IPv4 and IPv6 Support for Service Route Configuration

The following table shows IPv4 and IPv6 support for service route configurations on global and virtual systems.
Table columns: Service Route Configuration Settings; Global (IPv4, IPv6); Virtual System (IPv4, IPv6)
AutoFocus—AutoFocus™ server.
green-check-mark.png
CRL Status—Certificate revocation list (CRL) server.
green-check-mark.png
green-check-mark.png
Panorama pushed updates—Content and software updates deployed from Panorama™.
green-check-mark.png
green-check-mark.png
DNS—Domain Name System server.
*For virtual systems, DNS is done in the DNS Server Profile.
green-check-mark.png
green-check-mark.png
green-check-mark.png *
green-check-mark.png *
External Dynamic Lists—Updates for external dynamic lists.
green-check-mark.png
green-check-mark.png
Email—Email server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
HSM—Hardware security module server.
green-check-mark.png
green-check-mark.png
Kerberos—Kerberos authentication server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
LDAP—Lightweight Directory Access Protocol server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
MDM—Mobile Device Management server.
green-check-mark.png
green-check-mark.png
Multi-Factor Authentication—Multi-factor authentication (MFA) server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
NetFlow—NetFlow collector for collecting network traffic statistics.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
NTP—Network Time Protocol server.
green-check-mark.png
green-check-mark.png
Palo Alto Networks Services—Updates from Palo Alto Networks® and the public WildFire® server. This is also the service route for forwarding telemetry data to Palo Alto Networks.
green-check-mark.png
Panorama—Panorama management server.
green-check-mark.png
green-check-mark.png
Panorama Log Forwarding (PA-5200 Series firewalls only)—Log forwarding from the firewall to Log Collectors.
green-check-mark.png
green-check-mark.png
Proxy—Server that is acting as Proxy to the firewall.
green-check-mark.png
green-check-mark.png
RADIUS—Remote Authentication Dial-in User Service server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
SCEP—Simple Certificate Enrollment Protocol for requesting and distributing client certificates.
green-check-mark.png
green-check-mark.png
green-check-mark.png
SNMP Trap—Simple Network Management Protocol trap server.
green-check-mark.png
green-check-mark.png
Syslog—Server for system message logging.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
TACACS+—Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
UID Agent—User-ID Agent server.
green-check-mark.png
green-check-mark.png
green-check-mark.png
URL Updates—Uniform Resource Locator (URL) updates server.
green-check-mark.png
green-check-mark.png
VM Monitor—Monitoring Virtual Machine information, when you have enabled Device > VM Information Sources.
VM-Series firewalls in public cloud deployments that are monitoring virtual machines must use the MGT interface. You cannot use a dataplane interface as a service route.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
WildFire Private—Private Palo Alto Networks WildFire server.
green-check-mark.png
When customizing a Global service route, select Service Route Configuration and, on the IPv4 or IPv6 tab, select a service from the list of available services; you can also select multiple services and Set Selected Service Routes to configure multiple service routes at once. To limit the selections in the Source Address drop-down, select a Source Interface and then a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the available interfaces. The Source Address displays the IPv4 or IPv6 address assigned to the selected interface and the selected IP address will be the source for the service traffic. You can Use default if you want the firewall to use the management interface for the service route; however, if the packet destination IP address matches the configured Destination IP address, the source IP address will be set to the Source Address configured for the Destination. You do not have to define a destination address because the destination is configured when you configure each service. For example, when you define your DNS servers (Device > Setup > Services), you will set the destination for DNS queries. You can specify both an IPv4 and an IPv6 address for a service.
An alternative way to customize a Global service route is to select Service Route Configuration and select Destination. Specify a Destination IP address to which an incoming packet is compared. If the packet destination address matches the configured Destination IP address, the source IP address is set to the Source Address configured for the Destination. To limit the selections in the Source Address drop-down, select a Source Interface and then select a Source Address (from that interface). A Source Interface that is set to Any allows you to select a Source Address from any of the interfaces available. The MGT Source Interface causes the firewall to use the management interface for the service route.
When you configure service routes for a Virtual System, choosing to Inherit Global Service Route Configuration means that all services for the virtual system will inherit the global service route settings. You can, instead, choose Customize, select IPv4 or IPv6, and select a service; you can also select multiple services and Set Selected Service Routes. The Source Interface has the following three choices:
  • Inherit Global Setting—The selected services inherit the global settings for those services.
  • Any—Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
  • An interface from the drop-down—Limits the drop-down for Source Address to the IP addresses for this interface.
For Source Address, select an address from the drop-down. For the services selected, server responses are sent to this source address.
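The source-selection rules described above, as an added Python model for checking which source address upstream ACLs and server allowlists should expect (this is not Palo Alto Networks code and not part of the original page). The dictionary layout, service keys, interface names and addresses are constructed; applying Destination entries only where the global configuration is in effect, and treating a vsys service that is not listed as inherited, are assumptions.

```python
from ipaddress import ip_address

MGT = ("MGT", None)   # "Use default": management interface (its address is not modeled)
INHERIT = "inherit"   # virtual system choice "Inherit Global Setting"

def _family(dest):
    return "ipv6" if dest.version == 6 else "ipv4"

def resolve_global(cfg, service, dest_ip):
    """Return (source interface, source address) for global service traffic."""
    dest = ip_address(dest_ip)
    # A Destination entry equal to the packet's destination address decides
    # the source, whatever the per-service setting is.
    for entry, source in cfg.get("destination", {}).items():
        if ip_address(entry) == dest:   # parsed comparison, not string comparison
            return source
    return cfg.get("service", {}).get((service, _family(dest)), MGT)

def resolve_vsys(vsys, global_cfg, service, dest_ip):
    """Resolve for a virtual system, falling back to the global configuration."""
    if vsys.get("inherit_global", True):
        return resolve_global(global_cfg, service, dest_ip)
    key = (service, _family(ip_address(dest_ip)))
    # Assumption: a service left out of the customized list inherits as well.
    source = vsys.get("service", {}).get(key, INHERIT)
    if source == INHERIT:
        return resolve_global(global_cfg, service, dest_ip)
    return source

# Constructed sample configuration (documentation address ranges only).
GLOBAL = {
    "service": {("syslog", "ipv4"): ("ethernet1/3", "10.1.3.1")},
    "destination": {
        "192.0.2.50": ("ethernet1/5", "10.1.5.1"),
        "2001:db8::50": ("ethernet1/5", "2001:db8:5::1"),
    },
}
VSYS2 = {
    "inherit_global": False,   # "Customize"
    "service": {("ldap", "ipv4"): ("ethernet1/7", "10.2.7.1"),
                ("syslog", "ipv4"): INHERIT},
}

if __name__ == "__main__":
    for svc, dst in [("syslog", "198.51.100.9"), ("ntp", "192.0.2.50")]:
        print(svc, dst, "->", resolve_global(GLOBAL, svc, dst))
    print("vsys2 ldap ->", resolve_vsys(VSYS2, GLOBAL, "ldap", "198.51.100.9"))
```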
