines the IPv6 address of destination host or network using the CIDR notation (IPv6 Address / Mask Length). Example: Mask length must be in the range 8-128. |
| | Defines or removes the optional comment for the static route. |
| | Defines the next hop path, which can be a |
| | Specifies that this next hop accepts and sends packets to the specified destination. |
| | Specifies that this next hop drops packets, but does not send ICMP unreachable packet to the traffic source. |
| | Specifies that this next hop drops packets and sends ICMP unreachable packet to the traffic source. |
| | Defines the IPv6 address of the next hop gateway. |
| | Identifies the next hop gateway by the local interface that connects to it. Use this option only if the next hop gateway has an unnumbered interface. |
| | Defines the order for selecting the next hop gateway when multiple next hop gateways are configured. The lower the priority, the higher the preference - priority 1 means the highest preference, and priority 8 means the lowest preference. A next hop gateway with no priority configured is preferred over a next hop gateway with priority configured. You cannot configure two next hop gateways with the same priority, because IPv6 Equal Cost Multipath Routes are not supported. |
| | Adds the specified next hop gateway. |
| | Deletes the specified next hop gateway. If you specify a next hop, only the specified path is deleted. If you do not specify a next hop, the route and all related paths are deleted. |
| | Removes the static route. |
| | Enables ( The Ping6 feature sends ICMPv6 Echo Requests to make sure the next hop gateway for a static route is working. Gaia includes in the kernel forwarding table only next hop gateways, which are verified as working. When Ping6 is enabled, Gaia adds an IPv6 static route to the kernel forwarding table only after at least one next hop gateway is reachable. To configure the ping6 behavior, run: |
| | Selects a route, if there are many routes to a destination that use different routing protocols. The route with the lowest rank value is selected. Use the Accepted values are: In addition, see this command: |
    gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 on
    gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 interface eth3 on
    gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 priority 3 on
    gaia> set ipv6 static-route 3100:192::0/64 nexthop reject
    gaia> set ipv6 static-route 3100:192::0/64 nexthop blackhole
    gaia> set ipv6 static-route 3100:192::0/64 off
    gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 off
    gaia> set ipv6 static-route 3100:192::0/64 nexthop gateway 3900:172::1 interface eth3 off

    gaia> show ipv6 route static
    Codes: C - Connected, S - Static, B - BGP, Rg - RIPng, A - Aggregate,
           O - OSPFv3 IntraArea (IA - InterArea, E - External),
           K - Kernel Remnant, H - Hidden, P - Suppressed

    S    3100:55::1/64         is directly connected
    S    3200::/64             is a blackhole route
    S    3300:123::/64         is a blackhole route
    S    3600:20:20:11::/64    is directly connected, eth3
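A pre-flight check for the limits this page states (mask length 8-128, rank 1-255, priority 1-8 with no duplicates, comment up to 100 characters), as an added Python example that is not Check Point code. The function names and the quote/newline restriction on comments are assumptions of this example; the 100-character limit is the one given for the Gaia Portal Comment field.

```python
import ipaddress

def validate_route(dest, gateways, rank=60, comment=""):
    """Return a list of problems; gateways is [(ipv6_address, priority_or_None), ...]."""
    problems = []
    try:
        prefixlen = ipaddress.IPv6Network(dest, strict=False).prefixlen
        if not 8 <= prefixlen <= 128:
            problems.append(f"mask length {prefixlen} outside 8-128")
    except ValueError as exc:
        problems.append(f"bad destination: {exc}")
    if not 1 <= rank <= 255:
        problems.append(f"rank {rank} outside 1-255")
    if len(comment) > 100:
        problems.append("comment longer than 100 characters")
    # Example's own assumption (not a documented Gaia rule): keep the quoted comment intact.
    if '"' in comment or "\n" in comment:
        problems.append("comment contains a quote or newline")
    seen = set()
    for addr, prio in gateways:
        try:
            ipaddress.IPv6Address(addr)
        except ValueError:
            problems.append(f"bad gateway address: {addr}")
        if prio is not None and not 1 <= prio <= 8:
            problems.append(f"priority {prio} outside 1-8")
        elif prio is not None and prio in seen:
            problems.append(f"priority {prio} used twice (no IPv6 ECMP)")
        seen.add(prio)
    return problems

def preference_order(gateways):
    """No configured priority is preferred, then priority 1 (highest) to 8."""
    return sorted(gateways, key=lambda g: (g[1] is not None, g[1] or 0))

def render_clish(dest, gateways, rank=60, comment=""):
    """Return the Gaia Clish lines for a validated route, or raise ValueError."""
    problems = validate_route(dest, gateways, rank, comment)
    if problems:
        raise ValueError("; ".join(problems))
    base = f"set ipv6 static-route {dest}"
    cmds = [f"{base} nexthop gateway {a}" + (f" priority {p}" if p else "") + " on"
            for a, p in gateways]
    if rank != 60:  # 60 is the default rank, so no command is needed for it
        cmds.append(f"{base} rank {rank}")
    if comment:
        cmds.append(f'{base} comment "{comment}"')
    return cmds
```
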
Troubleshooting
Symptoms
You cannot enable the VPN Software Blade. SmartConsole shows this message:
|
Cause
The IPv6 feature is active on the Security Gateway, but the main IPv6 address is not configured in the Security Gateway object in SmartConsole.
Next Steps
- From the left navigation panel, click Gateways & Servers.
- Double-click the Security Gateway object.
- From the left tree, click General Properties.
- Configure the main IPv6 address.
- Click OK.
- Install the Access Control Policy on the Security Gateway object.