Device > Setup > Services

Configure Services for Global and Virtual Systems Global Services Settings IPv4 and IPv6 Support for Service Route Configuration Settings Destination Service Route

Configure Services for Global and Virtual Systems

On a firewall where multiple virtual systems are enabled, select Services to display the Global and Virtual Systems tabs where you set services that the firewall or its virtual systems, respectively, use to operate efficiently. (If the firewall is a single virtual system or if multiple virtual systems are disabled, there are not two tabs, but just a Services menu.)

Select Global to set services for the whole firewall. These settings are also used as the default values for virtual systems that do not have a customized setting for a service.

Edit Services to define the destination IP addresses of DNS servers, the Update Server, and the Proxy Server. Use the dedicated NTP tab to configure Network Time Protocol settings. See Table 12 for field descriptions of the available Services options. In Service Features, click Service Route Configuration to specify how the firewall will communicate with other servers/devices for services such as DNS, email, LDAP, RADIUS, syslog, and many more. There are two ways to configure global service routes: The Use Management Interface for all option will force all firewall service communications with external servers through the management interface (MGT). If you select this option, you must configure the MGT interface to allow communications between the firewall and the servers/devices that provide services. To configure the MGT interface, select Device > Setup > Management and edit the Management Interface Settings. The Customize option allows you granular control over service communication by configuring a specific source interface and IP address that the service will use as the destination interface and destination IP address in its response. (For example, you could configure a specific source IP/ interface for all email communication between the firewall and an email server, and use a different source IP/interface for Palo Alto Updates.) Select the one or more services you want to customize to have the same settings and click Set Selected Service Routes. The services are listed in Table 13, which indicates whether a service can be configured for the Global firewall or Virtual Systems, and whether the service supports an IPv4 and/or IPv6 source address.

The Destination tab is another Global service route feature that you can customize. This tab appears in the Service Route Configuration window and is described in Destination Service Route.

Use the Virtual Systems tab to specify service routes for a single virtual system. Select a Location (virtual system) and click Service Route Configuration. Select Inherit Global Service Route Configuration or Customize service routes for a virtual system

. If you choose to customize settings, select IPv4 or IPv6. Select the one or more services you want to customize to have the same settings and click Set Selected Service Routes. See Table 13 for services that can be customized.

Global Services Settings

To control and redirect DNS queries between shared and specific virtual systems, you can use a DNS proxy

and a DNS Server profile

Global Services Setting	Description
Services
DNS	Choose the type of DNS service— Server or DNS Proxy Object. This setting is used for all DNS queries that the firewall initiated in support of FQDN address objects, logging, and firewall management. Options include: Primary and secondary DNS servers to provide domain name resolution. A DNS proxy that has been configured on the firewall is an alternative to configuring DNS servers.
Primary DNS Server	Enter the IP address of the primary DNS server. The server is used for DNS queries from the firewall, for example, to find the update server, to resolve DNS entries in logs, or for FDQN-based address objects.
Secondary DNS Server	Enter the IP address of a secondary DNS server to use if the primary server is unavailable (optional).
Update Server	This setting represents the IP address or host name of the server used to download updates from Palo Alto Networks. The current value is updates.paloaltonetworks.com. Do not change the server name unless instructed by technical support.
Verify Update Server Identity	If this option is enabled, the firewall or Panorama will verify that the server from which the software or content package is download has an SSL certificate signed by a trusted authority. This option adds an additional level of security for the communication between the firewall/Panorama server and the update server.
Proxy Server section
Server	If the firewall needs to use a proxy server to reach Palo Alto Networks update services, enter the IP address or host name of the server.
Port	Enter the port for the proxy server.
User	Enter the user name to access the server.
Password/Confirm Password	Enter and confirm the password for the user to access the proxy server.
NTP
NTP Server Address	Enter the IP address or hostname of an NTP server that you want to use to synchronize the firewall’s clock. Optionally enter the IP address or hostname of a second NTP server to synchronize the firewall’s clock with if the primary server becomes unavailable.
Authentication Type	You can enable the firewall to authenticate time updates from an NTP server. For each NTP server, select the type of authentication for the firewall to use: None —(Default) Select this option to disable NTP Authentication. Symmetric Key —Select this option for the firewall to use symmetric key exchange (shared secrets) to authenticate the NTP server’s time updates. If you select Symmetric Key, continue by entering the following fields: Key ID —Enter the Key ID (1- 65534). Algorithm —Select the Algorithm to use in NTP authentication (MD5 or SHA1). Authentication Key/Confirm Authentication Key —Enter and confirm the authentication algorithm’s authentication key. Autokey —Select this option for the firewall to use autokey (public key cryptography) to authenticate the NTP server’s time updates.

