IPv4 and IPv6 Support for Service Route Configuration

The following table shows IPv4 and IPv6 support for service route configurations on global and virtual
systems.
Service Route Configuration Settings
Global
Virtual System
IPv4
IPv6
IPv4
IPv6
AutoFocus—AutoFocus server.
green-check-mark.png
CRL Status—Certificate revocation list (CRL) server.
green-check-mark.png
green-check-mark.png
Panorama pushed updates—Content and software updates deployed from Panorama
green-check-mark.png
green-check-mark.png
DNS—Domain Name System server. * For virtual systems, DNS is done in the DNS Server Profile.
green-check-mark.png
green-check-mark.png
green-check-mark.png *
green-check-mark.png *
External Dynamic Lists—Updates for external dynamic lists.
green-check-mark.png
green-check-mark.png
Email—Email server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
HSM—Hardware security module server.
green-check-mark.png
green-check-mark.png
Kerberos—Kerberos authentication server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
LDAP—Lightweight Directory Access Protocol server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
MDM—Mobile Device Management server.
green-check-mark.png
green-check-mark.png
Multi-Factor Authentication—Multi-factor authentication (MFA) server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
NetFlow—NetFlow collector for collecting network traffic statistics.
Any, Use default, and MGT are not valid interface options for sending NetFlow records from PA-7000 Series or PA-5200 Series firewalls.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
NTP—Network Time Protocol server.
green-check-mark.png
green-check-mark.png
Palo Alto Networks Services—Updates from Palo Alto Networks and the public WildFire server. This is also the service route for forwarding telemetry data to Palo Alto Networks.
green-check-mark.png
Panorama—Panorama management server.
green-check-mark.png
green-check-mark.png
Panorama Log Forwarding—(PA-5200 Series firewalls only) Log forwarding from the firewall to Log Collectors.
green-check-mark.png
green-check-mark.png
Proxy—Server that is acting as Proxy to the firewall.
green-check-mark.png
green-check-mark.png
RADIUS—Remote Authentication Dial-in User Service server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
SCEP—Simple Certificate Enrollment Protocol for requesting and distributing client certificates.
green-check-mark.png
green-check-mark.png
green-check-mark.png
SNMP Trap—Simple Network Management Protocol trap server.
green-check-mark.png
green-check-mark.png
Syslog—Server for system message logging.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
TACACS+—Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
UID Agent—User-ID Agent server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
URL Updates—Uniform Resource Locator (URL) updates server.
green-check-mark.png
green-check-mark.png
VM Monitor—Virtual Machine Monitor server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
WildFire Private—Private Palo Alto Networks WildFire server.
green-check-mark.png
When customizing a Global service route, select Service Route Configuration, and on the IPv4 or IPv6 tab, click on a service from the list of available services, (or select multiple services and click Set Selected Service Routes to configure multiple service routes at once.) To limit the drop-down list for Source Address, select a Source Interface and then select a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The Source Address displays the IPv4 or IPv6 address assigned to the selected interface; the selected IP address will be the source for the service traffic. Selecting Use default causes the firewall to use the management interface for the service route, unless the packet destination IP address matches the configured Destination IP address, in which case the source IP address is set to the Source Address configured for the Destination. You do not have to define a destination address because the destination is configured when configuring each service. For example, when you define your DNS servers (DeviceSetupServices), that will set the destination for DNS queries.You can specify both an IPv4 and IPv6 address for a service.
An alternative way to customize a Global service route is to select Service Route Configuration and select Destination. Specify a Destination IP address to which an incoming packet is compared. If the packet destination address matches the configured Destination IP address, the source IP address is set to the Source Address configured for the Destination. To limit the drop-down list for Source Address, select a Source Interface and then select a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The Source Interface of MGT causes the firewall to use the management interface for the service route.
When configuring service routes for a Virtual System, the Inherit Global Service Route Configuration option means that all services for the virtual system will inherit the global service route settings. Or you can choose Customize, select IPv4 or IPv6, click on a service (or select multiple services and click Set Selected Service Routes). The Source Interface has the following three choices:
  • Inherit Global Setting—The selected services will inherit the global settings for those services.
  • Any—Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
  • An interface from the drop-down—Limits the drop-down for Source Address to the IP addresses for this interface.
For Source Address, select an address from the drop-down. For the services selected, the server’s responses will be sent to this source address.

Related Documentation