Configure Service Routes for On-Prem Services
You can configure Cloud NGFW for Azure to reach services hosted on-prem, such as DNS servers, external dynamic lists, log collectors, syslog receivers, dynamic content updates, LDAP, and MFA servers. By default, a Cloud NGFW firewall reaches these services through its management interface. In some use cases the management interface is not suitable, and Palo Alto Networks recommends that you configure a service route on the firewall instead. With a service route, the service packets leave the firewall through the data port you assign to each service, and the service sends its response back to the configured source IP address on that source interface.
Panorama and the Panorama plugin for Azure 5.1.1 or later are required to configure a service route on Cloud NGFW for Azure.
You should use a service route in the following scenarios.
  • Services hosted in your on-prem network with a private IP address. Because the Cloud NGFW management interface is not connected to your on-prem network, it cannot access the service’s private IP address.
  • Services are reachable over the internet via a public IP address, but the service's allow list requires a static source IP. The Cloud NGFW management interface reaches the internet through SNAT to a dynamic public IP address, which cannot be allow-listed. A service route that uses a public data interface instead has its source IP SNAT-translated to the Cloud NGFW public IP address, which you can allow-list.
By default, each Cloud NGFW Panorama template includes three zones: private, public, and loopback. The loopback zone contains interface loopback.3, which is the interface used for service routes.
Complete the following procedure to configure a service route on Cloud NGFW for Azure.
  1. Log in to Panorama.
  2. Verify that the Panorama plugin for Azure 5.1.1 or later is installed.
  3. Navigate to the Device tab (template configuration) and select your Cloud NGFW template from the Template drop-down.
    The cngfw-az-_DEFAULT_TEMPLATE_ template is only visible after you create the template stack in the Panorama plugin for Azure under Cloud NGFW.
  4. Navigate to Setup > Services and click Service Route Configuration.
  5. Select Customize and do one of the following to create a service route:
    • For a predefined service:
      1. Select IPv4 or IPv6 and click the link for the service for which you want to customize the service route.
        To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Routes, and proceed to the next step.
      2. To limit the list for Source Address, select loopback.3 as the Source Interface; then select a Source Address from that interface as the service route. An Address Object can also be referenced as a Source Address if it is already configured on the selected interface. Selecting Any as the Source Interface makes all IP addresses on all interfaces available in the Source Address list. Do not select Use default, because that tells the firewall to use the management interface for the service route.
        The Service Route Source Address does not inherit configuration changes from the referenced interface and vice versa. Modification of an Interface IP Address to a different IP address or Address Object will not update a corresponding Service Route Source Address. This may lead to commit failure and require you to update the Service Route(s) to a valid Source Address value.
      3. Click OK to save the configuration.
      4. Repeat this step if you want to specify both an IPv4 and IPv6 address for a service.
    • If the service is not listed, select the Destination tab to specify the target service by IP addresses:
      1. Select Destination and Add a Destination IP address. In this case, if a packet arrives with a destination IP address that matches this configured Destination address, then the source IP address of the packet will be set to the Source Address configured in the next step.
      2. To limit the list for Source Address, select the loopback.3 interface; then select a Source Address from that interface as the service route. Selecting Any as the Source Interface makes all IP addresses on all interfaces available in the Source Address list. Selecting MGT causes the firewall to use the MGT interface for the service route, which is exactly what a service route is meant to avoid in the scenarios above; use loopback.3.
      3. Click OK to save the configuration.
  6. Commit your changes.
  7. Add a Security Policy rule that allows the Cloud NGFW to reach the on-prem service.
    The security policy rule can match the service route traffic as:
    • From Any zone to the Public zone or Private zone, depending on whether the server has a public or private IP address.
    • Source IP address (172.200.255.253) to Destination IP address (IP address of the service).
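Two of the failure modes above are easy to miss in the GUI: a service that was never customized still silently uses the management interface, and a service route whose Source Address no longer matches the loopback.3 IP (after an interface IP change) fails at commit time. The following added pre-commit lint is an illustrative example, not Palo Alto Networks code. It parses a constructed XML fragment that mirrors the PAN-OS template config layout for interface IPs (network/interface/.../units) and service routes (deviceconfig/system/route) as assumed here; the service names, the ethernet1/1 interface, and the use of 172.200.255.253 as the loopback.3 address are sample values chosen for the example.

```python
"""Pre-commit lint for Cloud NGFW service routes in a Panorama template.

Added example, not Palo Alto Networks code. SAMPLE_TEMPLATE_XML is a
constructed sample that mirrors the PAN-OS config layout as assumed here;
service names, interfaces and addresses are illustrative.
"""
import ipaddress
import xml.etree.ElementTree as ET

LOOPBACK = "loopback.3"  # interface the Cloud NGFW template reserves for service routes

SAMPLE_TEMPLATE_XML = """
<config>
  <network><interface><loopback><units>
    <entry name="loopback.3"><ip><entry name="172.200.255.253/32"/></ip></entry>
  </units></loopback></interface></network>
  <deviceconfig><system><route>
    <service>
      <!-- correct: source address is the loopback.3 IP -->
      <entry name="dns">
        <source><interface>loopback.3</interface><address>172.200.255.253/32</address></source>
      </entry>
      <!-- stale: loopback.3 IP was changed, service route was not -->
      <entry name="syslog">
        <source><interface>loopback.3</interface><address>172.200.255.254/32</address></source>
      </entry>
      <!-- wrong data port: not the reserved loopback interface -->
      <entry name="ldap">
        <source><interface>ethernet1/1</interface><address>10.0.0.5/24</address></source>
      </entry>
    </service>
    <destination>
      <entry name="10.50.0.10">
        <source><interface>loopback.3</interface><address>172.200.255.253/32</address></source>
      </entry>
    </destination>
  </route></system></deviceconfig>
</config>
"""


def interface_addresses(root):
    """Return {interface name: {ip_interface, ...}} for every configured sub-interface."""
    addrs = {}
    for unit in root.iterfind(".//units/entry"):
        addrs[unit.get("name")] = {
            ipaddress.ip_interface(ip.get("name")) for ip in unit.iterfind("ip/entry")
        }
    return addrs


def service_routes(root):
    """Return [(kind, name, source_interface, source_address)] for both route tables."""
    routes = []
    for kind in ("service", "destination"):
        for entry in root.iterfind(f".//deviceconfig/system/route/{kind}/entry"):
            routes.append((kind, entry.get("name"),
                           entry.findtext("source/interface"),
                           entry.findtext("source/address")))
    return routes


def lint_service_routes(xml_text, required_services, loopback=LOOPBACK):
    """Return [(kind, name, reason)] findings; an empty list means the routes are consistent."""
    root = ET.fromstring(xml_text.strip())
    on_loopback = {i.ip for i in interface_addresses(root).get(loopback, set())}
    findings = []
    if not on_loopback:
        findings.append(("interface", loopback, "no-ip-on-interface"))
    seen = set()
    for kind, name, iface, addr in service_routes(root):
        seen.add((kind, name))
        if iface != loopback:
            # A missing interface means "Use default"/MGT; any other port is not the reserved one.
            findings.append((kind, name, "wrong-source-interface"))
        elif addr is None:
            findings.append((kind, name, "no-source-address"))
        else:
            try:
                src = ipaddress.ip_interface(addr).ip
            except ValueError:
                # The GUI allows an Address Object here; resolve it by hand before trusting it.
                findings.append((kind, name, "source-not-ip-literal"))
                continue
            if src not in on_loopback:
                # Source address drifted from the interface IP: this is the commit-failure case.
                findings.append((kind, name, "stale-source-address"))
    # Services with no customized route fall back to the management interface.
    for svc in required_services:
        if ("service", svc) not in seen:
            findings.append(("service", svc, "uses-management-interface"))
    return findings


if __name__ == "__main__":
    for finding in lint_service_routes(SAMPLE_TEMPLATE_XML, ["dns", "syslog", "ldap", "ntp"]):
        print(*finding)
```

Run it against a template config exported from Panorama before you commit; the required-services list is whatever set of services must never leave via the management interface in your deployment. The lint deliberately treats any source interface other than loopback.3 as a finding, since that is the interface the Cloud NGFW template reserves for service routes.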