Customize Service Routes for a Virtual System
Customize Service Routes to Services for Virtual Systems
When you enable Multi Virtual System Capability, any virtual system that does not have specific service routes configured inherits the global service and service route settings for the firewall. You can instead configure a virtual system to use a different service route, as described in the following workflow.
The firewall supports syslog forwarding on a virtual system basis. When multiple virtual systems on a firewall are connecting to a syslog server using SSL transport, the firewall can generate only one certificate for secure communication. The firewall does not support each virtual system having its own certificate.
I
Customize Service Routes to Services Per Virtual System
Customize service routes for a virtual system. Select Device > Setup > Services > Virtual Systems, and select the virtual system you want to configure. Click the Service Route Configuration link. Select one of the radio buttons: Inherit Global Service Route Configuration —Causes the virtual system to inherit the global service route settings relevant to a virtual system. If you choose this option, skip down to step 7. Customize —Allows you to specify a source address for each service. If you chose Customize, select the IPv4 or IPv6 tab, depending on what type of addressing the server offering the service uses. You can specify both IPv4 and IPv6 addresses for a service. (Only services that are relevant to a virtual system are available.) To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Service Routes, and continue. To limit the drop-down list for Source Address, select a Source Interface, then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces for the virtual system available in the Source Address drop-down from which you select an address. You can select Inherit Global Setting. Source Address will indicate Inherited if you selected Inherit Global Setting for the Source Interface or it will indicate the source address you selected. If you selected Any for Source Interface, select an IP address from the drop-down, or enter an IP address (using the IPv4 or IPv6 format that matches the tab you chose) to specify the source address that will be used in packets sent to the external service. If you modify an address object and the IP family type (IPv4/IPv6) changes, a Commit is required to update the service route family to use. Click OK. Repeat steps 4 and 5 to configure source addresses for other external services. Click OK.
Commit the configuration. Click Commit. If you are configuring per-virtual system service routes for logging services for a PA-7000 Series firewall, continue to the task Configure a PA-7000 Series Firewall for Logging Per Virtual System.
Configure a PA-7000 Series Firewall for Logging Per Virtual System
If you have enabled multi virtual system capability on your PA-7000 Series firewall, you can configure logging for different virtual systems as described in the following workflow. For more information, see PA-7000 Series Firewall LPC Support for Per-Virtual System Paths to Logging Servers.
Configure a PA-7000 Series Firewall Subinterface for Service Routes per Virtual System
Create a Log Card subinterface. Select Network > Interfaces > Ethernet and select the interface that will be the Log Card interface. Enter the Interface Name. For Interface Type, select Log Card from the drop-down. Click OK.
Add a subinterface for each tenant on the LPCs physical interface. Highlight the Ethernet interface that is a Log Card interface type and click Add Subinterface. For Interface Name, after the period, enter the subinterface assigned to the tenant’s virtual system. For Tag, enter a VLAN tag value. Make the tag the same as the subinterface number for ease of use, but it could be a different number. (Optional) Enter a Comment. On the Config tab, in the Assign Interface to Virtual System field, select the virtual system to which the LPC subinterface is assigned (from the drop-down). Alternatively, you can click Virtual Systems to add a new virtual system. Click OK.
Enter the addresses assigned to the subinterface, and configure the default gateway. Select the Log Card Forwarding tab, and do one or both of the following: For the IPv4 section, enter the IP Address and Netmask assigned to the subinterface. Enter the Default Gateway (the next hop where packets will be sent that have no known next hop address in the Routing Information Base [RIB]). For the IPv6 section, enter the IPv6 Address assigned to the subinterface. Enter the IPv6 Default Gateway. Click OK.
Save the configuration. Click OK and Commit.
If you haven’t already done so, configure the remaining service routes for the virtual system. Customize Service Routes for a Virtual System.
Configure Administrative Access Per Virtual System or Firewall
If you have a superuser administrative account, you can create and configure granular permissions for a vsysadmin or device admin role.
Create an Admin Role Profile Per Virtual System or Firewall
Create an Admin Role Profile that grants or disables permission to an Administrator to configure or read-only various areas of the web interface. Select Device > Admin Roles and Add an Admin Role Profile. Enter a Name and optional Description of the profile. For Role, specify which level of control the profile affects: Device —The profile allows the management of the global settings and any virtual systems. Virtual System —The profile allows the management of only the virtual system(s) assigned to the administrator(s) who have this profile. (The administrator will be able to access Device > Setup > Services > Virtual Systems, but not the Global tab.) On the Web UI tab for the Admin Role Profile, scroll down to Device, and leave the green check mark (Enable). Under Device, enable Setup. Under Setup, enable the areas to which this profile will grant configuration permission to the administrator, as shown below. (The Read Only lock icon appears in the Enable/Disable rotation if Read Only is allowed for that setting.) Management —Allows an admin with this profile to configure settings on the Management tab. Operations —Allows an admin with this profile to configure settings on the Operations tab. Services —Allows an admin with this profile to configure settings on the Services tab. An admin must have Services enabled in order to access the Device > Setup Services > Virtual Systems tab. If the Role was specified as Virtual System in the prior step, Services is the only setting that can be enabled under Device > Setup. Content-ID —Allows an admin with this profile to configure settings on the Content-ID tab. WildFire —Allows an admin with this profile to configure settings on the WildFire tab. Session —Allows an admin with this profile to configure settings on the Session tab. HSM —Allows an admin with this profile to configure settings on the HSM tab. Click OK. (Optional) Repeat the entire step to create another Admin Role profile with different permissions, as necessary.
Apply the Admin role profile to an administrator. Select Device > Administrators, click Add and enter the Name to add an Administrator. (Optional) Select an Authentication Profile. (Optional) Select Use only client certificate authentication (Web) to have bi-directional authentication; to get the server to authenticate the client. Enter a Password and Confirm Password. (Optional) Select Use Public Key Authentication (SSH) if you want to use a much stronger, key-based authentication method using an SSH public key rather than just a password. For Administrator Type, select Role Based. For Profile, select the profile that you just created. (Optional) Select a Password Profile. Click OK.
Save the configuration. Click Commit and OK.

Related Documentation