Setting a Service Route for Services to Use a Dataplane's Interface from the Web UI and CLI
Symptom
The path from the interface to the service on a server is known as a service route. By default, the firewall uses the management interface to communicate with various servers, including DNS, Email, Palo Alto Updates, User-ID agent, Syslog, Panorama, dynamic updates, URL updates, licenses, AutoFocus, etc.
Sometimes, it is necessary to use an alternative path other than the firewall management IP because of various restrictions.
Some of these are: the management interface does not have clear access to the public internet (mgmt can only be accessed from the trust network), the connection is slow, or only selected services need to be sent over an alternative path.
Environment
- PAN-OS
- Service route
Cause
Sometimes, it is necessary to use an alternative path other than the firewall management IP because of various restrictions. Some of these are: the management interface needs clear access to the public internet (mgmt can only be accessed from the trust network), the connection needs to be faster, or only selected services need to be sent over an alternative path.
This is also useful for DNS queries, to avoid the known issue where suspicious DNS queries are sourced from the management IP of the firewall or Panorama.
Resolution
Additional Information
Depending on the PAN-OS version on the firewall, the output of the command `set deviceconfig system route service` may list different services.
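As an added example (not part of the original article), the following CLI session moves only the firewall's own DNS queries from the management interface to a dataplane interface; the prompt, `ethernet1/3` and `203.0.113.10/24` are assumed values, and the address must already be configured on that interface.

```text
admin@PA-FW> configure
admin@PA-FW# set deviceconfig system route service dns source interface ethernet1/3
admin@PA-FW# set deviceconfig system route service dns source address 203.0.113.10/24
admin@PA-FW# show deviceconfig system route service
admin@PA-FW# commit
```

Every other service listed under `set deviceconfig system route service` keeps using the management interface unless it is given its own entry, so the upstream network and any filtering in front of the DNS servers must allow 203.0.113.10 to reach them.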