We have noticed some cloud service providers that our customers are using are starting to implement IPv6 routing. Their base cloud server images may include IPv6 configurations enabled by default.
The CloudPassage Halo Firewall Management feature does not currently support IPv6. If you rely on the Halo Firewall Management feature to manage connectivity to your cloud workload and your provider has enabled IPv6 routing, your workload may be exposed through IPv6 routing.
If you are not intending to use IPv6, we recommend that you disable it.
If your cloud workload requires IPv6, we recommend that you manage the host-based IPv6 firewall rules manually until we announce support.
Monitoring IPv6 Configurations With Halo
Halo can confirm that IPv6 is disabled using Configuration Security Management policies. The most recent versions of the OS Extended policy templates for both Debian-based and RPM-based Linux have checks to determine whether IPv6 is enabled. The checks are in the first rule under the System Configuration section, “Disable IPv6 Interfaces.”
These checks look in several possible places where IPv6 might be enabled or disabled, depending on your version of Linux:
If you wish to add these rules to your existing policies:
- Clone the policy template that includes the rule you would like to reuse.
- Go into the edit screen for the rule:
- Add the rule to your library:
- Edit the policy you wish to update.
- Open the section of that policy that you wish to add the rule to and select “Add a Rule From Library:”
- Select the IPv6 rule from the popup:
- Scroll down and click “Save All”.
For Windows, we do not currently have a check. IPv6 is disabled by default in versions of Windows that have been released directly by Microsoft, but we recommend that you confirm that IPv6 is disabled on any Windows images from your cloud services provider. Please refer to Microsoft KB 929852, “How to disable IPv6 or its components in Windows,” for more information on configuring IPv6 on the Windows platform.
If you have any questions about these steps or questions about using IPv6 on your Halo- protected workloads, we encourage you to file a support ticket.