IPv4 and IPv6 Support for Service Route Configuration
The following table shows IPv4 and IPv6 support for
service route configurations on global and virtual systems.
Service Route Configuration Settings | Global | Virtual System | ||
---|---|---|---|---|
IPv4 | IPv6 | IPv4 | IPv6 | |
AutoFocus—AutoFocus™ server. | — | — | — | |
CRL Status—Certificate revocation list (CRL) server. | — | — | ||
Data Services—Send data to Palo Alto Networks cloud services from the firewall dataplane. Optimized for faster data transfer and prevents data loss. Required for IoT security, Enterprise DLP, and SaaS Security. | ||||
DDNS—Dynamic DNS service. | ||||
Panorama pushed updates—Content and software updates deployed from Panorama™. | — | — | ||
DNS—Domain Name System server. *For virtual systems, DNS is done in the DNS Server Profile. | ||||
External Dynamic Lists—Updates for external dynamic lists. | — | — | ||
Email—Email server. | ||||
HSM—Hardware security module server. | — | — | ||
HTTP—HTTP forwarding. | ||||
Kerberos—Kerberos authentication server. | — | |||
LDAP—Lightweight Directory Access Protocol server. | ||||
MDM—Mobile Device Management server. | — | — | ||
Multi-Factor Authentication—Multi-factor authentication (MFA) server. | ||||
NetFlow—NetFlow collector for collecting network traffic statistics. | ||||
NTP—Network Time Protocol server. | — | — | ||
Palo Alto Networks Services—Updates from Palo Alto Networks® and the public WildFire® server. This is also the service route for forwarding pre-10.0 telemetry data to Palo Alto Networks. (Current telemetry support forwards its data to Strata Logging Service. This service route is not used in that case.) | — | — | — | |
Panorama—Panorama management server. | — | — | ||
Panorama Log Forwarding (PA-5200 Series firewalls only)—Log forwarding from the firewall to Log Collectors. | — | — | ||
Proxy—Server that is acting as Proxy to the firewall. | — | — | ||
RADIUS—Remote Authentication Dial-in User Service server. | ||||
SCEP—Simple Certificate Enrollment Protocol for requesting and distributing client certificates. | — | |||
SNMP Trap—Simple Network Management Protocol trap server. | — | — | ||
Syslog—Server for system message logging. | ||||
TACACS+—Terminal Access Controller Access-Control System Plus (TACACS+) server for authentication, authorization, and accounting (AAA) services. | ||||
UID Agent—User-ID Agent server. | — | |||
URL Updates—Uniform Resource Locator (URL) updates server. | — | — | ||
VM Monitor—Monitoring Virtual Machine information, when you have enabled Device > VM Information Sources. VM-Series firewalls in public cloud deployments that are monitoring virtual machines, must use the MGT interface. You cannot use a dataplane interface as a service route. | ||||
WildFire Private—Private Palo Alto Networks WildFire server. | — | — | — |
When customizing a Global service route,
select Service Route Configuration and, on
the IPv4 or IPv6 tab,
select a service from the list of available services; you can also
select multiple services and Set Selected Service Routes to
configure multiple service routes at once. To limit the selections
in the Source Address drop-down, select a Source
Interface and then a Source Address (from
that interface). A Source Interface that is set to Any allows
you to select a Source Address from any of the available interfaces.
The Source Address displays the IPv4 or IPv6 address assigned to
the selected interface and the selected IP address will be the source
for the service traffic. You can Use default if
you want the firewall to use the management interface for the service
route; however, if the packet destination IP address matches the
configured Destination IP address, the source IP address will be
set to the Source Address configured for the Destination. You do
not have to define a destination address because the destination
is configured when you configure each service. For example, when
you define your DNS servers (Device > Setup > Services),
you will set the destination for DNS queries. You can specify both
an IPv4 and an IPv6 address for a service.
An alternative way to customize a Global service
route is to select Service Route Configuration and
select Destination. Specify a Destination IP
address to which an incoming packet is compared. If the packet destination
address matches the configured Destination IP address, the source
IP address is set to the Source Address configured for the Destination.
To limit the selections in the Source Address drop-down,
select a Source Interface and then select
a Source Address (from that interface). A
Source Interface that is set to Any allows
you to select a Source Address from any of the interfaces available.
The MGT Source Interface causes the firewall
to use the management interface for the service route.
When you configure service routes for a Virtual System,
choosing to Inherit Global Service Route Configuration means
that all services for the virtual system will inherit the global
service route settings. You can, instead, choose Customize, select IPv4 or IPv6,
and select a service; you can also select multiple services and Set
Selected Service Routes. The Source Interface has
the following three choices:
- Inherit Global Setting—The selected services inherit the global settings for those services.
- Any—Allows you to select a Source Address from any of the interfaces available (interfaces in the specific virtual system).
- An interface from the drop-down—Limits the drop-down for Source Address to the IP addresses for this interface.
For Source Address, select an address
from the drop-down. For the services selected, server responses
are sent to this source address.
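
The source-address selection described above can be modelled offline to predict which source IP a service will use, for example when writing upstream ACLs. This is an added example, not Palo Alto Networks code: the data layout, interface names and addresses are constructed, and checking a customized virtual-system route before the global Destination entries is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Source:
    interface: str
    address: str

@dataclass
class GlobalRoutes:
    mgt: dict                                         # {4: addr, 6: addr} of the MGT interface
    services: dict = field(default_factory=dict)      # service -> {4 or 6: Source}
    destinations: dict = field(default_factory=dict)  # destination IP -> Source

@dataclass
class VsysRoutes:
    inherit_global: bool = True                       # "Inherit Global Service Route Configuration"
    services: dict = field(default_factory=dict)      # "Customize": service -> {4 or 6: Source}

def resolve(service, dest_ip, glob, vsys=None):
    """Return (Source, reason) for one service packet sent to dest_ip."""
    dst = ipaddress.ip_address(dest_ip)
    fam = dst.version                                 # IPv4 and IPv6 tabs are separate
    # Assumption: a customized virtual-system route is checked before global settings.
    if vsys is not None and not vsys.inherit_global:
        src = vsys.services.get(service, {}).get(fam)
        if src is not None:                           # None models "Inherit Global Setting"
            return src, "vsys"
    # Destination match: compare parsed addresses so IPv6 spellings are equivalent.
    for cfg_dst, src in glob.destinations.items():
        if ipaddress.ip_address(cfg_dst) == dst:
            return src, "destination"
    src = glob.services.get(service, {}).get(fam)
    if src is not None:
        return src, "service"
    return Source("MGT", glob.mgt[fam]), "default"    # "Use default"

# Constructed sample configuration (documentation address ranges only).
GLOBAL = GlobalRoutes(
    mgt={4: "192.0.2.10", 6: "2001:db8:0:1::10"},
    services={"dns": {4: Source("ethernet1/1", "198.51.100.1")}},
    destinations={"2001:db8::53": Source("ethernet1/2", "2001:db8:0:2::1")},
)
VSYS = VsysRoutes(inherit_global=False,
                  services={"syslog": {4: Source("ethernet1/3", "203.0.113.1")}})

if __name__ == "__main__":
    for svc, dst, vs in [("dns", "198.51.100.53", None), ("dns", "2001:0db8:0:0:0:0:0:53", None),
                         ("ntp", "192.0.2.123", None), ("syslog", "192.0.2.200", VSYS),
                         ("dns", "198.51.100.53", VSYS)]:
        print(svc, dst, *resolve(svc, dst, GLOBAL, vs))
```

A service configured only on the IPv4 tab falls back to the management interface for IPv6 destinations in this model, so both address families need to be checked when reviewing which interfaces carry service traffic.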