When a firewall is enabled for multiple virtual systems,
the virtual systems inherit the global service and service route settings.
For example, the firewall can use a shared email server to originate
email alerts to all virtual systems. In some scenarios, you’d want
to create different service routes for each virtual system.
One use case for configuring service routes at the virtual system
level is if you are an ISP who needs to support multiple individual
tenants on a single Palo Alto Networks firewall. Each tenant requires
custom service routes to access service such as DNS, Kerberos, LDAP,
NetFlow, RADIUS, TACACS+, Multi-Factor Authentication, email, SNMP
trap, syslog, HTTP, User-ID Agent, VM Monitor, and Panorama (deployment
of content and software updates). Another use case is an IT organization
that wants to provide full autonomy to groups that set servers for
services. Each group can have a virtual system and define its own
service routes.