IPv6 Traffic Steering

Netskope supports enterprises with dual-stack (IPv6 and IPv4) environments, where internal networks have IPv6 and IPv4 implemented. All native IPv6 enterprises can use Netskope’s client steering technology to reach the Netskope Cloud Platform. When a user connects to an IPv6 website, the Netskope Client steers the IPv6 traffic to the Netskope cloud, where IPv6-to-IPv4 translation is done and policies are applied to that traffic. After policy enforcement, any allowed traffic is forwarded to its destination using an IPv4 address.

Netskope supports websites that resolve to IPv6 and IPv4 addresses. It doesn’t support websites that resolve only to IPv6 addresses.
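The following is an added example, not Netskope code: a pre-deployment check that classifies destinations by the address families they resolve to, so that IPv6-only sites (unsupported per the statement above) can be listed in advance. The function names and the sample hostnames and addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress
import socket


def classify(addresses):
    """Classify a destination by the IP versions in its resolved addresses."""
    versions = set()
    for addr in addresses:
        # Drop any zone id (e.g. fe80::1%eth0) before parsing.
        versions.add(ipaddress.ip_address(addr.split("%", 1)[0]).version)
    if versions == {4, 6}:
        return "dual-stack"
    if versions == {6}:
        return "ipv6-only"
    if versions == {4}:
        return "ipv4-only"
    return "unresolved"


def resolve(host, port=443):
    """Live lookup through the system resolver; returns [] if it fails."""
    try:
        infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def audit(records):
    """Map {hostname: [addresses]} to {hostname: classification}."""
    return {host: classify(addrs) for host, addrs in records.items()}


def ipv6_only(records):
    """Hostnames that resolve only to IPv6 addresses."""
    return sorted(h for h, kind in audit(records).items() if kind == "ipv6-only")


# Constructed sample data, so the example runs offline.
SAMPLE = {
    "dual.example": ["192.0.2.10", "2001:db8::10"],
    "legacy.example": ["198.51.100.7"],
    "v6only.example": ["2001:db8:1::5"],
    "missing.example": [],
}

if __name__ == "__main__":
    for host, kind in audit(SAMPLE).items():
        print(f"{host:18} {kind}")
```

To check real destinations, build the input with `{h: resolve(h) for h in hostnames}`; the result reflects whatever resolver the machine running the script uses.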

For traffic steered via IPSec or GRE tunnels, Netskope doesn’t support IPv6 traffic over the IPv4 tunnels.

A network diagram showing how Netskope Client handles IPv6 steering and IPv6 to IPv4 translation.

In the above diagram, the Netskope Client steers the enterprise and remote user traffic.

Cloud Firewall doesn’t support IPv6 traffic, including the translation, so any non-web Cloud Firewall traffic is bypassed locally. As a result, end users bypass the Cloud Firewall policies when dual stack is enabled on the device, and they can access cloud content over IPv6, which can lead to a security threat. To avoid this, from version 119.0.0, you can block the IPv6 non-web traffic from an application, forcing the application to transition to IPv4 (the application must support IPv4 fallback). The IPv4 traffic is then tunneled to Cloud Firewall, where the admin can apply the real-time policies.

Supported OS: Windows and macOS

ICMP6 and DNS6 are not blocked.

If the application does not support fallback to IPv4, you can bypass the IPv6 traffic using Destination Location or Domain exceptions.

Netskope Private Access doesn’t support IPv6 traffic. For IPv6 DNS queries over TCP, if the hostname in the DNS query is a Private App, the Netskope Client will block the DNS request.

Network Location Objects can be used for IPv6 Client steering exceptions. However, Network Locations that use IPv6 are not supported in Real-time Protection policies as a standard Source IP attribute, and there is no validation in Real-time Protection policies to prevent this invalid configuration.