Learn how to setup service routes to support virtual systems.
| Where Can I Use This? | What Do I Need? |
|---|
|
|
- Virtual
Systems license for any virtual systems beyond
the base number supported by each NGFW series.
- One of the following licenses when using Strata Cloud
Manager:
- Strata Cloud Manager Pro
- Strata Cloud Manager Essentials
Virtual System support on Strata Cloud
Manager is available on request. Contact your account team to
enable the feature.
|
When a firewall is enabled for multiple virtual systems,
the virtual systems inherit the global service and service route settings.
For example, the firewall can use a shared email server to originate
email alerts to all virtual systems. In some scenarios, you’d want
to create different service routes for each virtual system.
One use case for configuring service routes at the virtual system
level is if you are an ISP who needs to support multiple individual
tenants on a single Palo Alto Networks firewall. Each tenant requires
custom service routes to access service such as DNS, Kerberos, LDAP,
NetFlow, RADIUS, TACACS+, Multi-Factor Authentication, email, SNMP
trap, syslog, HTTP, User-ID Agent, VM Monitor, and Panorama (deployment
of content and software updates). Another use case is an IT organization
that wants to provide full autonomy to groups that set servers for
services. Each group can have a virtual system and define its own
service routes.
You can select a virtual router for a service route in
a virtual system; you cannot select the egress interface. After
you select the virtual router and the firewall sends the packet
from the virtual router, the firewall selects the egress interface
based on the destination IP address. Therefore, if a virtual system
has multiple virtual routers, packets to all of the servers for
a service must egress out of only one virtual router. A packet with
an interface source address may egress a different interface, but
the return traffic would be on the interface that has the source
IP address, creating asymmetric traffic.
When you enable Multi Virtual System Capability, any virtual system that does not
have specific service routes configured inherits the global service and service
route settings for the firewall. You can instead configure a virtual system to use a
different service route, as described in the following workflow.
A firewall with multiple virtual systems must have interfaces and subinterfaces with
non-overlapping IP addresses. A per-virtual system service route for SNMP traps or
for Kerberos is for IPv4 only.
The service route for a service strictly follows how you configured the server
profile for the service:
- If you define a server profile () for the Shared location, the firewall uses the global service
route for that service.
- If you define a server profile for a specific virtual system, the firewall uses
the virtual system-specific service route for that service.
- If you define a server profile for a specific virtual system but the virtual
system-specific service route for that service is not configured, the firewall
uses the global service route for that service.
The firewall supports syslog forwarding on a virtual system basis. When multiple
virtual systems on a firewall are connecting to a syslog server using SSL
transport, the firewall can generate only one certificate for secure
communication. The firewall does not support each virtual system having its own
certificate.
