IPv4 and IPv6 Support for Service Route Configuration
End-of-Life (EoL)

The following table shows IPv4 and IPv6 support for service route configurations on global and virtual systems.
Columns: Service Route Configuration Settings; Global (IPv4, IPv6); Virtual System (IPv4, IPv6)
AutoFocus—AutoFocus™ server.
CRL Status—Certificate revocation list (CRL) server.
Data Services—Send data to Palo Alto Networks cloud services from the firewall dataplane. Optimized for faster data transfer and to prevent data loss. Required for IoT security, Enterprise DLP, and SaaS Security.
DDNS—Dynamic DNS service.
Panorama pushed updates—Content and software updates deployed from Panorama™.
DNS—Domain Name System server. (* in the Virtual System IPv4 and IPv6 columns: for virtual systems, DNS is done in the DNS Server Profile.)
External Dynamic Lists—Updates for external dynamic lists.
Email—Email server.
HSM—Hardware security module server.
HTTP—HTTP forwarding.
Kerberos—Kerberos authentication server.
LDAP—Lightweight Directory Access Protocol server.
MDM—Mobile Device Management server.
Multi-Factor Authentication—Multi-factor authentication (MFA) server.
NetFlow—NetFlow collector for collecting network traffic statistics.
NTP—Network Time Protocol server.
Palo Alto Networks Services—Updates from Palo Alto Networks® and the public WildFire® server. This is also the service route for forwarding pre-10.0 telemetry data to Palo Alto Networks. (Current telemetry support forwards its data to Cortex Data Lake. This service route is not used in that case.)
Panorama—Panorama management server.
Panorama Log Forwarding (PA-5200 Series firewalls only)—Log forwarding from the firewall to Log Collectors.
Proxy—Server that acts as a proxy for the firewall.
RADIUS—Remote Authentication Dial-in User Service server.
SCEP—Simple Certificate Enrollment Protocol for requesting and distributing client certificates.
SNMP Trap—Simple Network Management Protocol trap server.
Syslog—Server for system message logging.
TACACS+—Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services.
UID Agent—User-ID Agent server.
URL Updates—Uniform Resource Locator (URL) updates server.
VM Monitor—Monitoring of virtual machine information, when you have enabled Device > VM Information Sources. VM-Series firewalls in public cloud deployments that are monitoring virtual machines must use the MGT interface; you cannot use a dataplane interface as a service route.
WildFire Private—Private Palo Alto Networks WildFire server.
When customizing a Global service route, select Service Route Configuration and, on the IPv4 or IPv6 tab, select a service from the list of available services; you can also select multiple services and Set Selected Service Routes to configure multiple service routes at once. To limit the selections in the Source Address drop-down, select a Source Interface and then a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the available interfaces. The Source Address displays the IPv4 or IPv6 address assigned to the selected interface, and the selected IP address will be the source for the service traffic.
You can Use default if you want the firewall to use the management interface for the service route; however, if the packet destination IP address matches the configured Destination IP address, the source IP address will be set to the Source Address configured for the Destination.
You do not have to define a destination address because the destination is configured when you configure each service. For example, when you define your DNS servers (Device > Setup > Services), you will set the destination for DNS queries. You can specify both an IPv4 and an IPv6 address for a service.
An alternative way to customize a Global service route is to select Service Route Configuration and select Destination. Specify a Destination IP address to which an incoming packet is compared. If the packet destination address matches the configured Destination IP address, the source IP address is set to the Source Address configured for the Destination. To limit the selections in the Source Address drop-down, select a Source Interface and then select a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The MGT Source Interface causes the firewall to use the management interface for the service route.
When you configure service routes for a Virtual System, choosing to Inherit Global Service Route Configuration means that all services for the virtual system will inherit the global service route settings. You can, instead, choose Customize, select IPv4 or IPv6, and select a service; you can also select multiple services and Set Selected Service Routes. The Source Interface has the following three choices:
  • Inherit Global Setting—The selected services inherit the global settings for those services.
  • Any—Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
  • An interface from the drop-down—Limits the drop-down for Source Address to the IP addresses for this interface.
For Source Address, select an address from the drop-down. For the services selected, server responses are sent to this source address.
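The source-selection rules described above for Global, Destination and Virtual System service routes, as an added Python sketch for checking which source address a service will use (this is not Palo Alto Networks code and not a PAN-OS API). The config layout, function names and all addresses are constructed, and treating a customized virtual-system route as final ahead of the Destination list is an assumption the page does not settle.

```python
import ipaddress

MGT = "MGT"          # "Use default": management interface is the source
INHERIT = "inherit"  # vsys choice "Inherit Global Setting"

# Constructed sample config (documentation address ranges, hypothetical layout).
CFG = {
    "global": {                      # (service, family) -> Source Address
        ("syslog", "ipv4"): "192.0.2.10",
        ("syslog", "ipv6"): "2001:db8:1::10",
        ("ldap", "ipv4"): "192.0.2.10",
    },
    "destination": {"2001:db8:53::1": "2001:db8:1::53"},  # Destination -> Source Address
    "vsys": {"vsys2": {("ldap", "ipv4"): "198.51.100.7"}},
}

def resolve_source(service, dest_ip, cfg, vsys=None):
    """Return (source, rule) for one service packet sent to dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    fam = "ipv6" if dest.version == 6 else "ipv4"
    if vsys is not None:
        choice = cfg["vsys"].get(vsys, {}).get((service, fam), INHERIT)
        if choice != INHERIT:
            # Assumption: a customized vsys route is final for that vsys.
            return choice, "vsys-custom"
    # Global settings apply (device level, or inherited by the vsys).
    for configured, src in cfg["destination"].items():
        # Compare parsed addresses so equivalent IPv6 spellings match.
        if ipaddress.ip_address(configured) == dest:
            return src, "destination"
    src = cfg["global"].get((service, fam), MGT)
    return src, ("default-mgt" if src == MGT else "global-service")

def audit(flows, cfg):
    """Return the (service, dest_ip, vsys) flows that fall back to MGT."""
    return [f for f in flows if resolve_source(f[0], f[1], cfg, f[2])[0] == MGT]

if __name__ == "__main__":
    flows = [("syslog", "203.0.113.5", None), ("ldap", "2001:db8:9::9", None),
             ("dns", "2001:0db8:0053::1", None), ("ldap", "203.0.113.9", "vsys2")]
    for f in flows:
        print(f, "->", resolve_source(f[0], f[1], CFG, f[2]))
    print("no explicit route:", audit(flows, CFG))
```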