The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. The path from the interface to the service on a server is known as a service route. The service packets exit the firewall on the port assigned for the external service and the server sends its response to the configured source interface and source IP address.
You can configure service routes globally for the firewall (shown in the following task) or Customize Service Routes for a Virtual System on a firewall enabled for multiple virtual systems so that you have the flexibility to use interfaces associated with a virtual system. Any virtual system that does not have a service route configured for a particular service inherits the interface and IP address that are set globally for that service.
The following procedure enables you to change the interface the firewall uses to send requests to external services.
- Customize service routes.
- Select DeviceSetupServicesGlobal (omit Global on a firewall without multiple virtual system capability), and in the Services Features section, click Service Route Configuration.
- Select Customize and
do one of the following to create a service route:
- For a predefined service:
- Select IPv4 or IPv6 and click the link for the service for which you want customize the service route.To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Routes, and proceed to the next step.
- To limit the drop-down list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address drop-down from which you select an address. Selecting Use default causes the firewall to use the management interface for the service route, unless the packet destination IP address matches the configured Destination IP address, in which case the source IP address is set to the Source Address configured for the Destination. Selecting MGT causes the firewall to use the MGT interface for the service route, regardless of any destination service route.
- Click OK to save the setting.
- Repeat this step if you want to specify both an IPv4 and IPv6 address for a service.
- For a destination service route:
- Select Destination and Add a Destination IP address. In this case, if a packet arrives with a destination IP address that matches this configured Destination address, then the source IP address of the packet will be set to the Source Address configured in the next step.
- To limit the drop-down list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address drop-down from which you select an address. Selecting MGT causes the firewall to use the MGT interface for the service route.
- Click OK to save the setting.
- Repeat the prior steps for each service route you want to customize.
- Click OK to save the service route configuration.
- Commit.Click Commit.
Destination Service Route
Destination Service Route Device > Setup > Services > Global On the Global tab, when you click on Service Route Configuration and then Customize , ...
IPv4 and IPv6 Support for Service Route Configuration
IPv4 and IPv6 Support for Service Route Configuration The following table shows IPv4 and IPv6 support for service route configurations on global and virtual systems. ...
Customize Service Routes to Services for Virtual Systems
Customize Service Routes to Services for Virtual Systems When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes ...
Configure Services for Global and Virtual Systems
Configure Services for Global and Virtual Systems On a firewall where multiple virtual systems are enabled, select Services to display the Global and Virtual Systems ...
Set Up Network Access for External Services
Set Up Network Access for External Services By default, the firewall uses the MGT port to access remote services, such as DNS servers, content updates, ...
Customize Service Routes for a Virtual System
Customize Service Routes for a Virtual System When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service ...
Configure a DNS Server Profile
Configure a DNS Server Profile Configure a DNS Server Profile , which simplifies configuration of a virtual system. The Primary DNS or Secondary DNS address ...
IP Drop To instruct the firewall what to do with certain IP packets it receives in the zone, specify the following settings. Zone Protection Profile ...
Configure a Static Route
Configure a Static Route Perform the following task to configure Static Routes or a default route for a virtual router on the firewall. Configure a ...