Configure Service Routes
The following procedure enables you to configure service routes to change the interface that the firewall uses to send requests to external services, such as the Palo Alto Networks cloud services, or for log forwarding. For firewalls in a high availability (HA) configuration, the service route configuration is synchronized across the HA peers.

For firewalls in an active/passive high availability (HA) configuration, the service route you configured to leverage an external service or for log forwarding sees activity only on the active HA peer, while the passive HA peer sees no activity, if you configured an Ethernet interface as the Source Interface. For example, you configure a service route with Ethernet 1/3 as the source interface to forward logs to Cortex Data Lake. In this scenario, all logs are forwarded from the active HA peer but no logs, including the system and configuration logs, are forwarded from the passive HA peer. However, if you configure the MGT interface as the service route Source Interface, activity occurs on both the active and passive HA peers.

- Customize service routes.
  - Select Device > Setup > Services > Global (omit Global on a firewall without multiple virtual system capability), and in the Services Features section, click Service Route Configuration.
  - Select Customize and do one of the following to create a service route:
    - For a predefined service:
      - Select IPv4 or IPv6 and click the link for the service for which you want to customize the service route.
        To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Routes, and proceed to the next step.
      - To limit the list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. An Address Object can also be referenced as a Source Address if it is already configured on the selected interface. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Selecting Use default causes the firewall to use the management interface for the service route, unless the packet destination IP address matches the configured Destination IP address, in which case the source IP address is set to the Source Address configured for the Destination. Selecting MGT causes the firewall to use the MGT interface for the service route, regardless of any destination service route.
        The Service Route Source Address does not inherit configuration changes from the referenced interface and vice versa. Modification of an Interface IP Address to a different IP address or Address Object will not update a corresponding Service Route Source Address. This may lead to commit failure and require you to update the Service Route(s) to a valid Source Address value.
      - Click OK to save the setting.
      - Repeat this step if you want to specify both an IPv4 and IPv6 address for a service.
    - For a destination service route:
      - Select Destination and Add a Destination IP address. In this case, if a packet arrives with a destination IP address that matches this configured Destination address, then the source IP address of the packet will be set to the Source Address configured in the next step.
      - To limit the list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Selecting MGT causes the firewall to use the MGT interface for the service route.
      - Click OK to save the setting.
  - Repeat the prior steps for each service route you want to customize.
  - Click OK to save the service route configuration.
- Commit.
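
Two pitfalls described above can be checked before you commit: a Source Address that is no longer present on its Source Interface after the interface was re-addressed, and an Ethernet Source Interface on an active/passive HA pair. The following Python audit is an added example, not Palo Alto Networks code; the dictionary layout, service names, and finding labels are hypothetical, and the addresses are constructed samples.

```python
import ipaddress

# Constructed sample data. The dict layout is hypothetical, not a PAN-OS export format.
INTERFACES = {
    "ethernet1/3": ["203.0.113.10/24"],
    "MGT": ["192.0.2.5/24"],
}
SERVICE_ROUTES = [
    {"service": "log-forwarding", "source_interface": "ethernet1/3", "source_address": "203.0.113.10"},
    # The interface was re-addressed after this route was set, so the source is stale.
    {"service": "dns", "source_interface": "ethernet1/3", "source_address": "203.0.113.99"},
    {"service": "ntp", "source_interface": "MGT", "source_address": "192.0.2.5"},
    {"service": "syslog", "source_interface": "Any", "source_address": "192.0.2.5"},
]


def addresses_on(interfaces, name):
    """IP addresses selectable for a Source Interface; 'Any' means every interface."""
    names = interfaces if name == "Any" else [name]
    return {str(ipaddress.ip_interface(cidr).ip)
            for n in names for cidr in interfaces.get(n, [])}


def audit_service_routes(routes, interfaces, active_passive_ha=False):
    """Return (service, finding) pairs for the two pitfalls described on this page."""
    findings = []
    for route in routes:
        iface = route["source_interface"]
        source = str(ipaddress.ip_address(route["source_address"]))
        # The route does not follow interface re-addressing: a source address that
        # is no longer on the interface can make the commit fail.
        if source not in addresses_on(interfaces, iface):
            findings.append((route["service"], "stale-source-address"))
        # With an Ethernet source interface, only the active HA peer sends traffic.
        if active_passive_ha and iface.lower().startswith("ethernet"):
            findings.append((route["service"], "passive-peer-silent"))
    return findings


if __name__ == "__main__":
    for service, finding in audit_service_routes(SERVICE_ROUTES, INTERFACES, True):
        print(f"{service}: {finding}")
```

A "passive-peer-silent" finding on a log-forwarding route means the passive peer's system and configuration logs will not reach the collector; the page's remedy is to use the MGT interface as the Source Interface.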