IPv6 limitations, best practices, FAQ, and troubleshooting
Best practices
- Use a unique DNS name for every device and protocol on your network. For example, if you have a database server that supports both IPv4 and IPv6, give it a separate DNS name for each protocol, such as database-ipv4.yourcompany.com and database-ipv6.yourcompany.com. This makes DNS lookups deterministic and prevents connectivity issues.
- Guardium systems support only one host name. In dual mode, the system is registered in DNS with the same host name for both IPv4 and IPv6. This can cause connectivity issues because a lookup of that name may return either the IPv4 or the IPv6 address. When a specific protocol is required, use the IP address instead of the host name. For example, if the central manager is in dual mode and you want to register a managed unit using IPv6, specify the IPv6 address of the central manager:
register management 2620:1f7:807:a000:920:8400:0:182 8443
To change the protocol used for registering a managed unit to the central manager, unregister the managed unit from the central manager, change its IP mode, then re-register it using the new IP format. For example, with a central manager in dual mode and a managed unit in IPv4 mode, unregister the managed unit while it is in IPv4 mode, change its IP mode to IPv6, then re-register it to the central manager using an IPv6 address.
- Use Guardium host name aliasing to make reports easier to read. This feature works for both IPv4 and IPv6 protocols and uses DNS lookups for IP address aliasing.
- Configure infrastructure services like FTP to support IPv6.
- Use network tools and utilities that support IPv6. For example, the ping utility on some Linux and Windows systems requires the -6 switch for IPv6 addresses (ping -6 2620:1f7:807:a000:920:8400:0:182), and the nslookup utility requires -type=AAAA to resolve IPv6 host names (nslookup -type=AAAA database-ipv6.yourcompany.com).
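The following added example (written for this page, not code from the Guardium documentation or product) shows in Python the deterministic protocol choice that the single-host-name caveat and the register management command call for: given the A and AAAA answers a dual-stack name can return, pick the address for the protocol the Guardium system actually uses, and fail loudly instead of letting the client choose. It also shows the two spellings of an IPv6 literal used on this page, bracketed in the web UI URL and the LDAP host field, bare in the CLI register command. The function names, the resolver helper and the constructed answer list are this example's assumptions; the command syntax, port and address come from the page.

```python
"""Added example (not from the Guardium documentation): deterministic IPv4/IPv6
selection for a dual-stack host with a single DNS name, and the bracketed vs.
bare forms of an IPv6 literal that Guardium expects.

Function names, the resolver helper and the sample answer list are assumptions
made for this example, not Guardium APIs.
"""
import ipaddress
import socket
from typing import List, Optional


def ip_version(host: str) -> Optional[int]:
    """Return 4 or 6 for an address literal, or None for a host name."""
    try:
        return ipaddress.ip_address(host).version
    except ValueError:
        return None


def resolve(host: str, version: Optional[int] = None) -> List[str]:
    """Resolve `host` with the platform resolver, optionally restricted to one
    protocol. Restricting the family is the getaddrinfo equivalent of
    `nslookup -type=AAAA`: it cannot come back with the other protocol."""
    family = {None: socket.AF_UNSPEC, 4: socket.AF_INET, 6: socket.AF_INET6}[version]
    found: List[str] = []
    for *_, sockaddr in socket.getaddrinfo(host, None, family, socket.SOCK_STREAM):
        if sockaddr[0] not in found:
            found.append(sockaddr[0])
    return found


def has_address_for(answers: List[str], version: int) -> bool:
    """True if the DNS answers contain an address of the wanted protocol."""
    return any(ip_version(a) == version for a in answers)


def pick_address(answers: List[str], version: int) -> str:
    """Choose the answer for the protocol the Guardium system uses.

    With one DNS name for both protocols, a plain lookup lets the client pick
    either record; if that protocol is not enabled on the Guardium system the
    connection fails. Raising here turns that into a deterministic error."""
    for a in answers:
        if ip_version(a) == version:
            return a
    raise LookupError(f"no IPv{version} address among {answers}")


def host_for_url(host: str) -> str:
    """IPv6 literals are written in square brackets in URLs and in the LDAP
    authentication host field; IPv4 literals and host names are not."""
    return f"[{host}]" if ip_version(host) == 6 else host


def guardium_url(host: str, port: int = 8443) -> str:
    """URL for the Guardium web UI, e.g. https://[2620:...:182]:8443."""
    return f"https://{host_for_url(host)}:{port}"


def register_command(cm_address: str, port: int = 8443) -> str:
    """CLI command that registers a managed unit to the central manager.
    The address is written bare; passing a literal of the wanted protocol
    is what pins the protocol, so a host name is refused here."""
    if ip_version(cm_address) is None:
        raise ValueError("use the central manager's IP address, not its host name")
    return f"register management {cm_address} {port}"


# Constructed sample: the A and AAAA answers DNS returns for ONE name on a
# dual-stack central manager (the IPv6 address is the one used on the page).
DUAL_NAME_ANSWERS = ["192.0.2.10", "2620:1f7:807:a000:920:8400:0:182"]

if __name__ == "__main__":
    cm_v6 = pick_address(DUAL_NAME_ANSWERS, 6)
    print(register_command(cm_v6))   # CLI: bare literal
    print(guardium_url(cm_v6))       # browser: bracketed literal
    print(host_for_url(cm_v6))       # LDAP host field: bracketed literal
    print(has_address_for(["192.0.2.10"], 6))  # IPv4-only name: no IPv6 route
```

In practice the `answers` list is whatever `resolve(name)` returns; calling `pick_address` on it before building the register command or URL is the scripted form of the "use the IP address of the protocol you want" advice, and `has_address_for` is the pre-flight check that the DNS entry can serve the protocol the collector or central manager is running in.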
Known limitations
- Changing to IPv4 or IPv6 mode from dual mode
- If you are operating in dual mode and migrate to IPv4-only or IPv6-only mode, the network configuration for the IP protocol you did not migrate to is lost.
- Enterprise load balancing and dual mode
- When using enterprise load balancing, a managed unit only supports the IP mode that was used for registering that managed unit to the central manager. This is true even if the collector is configured for dual mode. For example, if a managed unit in dual mode is registered to a central manager using IPv6, that managed unit cannot utilize IPv4. This limitation applies only to load balancing contexts with systems configured for dual mode.
- GBDI configuration
- When migrating from IPv4 to IPv6 with an existing GBDI instance configured for IPv4, update the GBDI instance for IPv6 using the following GuardAPI command. Issue it on the central manager for each active datamart and allow the settings to sync to the managed units:
grdapi datamart_update_copy_file_info destinationHost=[<IPv6 address>] destinationPassword=<password> destinationPath="/var/lib/sonargd/incoming" destinationUser="sonargd" transferMethod="SCP" Name="<datamart name>"
- LDAP authentication configuration
- When configuring LDAP authentication, an IPv6 host address must be entered in square brackets. For example: [2620:1f7:807:a000:920:8400:0:182].
- S-TAP sqlguard_ip parameter
- If the networking information for a Guardium collector in DNS differs from what is configured on the system, S-TAP installations may have issues using a host name for the sqlguard_ip parameter. To resolve this, align the DNS information with the collector's network configuration. Otherwise, specify a numeric IP address for sqlguard_ip.
- S-TAP diagnostics
- When the central manager and a Windows S-TAP are not using the same IP protocol (IPv4 or IPv6), the S-TAP diagnostics are not communicated to the central manager.
Frequently asked questions
- How do you access a Guardium system using an IPv6 address?
- Use square brackets for the IPv6 address in the URL. For example,
https://[2620:1f7:807:a000:920:8400:0:182]:8443
- Why is it important to have unique names in DNS for the devices in my network?
- Having unique DNS names makes DNS lookups deterministic. For example, if you have a database server that has the same name in DNS for IPv4 and IPv6, a lookup for that name may return either protocol. If that protocol is not used by the Guardium system, the connection will fail.
- The Guardium CLI only allows one hostname when configuring the system, but the IPv6 best practices indicate using unique host names for each IP protocol. Which hostname should I use when setting up a Guardium system in dual mode?
- The name provided during host name setup is an internal configuration and is not used for networking configuration: it is used to help identify the system from the CLI and in reports. Any name can be used for this setting. For example, if you have a system configured with an IPv4 DNS name and an IPv6 DNS name, you can use either one.
- Why do you recommend using an IP address instead of a host name when registering managed units to a central manager?
- In some environments, DNS is set up with only one host name for both the IPv4 and IPv6 addresses of the same device. In this case, using a host name does not guarantee which IP address is used and can lead to connection issues if one protocol is not supported. Therefore, when performing tasks such as registering managed units to a central manager, use the IP address of the protocol you want to use for the connection.
- I have both IPv4 and IPv6 databases on the same database server. How do I configure inspection engines on a collector running in dual mode?
- Each internet protocol requires its own inspection engine. For a dual mode system, create both an IPv4 inspection engine and an IPv6 inspection engine.
- How do I determine which IP mode was used to register managed units to a central manager?
- Use the Managed Units report. The report shows the host name and IP address of each managed unit: the IP address is in either IPv4 or IPv6 format, depending on how the managed unit was registered to the central manager.
- I converted my collector to dual mode. Why is my S-TAP status red in the S-TAP monitor?
- Verify that the S-TAP and collector are both communicating using the same IP protocol. Use the S-TAP monitor to confirm that the IP formats are the same. Expand the Guardium Hosts information for a specific S-TAP to review the collector information. If the S-TAP and collector are using different protocols, change the protocols to match.