In Palo Alto Networks' PAN-OS, Virtual Systems (VSYS) allow a single physical firewall to be partitioned into multiple logical firewalls, each with its own interfaces, security policies, and administrative control. This is particularly beneficial for managed service providers and large enterprises that require logical segmentation for different departments or customers.
Service Routes define the source interface and IP address that the firewall uses to access external services such as DNS, LDAP, RADIUS, and syslog servers. By default, the firewall uses the management (MGT) interface for these services, but service routes can be customized to use different interfaces as needed.
When a firewall is configured with multiple virtual systems, each VSYS inherits the global service route settings by default. However, administrators can customize service routes for individual VSYS instances to meet specific requirements.
Customizing service routes per VSYS is useful in scenarios such as:
When configuring service routes for a VSYS, you select a virtual router rather than a specific egress interface. The firewall determines the egress interface from the routing table associated with the selected virtual router.
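The resolution order described above (per-VSYS setting, then inherited global setting, then the MGT default), with the egress interface taken from the selected virtual router's routing table, can be modelled as follows. This is an added example, not PAN-OS code or its configuration schema; every name, address and route in it is constructed, and the longest-prefix-match lookup is a simplifying assumption about how the routing table is consulted.

```python
import ipaddress

# Constructed sample data in a simplified model (not the PAN-OS config schema).
GLOBAL_SERVICE_ROUTES = {"dns": "ethernet1/1"}   # service -> source interface
VSYS_SERVICE_ROUTES = {                          # vsys -> service -> virtual router
    "vsys2": {"syslog": "vr-tenant-b", "ldap": "vr-tenant-b"},
    "vsys3": {"ldap": "vr-tenant-c"},
}
VIRTUAL_ROUTERS = {                              # virtual router -> routing table
    "vr-tenant-b": [("0.0.0.0/0", "ethernet1/5"), ("10.20.0.0/16", "ethernet1/6")],
    "vr-tenant-c": [("192.168.0.0/24", "ethernet1/7")],  # no default route
}


def egress_interface(vr_name, dest_ip):
    """Longest-prefix match of dest_ip in the named virtual router's table.

    Returns None when the table holds no matching route, which means the
    service would be unreachable from that virtual system.
    """
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for prefix, interface in VIRTUAL_ROUTERS.get(vr_name, []):
        net = ipaddress.ip_network(prefix)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface)
    return best[1] if best else None


def resolve(vsys, service, dest_ip):
    """Return (origin, egress interface) for a service request from a vsys."""
    vr = VSYS_SERVICE_ROUTES.get(vsys, {}).get(service)
    if vr is not None:                       # per-VSYS customization wins
        return ("vsys", egress_interface(vr, dest_ip))
    if service in GLOBAL_SERVICE_ROUTES:     # otherwise inherit the global route
        return ("global", GLOBAL_SERVICE_ROUTES[service])
    return ("default", "MGT")                # otherwise the management interface


if __name__ == "__main__":
    for vsys, service, dest in [("vsys1", "syslog", "10.20.1.5"),
                                ("vsys2", "syslog", "10.20.1.5"),
                                ("vsys3", "ldap", "172.16.0.10")]:
        print(vsys, service, dest, resolve(vsys, service, dest))
```

A `None` egress in the result flags a per-VSYS service route whose virtual router has no path to the server, which is worth checking before committing such a change.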