Configure Service Routes for On-Prem Services

You can configure Cloud NGFW for Azure to access on-prem, hosted services such as DNS servers, external dynamic lists, log collectors, syslog, dynamic content updates, LDAP, MFA, and similar services. By default, a Cloud NGFW firewall reaches these services through its management interface. In some use cases, however, using the management interface is not recommended; instead, Palo Alto Networks recommends that you configure a service route on the firewall to access these services. When a service route is in use, service packets leave the firewall through the data port you assigned to each service, and the service sends its response to the configured source IP address and source interface.
Panorama and the Panorama plugin for Azure 5.1.1 or later are required to configure a service route on Cloud NGFW for Azure.
You should use a service route in the following scenarios.
  • Services hosted in your on-prem network with a private IP address. Because the Cloud NGFW management interface is not connected to your on-prem network, it cannot access the service’s private IP address.
  • Services are accessible via a public IP address over the internet, but a static source IP is required in an allow-list configuration. The Cloud NGFW management interface uses a source IP that is SNAT-translated to a dynamic public IP address to access the internet, which does not work with an allow list. You can configure the service route to access the on-prem service using a public data interface and the traffic source IP address will be SNAT-translated to the Cloud NGFW public IP address.
By default, each Cloud NGFW Panorama template includes three zones: private, public, and loopback. The loopback zone contains the interface loopback.3, which is used for the service route.
Complete the following procedure to configure a service route on Cloud NGFW for Azure.
  1. Log in to Panorama.
  2. Verify that the Panorama plugin for Azure 5.1.1 or later is installed.
  3. Navigate to Templates > Device and select your Cloud NGFW template from the Template drop-down. The cngfw-az-_DEFAULT_TEMPLATE_ template is only visible after you create the template stack in the Panorama plugin for Azure under Cloud NGFW.
  4. Navigate to Setup > Services and click Service Route Configuration.
  5. Select Customize and do one of the following to create a service route:
    • For a predefined service:
      1. Select IPv4 or IPv6 and click the link for the service for which you want to customize the service route. To use the same source address for multiple services, select the checkbox for each of those services, click Set Selected Routes, and proceed to the next step.
      2. To limit the list for Source Address, select loopback.3 as the Source Interface; then select a Source Address (from that interface) as the service route. An Address Object can also be referenced as a Source Address if it is already configured on the selected interface. Selecting Any as the Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Do not select Use default, because that tells the firewall to use the management interface for the service route.
        The Service Route Source Address does not inherit configuration changes from the referenced interface, and vice versa. Changing an interface IP address to a different IP address or Address Object does not update the corresponding Service Route Source Address. This can cause a commit failure and require you to update the service route(s) to a valid Source Address value.
      3. Click OK to save the configuration.
      4. Repeat this step if you want to specify both an IPv4 and an IPv6 address for a service.
    • If the service is not listed, select the Destination tab to specify the target service by IP address:
      1. Select Destination and Add a Destination IP address. If a packet arrives with a destination IP address that matches this configured Destination address, the source IP address of the packet is set to the Source Address configured in the next step.
      2. To limit the list for Source Address, select the loopback.3 interface; then select a Source Address (from that interface) as the service route. Selecting Any as the Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Selecting MGT causes the firewall to use the MGT interface for the service route.
      3. Click OK to save the configuration.
  6. Commit your changes.
  7. Add a Security Policy Rule allowing the Cloud NGFW to reach the on-prem service. The security policy rule can match the service route traffic as:
    • From Any zone to the Public zone or Private zone, depending on whether the server has a public or private IP address.
    • Source IP address (172.200.255.253) to Destination IP address (the IP address of the service).
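The two pitfalls in the procedure above, a route left on the management interface and a Source Address that no longer exists on loopback.3 (which breaks the commit), can be checked before committing. The following audit script is an added example, not code from this page or from Palo Alto Networks; the XML layout is a simplified model of a PAN-OS configuration export and the `MGT` interface value is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. The element layout is a simplified model of a PAN-OS
# configuration export, and the "MGT" source interface value is an assumption.
SAMPLE_CONFIG = """
<config>
  <network><interface><loopback><units>
    <entry name="loopback.3"><ip><entry name="172.200.255.253/32"/></ip></entry>
  </units></loopback></interface></network>
  <deviceconfig><system><route><service>
    <entry name="dns"><source>
      <interface>loopback.3</interface><address>172.200.255.253</address></source></entry>
    <entry name="syslog"><source>
      <interface>loopback.3</interface><address>172.200.255.250</address></source></entry>
    <entry name="ldap"><source><interface>MGT</interface></source></entry>
  </service></route></system></deviceconfig>
</config>
"""


def interface_addresses(root):
    """Map each interface unit (e.g. loopback.3) to the IPs configured on it, prefix stripped."""
    addrs = {}
    for units in root.iter("units"):
        for entry in units.findall("entry"):
            ips = {ip.get("name").split("/")[0] for ip in entry.findall("./ip/entry")}
            addrs[entry.get("name")] = ips
    return addrs


def audit_service_routes(config_xml, expected_iface="loopback.3"):
    """Return (service, problem) pairs for routes that bypass the data port or would fail commit."""
    root = ET.fromstring(config_xml.strip())
    addrs = interface_addresses(root)
    findings = []
    for svc in root.findall("./deviceconfig/system/route/service/entry"):
        name = svc.get("name")
        iface = svc.findtext("./source/interface")
        addr = svc.findtext("./source/address")
        if iface is None or iface == "MGT":
            # Same effect as "Use default"/MGT in the GUI: traffic leaves via the management interface.
            findings.append((name, "uses the management interface instead of a data port"))
        elif iface != expected_iface:
            findings.append((name, f"source interface {iface} is not {expected_iface}"))
        elif addr not in addrs.get(iface, set()):
            # The Source Address does not track the interface, so a stale value breaks the commit.
            findings.append((name, f"source address {addr} is not configured on {iface}"))
    return findings
```

Run the audit against an exported template configuration before committing; an empty result means every service route uses loopback.3 with an address that is still present on that interface.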