IPv4 and IPv6 Support for Service Route Configuration
The following table shows IPv4 and IPv6 support for
service route configurations on global and virtual
systems.
Service Route Configuration
Settings | Global | Virtual System | ||
|---|---|---|---|---|
IPv4 | IPv6 | IPv4 | IPv6 | |
AutoFocus—AutoFocus server. | 
| — | — | — |
CRL Status—Certificate revocation list (CRL) server. |
|
| — | — |
Panorama pushed updates—Content and software
updates deployed from Panorama |
|
| — | — |
DNS—Domain Name System server. * For virtual
systems, DNS is done in the DNS Server Profile. |
|
|
* |
* |
External Dynamic Lists—Updates for external dynamic
lists. |
|
| — | — |
Email—Email server. |
|
|
|
|
HSM—Hardware security module server. |
| — | — |
|
Kerberos—Kerberos authentication server. |
| — |
|
|
LDAP—Lightweight Directory Access Protocol server. |
|
|
|
|
MDM—Mobile Device Management server. |
|
| — | — |
Multi-Factor Authentication—Multi-factor authentication
(MFA) server. |
|
|
|
|
NetFlow—NetFlow collector for collecting network
traffic statistics. Any, Use
default, and MGT are not valid
interface options for sending NetFlow records from PA-7000 Series
or PA-5200 Series firewalls.
|
|
|
|
|
NTP—Network Time Protocol server. |
|
| — | — |
Palo Alto Networks Services—Updates from
Palo Alto Networks and the public WildFire server. This is also
the service route for forwarding telemetry data to Palo Alto Networks. |
| — | — | — |
Panorama—Panorama management server. |
|
| — | — |
Panorama Log Forwarding—(PA-5200 Series
firewalls only) Log forwarding from the firewall to Log Collectors. |
|
| — | — |
Proxy—Server that is acting as Proxy to
the firewall. |
|
| — | — |
RADIUS—Remote Authentication Dial-in User Service
server. |
|
|
|
|
SCEP—Simple Certificate Enrollment Protocol for
requesting and distributing client certificates. |
|
|
| — |
SNMP Trap—Simple Network Management Protocol
trap server. |
| — |
| — |
Syslog—Server for system message logging. |
|
|
|
|
TACACS+—Terminal Access Controller Access-Control
System Plus (TACACS+) server for authentication, authorization,
and accounting (AAA) services. |
|
|
|
|
UID Agent—User-ID Agent server. |
|
| — |
|
URL Updates—Uniform Resource Locator (URL)
updates server. |
|
| — | — |
VM Monitor—Virtual Machine Monitor server. |
|
|
|
|
WildFire Private—Private Palo Alto Networks WildFire
server. |
| — | — | — |
When customizing a Global service route,
select Service Route Configuration, and on
the IPv4 or IPv6 tab,
click on a service from the list of available services, (or select
multiple services and click Set Selected Service Routes to
configure multiple service routes at once.) To limit the drop-down
list for Source Address, select a Source Interface and
then select a Source Address (from that interface).
A Source Interface that is set to Any allows
you to select a Source Address from any of the interfaces available.
The Source Address displays the IPv4 or IPv6 address assigned to
the selected interface; the selected IP address will be the source
for the service traffic. Selecting Use default causes
the firewall to use the management interface for the service route,
unless the packet destination IP address matches the configured
Destination IP address, in which case the source IP address is set
to the Source Address configured for the Destination. You do not
have to define a destination address because the destination is
configured when configuring each service. For example, when you
define your DNS servers (),
that will set the destination for DNS queries.You can specify both
an IPv4 and IPv6 address for a service.
An alternative way to customize a Global service
route is to select Service Route Configuration and
select Destination. Specify a Destination IP
address to which an incoming packet is compared. If the packet destination
address matches the configured Destination IP address, the source
IP address is set to the Source Address configured for the Destination.
To limit the drop-down list for Source Address,
select a Source Interface and then select
a Source Address (from that interface). A
Source Interface that is set to Any allows
you to select a Source Address from any of the interfaces available.
The Source Interface of MGT causes the firewall
to use the management interface for the service route.
When configuring service routes for a Virtual System,
the Inherit Global Service Route Configuration option
means that all services for the virtual system will inherit the
global service route settings. Or you can choose Customize,
select IPv4 or IPv6,
click on a service (or select multiple services and click Set
Selected Service Routes). The Source Interface has
the following three choices:
- Inherit Global Setting—The selected services will inherit the global settings for those services.
- Any—Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
- An interface from the drop-down—Limits the drop-down for Source Address to the IP addresses for this interface.
For Source Address, select an address
from the drop-down. For the services selected, the server’s responses
will be sent to this source address.