The short description is that IPv6 worked if I traffic originated from a device behind the firewall, but if traffic originated from a device on the internet I would never get a response. The problem was that there was no IPv6 default gateway set, while the web interface listed the IPv6 gateway with (default).
When I accessed the shell of the firewall and tried to ping with ping6 I would get a no route to host message.
ping6: UDP connect: No route to host
This made me review the route table and when I did I saw no default or ::/0 entry for IPv6.
netstat -rnaW -f inet6
I manually added the default IPv6 route and IPv6 started working normally. I removed it and I could still ping from the firewall to an outside IPv6 address, but outside IPv6 traffic would no longer get a response.
route add -inet6 default 2001:470:xxxx:xxxx::1
In the web interface I removed the default check from the default option for the IPv6 gateway, saved it, added the default option check back and saved. When I did this the route table showed the default IPv6 route. Looking at the new config and comparing it to the previous config, <defaultgw>was not in the gateway section for the IPv6 gateway in the previous config. So the question is, why the web interface showed the gateway with the default option checked, but <defaultgw>was not in the config.xml? It it seems that if <defaultgw>is not in the config.xml file, a default IPv6 route is not set.
I can send you the configs privately if that would help.
BTW, my IPv6 is provided via a Hurricane Electric gif tunnel and in the ndp table the IPv6 address on the firewall is always listed with (incomplete) rather than a MAC address. Is this normal?