Support for IPv6 in Splunk SOAR (Cloud)
Information and cross-references about IPv6 Support in Splunk SOAR (Cloud)
Splunk SOAR (Cloud) release 7.0.0 adds support for IPv6 in IPv6-compliant networks. Splunk SOAR (Cloud) can be deployed with support for IP routing in the following modes:
- IPv4 only
- Dual-stack mode with support for both IPv4 and IPv6
When Splunk SOAR (Cloud) is deployed in dual-stack mode, IPv6 routing will be preferred. Apps (also called Connectors) or assets which do not support IPv6 routing will fall back to IPv4, using the "Happy Eyeballs" algorithm.
When running in dual-stack mode, a Splunk SOAR (Cloud) deployment will have an IPv6 address and corresponding DNS record.
In dual-stack mode, Splunk SOAR (Cloud) will listen on both IPv4 and IPv6 port 3500 for webhook connections, and both IPv4 and IPv6 port 443 for HTTPS traffic.
SOAR (Cloud) features that support IPv6
The following SOAR (Cloud) features can use IPv6:
- Splunk SOAR Automation Broker
  During the Automation Broker's pairing process, you can use an IPv6 address for Splunk SOAR (Cloud). See Specifying IPv6 addresses later in this topic.
- Splunk Universal Forwarder
  A Splunk Universal Forwarder's Indexers field accepts IPv6 addresses. See Specifying IPv6 addresses later in this topic.
- Pairing with Splunk Enterprise Security
  Provided there is IPv6 routing available between Splunk SOAR (Cloud) and Splunk Enterprise Security, you can specify IPv6 addresses when pairing Splunk SOAR (Cloud) and Splunk Enterprise Security. See Specifying IPv6 addresses later in this topic.
- Apps (also called connectors) and associated assets which explicitly support IPv6
  At the release of Splunk SOAR (Cloud) 7.0.0, not all connectors (or apps) support IPv6 routing. If you have the IPv6 address to use in an app or asset, you can specify it in the app's or asset's configuration. See Specifying IPv6 addresses later in this topic.
- Allow and block lists
  In dual-stack mode, you can use IPv6 addresses for Splunk SOAR (Cloud) allow and block lists. See Specifying IPv6 addresses later in this topic.
Specifying IPv6 addresses
In order to use an app, asset, allow or block list, or other item that requires IPv6, you must specify the IPv6 address in the configuration using square brackets, "[" and "]", surrounding the IPv6 address.
Examples:
[2001:0DB8::/32] # specify an entire /32 range
[2001:db8:3333:4444:5555:6666:7777:8888] # specify a single IPv6 address
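A local pre-check for entries in this bracketed form, useful before pasting values into an allow or block list. This is an added example, not Splunk code: the function names, the sample list, and the decision to reject ranges with host bits set are assumptions of the example, not documented Splunk SOAR behavior.

```python
import ipaddress


def parse_bracketed_ipv6(entry):
    """Parse "[addr]" or "[addr/prefix]" into an IPv6Network (single address = /128)."""
    text = entry.strip()
    if not (text.startswith("[") and text.endswith("]")):
        raise ValueError(f"{entry!r}: IPv6 values must be wrapped in [ and ]")
    try:
        # strict=True rejects host bits set under the prefix (e.g. 2001:db8::1/32),
        # which usually means a mistyped prefix length. Assumption of this example.
        return ipaddress.IPv6Network(text[1:-1], strict=True)
    except ValueError as exc:
        raise ValueError(f"{entry!r}: not a valid IPv6 address or range ({exc})") from None


def covers(entry, candidate):
    """True if the bracketed list entry includes the candidate IPv6 address."""
    return ipaddress.IPv6Address(candidate) in parse_bracketed_ipv6(entry)


def audit(entries):
    """Split entries into (valid, rejected) dicts so bad lines can be reviewed."""
    valid, rejected = {}, {}
    for entry in entries:
        try:
            valid[entry] = parse_bracketed_ipv6(entry)
        except ValueError as exc:
            rejected[entry] = str(exc)
    return valid, rejected


# First two entries are the page's examples; the rest are constructed bad inputs.
SAMPLE = [
    "[2001:0DB8::/32]",
    "[2001:db8:3333:4444:5555:6666:7777:8888]",
    "2001:db8::1",        # missing brackets
    "[2001:db8::1/32]",   # host bits set under a /32
    "[192.0.2.10]",       # IPv4 address inside brackets
]

if __name__ == "__main__":
    valid, rejected = audit(SAMPLE)
    for entry, net in valid.items():
        print("ok      ", entry, "->", net)
    for entry, why in rejected.items():
        print("rejected", entry, "->", why)
```

The `covers` helper shows how broad a range entry is: the /32 example above matches every address under 2001:db8::, so a block or allow entry at that width affects far more than one host.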