End-of-Life (EoL)

Customize Service Routes to Services for Virtual Systems

When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall. You can instead configure a virtual system to use a different service route, as described in the following workflow.
The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
  1. Customize service routes for a virtual system.
    1. Select
      Device
      Setup
      Services
      Virtual Systems
      , and select the virtual system you want to configure.
    2. Click the
      Service Route Configuration
      link.
    3. Select one of the radio buttons:
      • Inherit Global Service Route Configuration
        —Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7.
      • Customize
        —Allows you to specify a source address for each service.
    4. If you chose
      Customize
      , select the
      IPv4
      or
      IPv6
      tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. (Only services that are relevant to a virtual system are available.) To easily use the same source address for multiple services, select the checkbox for the services, click
      Set Selected Service Routes
      , and continue.
      • To limit the drop-down list for Source Address, select a
        Source Interface
        , then select a Source Address (from that interface) as the service route. Selecting
        Any
        Source Interface makes all IP addresses on all interfaces for the virtual system available in the Source Address drop-down from which you select an address. You can select
        Inherit Global Setting
        .
      • Source Address
        will indicate
        Inherited
        if you selected
        Inherit Global Setting
        for the
        Source Interface
        or it will indicate the source address you selected. If you selected
        Any
        for
        Source Interface
        , select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
      • If you modify an address object and the IP family type (IPv4/IPv6) changes, a
        Commit
        is required to update the service route family to use.
    5. Click
      OK
      .
    6. Repeat steps 4 and 5 to configure source addresses for other external services.
    7. Click
      OK
      .
  2. Commit the configuration.
    Click
    Commit
    .
    If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.

Recommended For You