Customize Service Routes to Services for Virtual Systems
When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall. You can instead configure a virtual system to use a different service route, as described in the following workflow.
A firewall with multiple virtual systems must have interfaces and subinterfaces with non-overlapping IP addresses. A per-virtual system service route for SNMP traps or for Kerberos is for IPv4 only.
The service route for a service strictly follows how you configured the server profile for the service:
- If you define a server profile (Device > Server Profiles) for the Shared location, the firewall uses the global service route for that service.
- If you define a server profile for a specific virtual system, the firewall uses the virtual system-specific service route for that service.
- If you define a server profile for a specific virtual system but the virtual system-specific service route for that service is not configured, the firewall uses the global service route for that service.
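The three rules above can be modelled as a small resolver, shown here as an added example (not Palo Alto Networks code) that also flags the IPv4-only restriction on per-virtual system SNMP trap and Kerberos routes. The dictionary layout, service labels, profile names and addresses are assumptions made for illustration, not PAN-OS configuration syntax.

```python
import ipaddress

# Per the page, per-virtual-system routes for these services are IPv4 only.
IPV4_ONLY_PER_VSYS = {"snmp-trap", "kerberos"}  # labels chosen for this example

def resolve_route(profile, global_routes, vsys_routes):
    """Return (scope, source, findings) for one server profile.
    location is "shared" or a vsys name; a missing vsys_routes entry means inherited."""
    name, service, location = profile["name"], profile["service"], profile["location"]
    findings = []
    if location == "shared":
        # Rule 1: Shared profile -> global service route.
        return "global", global_routes[service], findings
    custom = vsys_routes.get(location, {}).get(service)
    if custom is None:
        # Rule 3: vsys profile without a vsys route -> global service route.
        findings.append(f"{name}: {location} has no route for {service}, uses global")
        return "global", global_routes[service], findings
    if service in IPV4_ONLY_PER_VSYS and ipaddress.ip_address(custom).version != 4:
        findings.append(f"{name}: per-vsys {service} route must be IPv4, got {custom}")
    # Rule 2: vsys profile with a vsys route -> that route.
    return location, custom, findings

def audit(profiles, global_routes, vsys_routes):
    """Resolve every profile; return ({name: (scope, source)}, all findings)."""
    effective, findings = {}, []
    for p in profiles:
        scope, source, notes = resolve_route(p, global_routes, vsys_routes)
        effective[p["name"]] = (scope, source)
        findings.extend(notes)
    return effective, findings

# Constructed sample data (documentation address ranges).
GLOBAL = {"syslog": "192.0.2.10", "kerberos": "192.0.2.10", "snmp-trap": "192.0.2.10"}
VSYS = {"vsys2": {"syslog": "198.51.100.5", "kerberos": "2001:db8::5"}}
PROFILES = [
    {"name": "syslog-shared", "service": "syslog", "location": "shared"},
    {"name": "syslog-tenant", "service": "syslog", "location": "vsys2"},
    {"name": "snmp-tenant", "service": "snmp-trap", "location": "vsys2"},
    {"name": "krb-tenant", "service": "kerberos", "location": "vsys2"},
]

if __name__ == "__main__":
    effective, findings = audit(PROFILES, GLOBAL, VSYS)
    print(effective)
    print("\n".join(findings))
```

The fallback finding is the one to review on a multi-tenant firewall: a profile defined in a virtual system still sends its traffic from the global source address until that virtual system has its own route for the service.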
The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
- Customize service routes for a virtual system.
  - Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure.
  - Click the Service Route Configuration link.
  - Select one:
    - Inherit Global Service Route Configuration—Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip the step to customize.
    - Customize—Allows you to specify a source address for each service.
  - If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. Click on a service. (Only services that are relevant to a virtual system are available.) To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Routes, and continue.
  - To limit the list for Source Address, select a Source Interface, then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces for the virtual system available in the Source Address list from which you select an address. You can select Inherit Global Setting.
  - Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface, or it will indicate the source address you selected. If you selected Any for Source Interface, select an IP address or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service.
  - If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use.
  - Repeat the prior steps to configure source addresses for other external services.
- Commit your changes. Click Commit and OK. If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.