Palo Alto Networks Knowledgebase: Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Created On 08/02/19 02:47 AM - Last Updated 08/02/19 03:09 AM
Service Route Network Integration PAN-OS
Environment
  • PAN-OS
  • Service route


Cause
By default, the firewall uses the management interface to communicate with various servers, including DNS, email, Palo Alto Networks updates, User-ID agent, syslog, and Panorama. This article explains how to configure a service route so that the firewall uses a non-management dataplane port to reach these services.

Resolution

GUI:

Use Device > Setup > Services > Service Route Configuration > Customize and configure the appropriate service routes.

[Screenshot: service route configuration]

 

To configure service routes for non-predefined services, the destination addresses can be manually entered in the Destination section:

[Screenshot: destination service route]

In the example above, the service routes for 192.168.27.33 and 192.168.27.34 are configured to source from 192.168.27.254 on a dataplane interface and the management interface, respectively.

 

CLI:

In configuration mode, run the command set deviceconfig system route service to show the services available for the command.

> configure
# set deviceconfig system route service
  autofocus                    AutoFocus Cloud
  crl-status                   CRL servers
  deployments                  Panorama pushed updates
  dns                          DNS server(s)
  edl-updates                  External Dynamic List update server
  email                        SMTP gateway(s)
  hsm                          Hardware Security Module server(s)
  http                         HTTP Forwarding server(s)
  kerberos                     Kerberos server
  ldap                         LDAP server
  mdm                          MDM servers
  mfa                          Multi-Factor Authentication
  netflow                      Netflow server(s)
  ntp                          NTP server(s)
  paloalto-networks-services   Palo Alto Networks Services
  panorama                     Panorama server
  proxy                        Proxy server
  radius                       RADIUS server
  scep                         SCEP
  snmp                         SNMP server(s)
  syslog                       Syslog server(s)
  tacplus                      TACACS+ server
  uid-agent                    UID agent(s)
  url-updates                  URL update server
  vmmonitor                    VM monitor
  wildfire-private             WildFire Appliance
  <value>                      Service name
 

 

Select the service and the source address, as in the example below. The source addresses listed are the addresses configured on the dataplane interfaces.

 

# set deviceconfig system route service paloalto-networks-services source address 
  10.0.0.1/24         ip 10.0.0.1/24
  172.16.0.1/24       ip 172.16.0.1/24
  192.168.0.230/24    ip 192.168.0.230/24
  192.168.27.254/24   ip 192.168.27.254/24
  192.168.27.5        mgmt 192.168.27.5
  198.51.100.1/24     ip 198.51.100.1/24
  <value>             Source IP address to use to reach destination
 

Example command to set a service route for receiving Palo Alto Networks updates using one of the available dataplane interfaces:

# set deviceconfig system route service paloalto-networks-services source address 198.51.100.1/24
 

Service routes for non-predefined services can also be configured through the CLI. For example:

# set deviceconfig system route destination 192.168.27.33 source address 192.168.27.254/24
 

Note: Explicit security policy rules are required to allow and log this traffic.
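
The following Python script is an added example, not part of the original article or of any Palo Alto Networks tooling. It reads set-format configuration lines like the commands above and reports, for each service route, whether it leaves through the management interface or a dataplane interface, so that dataplane-sourced routes can be checked against the security rules. The sample configuration (including the syslog route from 203.0.113.9/24) and the function name audit_service_routes are constructed for illustration; the address table is copied from the CLI listing above.

```python
import ipaddress
import re

# Constructed sample in set format, built from the commands shown in this article.
SAMPLE_CONFIG = """\
set deviceconfig system hostname fw-lab
set deviceconfig system route service paloalto-networks-services source address 198.51.100.1/24
set deviceconfig system route service dns source address 192.168.27.5
set deviceconfig system route service syslog source address 203.0.113.9/24
set deviceconfig system route destination 192.168.27.33 source address 192.168.27.254/24
set deviceconfig system route destination 192.168.27.34 source address 192.168.27.5
"""

# Source addresses and their type, copied from the CLI listing in this article.
KNOWN_SOURCES = {
    "10.0.0.1/24": "ip", "172.16.0.1/24": "ip", "192.168.0.230/24": "ip",
    "192.168.27.254/24": "ip", "192.168.27.5": "mgmt", "198.51.100.1/24": "ip",
}

ROUTE_RE = re.compile(
    r"^set deviceconfig system route (service|destination) (\S+) source address (\S+)$"
)

def audit_service_routes(config_text, known_sources):
    """Return one record per service route: egress path, source IP, review note."""
    records = []
    for line in config_text.splitlines():
        match = ROUTE_RE.match(line.strip())
        if not match:
            continue  # not a service-route line
        kind, target, source = match.groups()
        source_type = known_sources.get(source)
        if source_type == "mgmt":
            path, note = "management", "uses the management interface"
        elif source_type == "ip":
            path, note = "dataplane", "needs an explicit security rule to allow and log"
        else:
            path, note = "unknown", "source address is not in the interface listing"
        try:  # host part of the source, i.e. what a security rule would match on
            source_ip = str(ipaddress.ip_interface(source).ip)
        except ValueError:
            source_ip = "invalid"
        records.append({"kind": kind, "target": target, "path": path,
                        "source_ip": source_ip, "note": note})
    return records

if __name__ == "__main__":
    for r in audit_service_routes(SAMPLE_CONFIG, KNOWN_SOURCES):
        print(f"{r['kind']:<11} {r['target']:<27} {r['source_ip']:<15} {r['path']:<10} {r['note']}")
```
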

 



Additional Information
Depending on the PAN-OS version running on the firewall, the output of the command set deviceconfig system route service may list different services.