IPv4 and IPv6 Support for Service Route Configuration Settings

The following table shows IPv4 and IPv6 support for service route configurations on global and virtual systems.

Service Route Configuration Setting	Global	Virtual System
IPv4	IPv6	IPv4	IPv6
CRL Status—Certificate revocation list (CRL) server.			—	—
DNS—Domain Name System server. * For virtual systems, DNS is done in the DNS Server Profile.			*	*
Email—Email server.
HSM—Hardware security module server.		—	—	—
Kerberos—Kerberos authentication server.		—		—
LDAP—Lightweight Directory Access Protocol server.
MDM—Mobile Device Management server.			—	—
Netflow—Netflow server for collecting network traffic statistics.
NTP—Network Time Protocol server.			—	—
Palo Alto Updates—Updates from Palo Alto Networks.		—	—	—
Panorama—Palo Alto Networks Panorama server.			—	—
Proxy—Server that is acting as Proxy to the firewall.			—	—
RADIUS—Remote Authentication Dial-in User Service server.
SCEP—Simple Certificate Enrollment Protocol for requesting and distributing client certificates.			—	—
SNMP Trap—Simple Network Management Protocol trap server.		—		—
Syslog—Server for system message logging.
Tacplus—Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services.
UID Agent—User-ID Agent server.
URL Updates—Uniform Resource Locator (URL) updates server.			—	—
VM Monitor—Virtual Machine Monitor server.
WildFire Private—Private Palo Alto Networks WildFire server.		—	—	—
WildFire Public—Public Palo Alto Networks WildFire server.		—	—	—

When customizing a Global service route, on either the IPv4 or IPv6 tab, select from the list of available services, click Set Selected Service Routes, and select the Source Interface and Source Address from the drop-down. A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The Source Address displays the IPv4 or IPv6 address assigned to the selected interface; the selected IP address will be the source for the service traffic. You do not have to define a destination address because the destination is configured when configuring each service. For example, when you define your DNS servers ( Device > Setup > Services), that will set the destination for DNS queries.

When configuring service routes for a Virtual System, the Inherit Global Service Route Configuration option means that all services for the virtual system will inherit the global service route settings. Or you can choose Customize, select IPv4 or IPv6, select a service, and click Set Selected Service Routes. The Source Interface has the following three choices:

Inherit Global Setting —The selected services will inherit the global settings for those services. Any —Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system). An interface from the drop-down—For the services being configured, the server’s responses will be sent to the selected interface because that was the source interface.

For Source Address, select an address from the drop-down. For the services selected, the server’s responses will be sent to this source address.

Destination Service Route

Device > Setup > Services > Global

Returning to the Global tab, when you click on Service Route Configuration and then Customize, the Destination tab appears. Destination service routes are available under the Global tab only (not the Virtual Systems tab), so that the service route for an individual virtual system cannot override route table entries that are not associated with that virtual system.

A destination service route can be used to add a customized redirection of a service that is not supported on the Customize list of services (Table 13). A destination service route is a way to set up routing to override the forwarding information base (FIB) route table. Any settings in the Destination service routes override the route table entries. They could be related or unrelated to any service.

The Destination tab is for the following use cases:

When a service does not have an application service route. Within a single virtual system, when you want to use multiple virtual routers or a combination of virtual router and management port.

The following table describes the destination service route settings.

Destination Service Route Setting	Description
Destination	Enter the Destination IP address.
Source Interface	Select the Source Interface that will be used for packets returning from the destination.
Source Address	Select the Source Address that will be used for packets returning from the destination. You do not need to enter the subnet for the destination address.

Document:PAN-OS® Web Interface Reference Guide

Device > Setup > Services

Related Documentation

Document:PAN-OS® Web Interface Reference Guide

Device > Setup > Services

Related Documentation

Use Cases for Service Routes for a Virtual System

Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System

Configure a DNS Server Profile

Device > Server Profiles > DNS

Service Routes for Virtual Systems

Use Case 3: Firewall Acts as DNS Proxy Between Client and Server

DNS Server Profile

Set Up Network Access for External Services

Multi-Tenant DNS Deployments

Network > DNS Proxy