How To Verify If Service Routes Are Correctly Installed in Mana... - Knowledge Base - Palo Alto Networks

How To Verify If Service Routes Are Correctly Installed in Management Plane?

Created On 09/25/18 19:47 PM - Last Modified 01/29/24 11:26 AM


Environment


  • PAN-OS


Resolution


Details

Under Device Tab > Services > Service Route Configuration, note that by default the management interface is used for services such as DNS and NTP, and for connections to Panorama, the User-ID agent, and/or the update server.

[Screenshot: Screen Shot 2014-08-14 at 14.17.32.png]


Routing table 0 can be checked to see the routes through the management interface:

lab_PA> debug dataplane internal vif route 0 | match  "local\|eth0" ===> (to view the default route in MGMT)
local default dev lo table upstream_to_swg scope host 
default via 10.194.48.1 dev eth0 =====> Gateway IP address
10.194.48.0/20 dev eth0 proto kernel scope link src 10.194.61.69  ===> Eth0 is MGMT interface
broadcast 10.194.48.0 dev eth0 table local proto kernel scope link src 10.194.61.69 
local 10.194.61.69 dev eth0 table local proto kernel scope host src 10.194.61.69 


Service routes can also be configured to use a data plane interface as the source instead of the management interface.

For detailed steps, refer to the following article: Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

[Screenshots: Screen Shot 2014-08-14 at 14.17.18.png, Screen Shot 2014-08-14 at 14.21.23.png]

 

Once these changes are committed, it is useful to verify that the service routes have been correctly installed and are active in the management plane. The management plane uses a routing policy database composed of a set of routing tables, each matching specific criteria.

 

Routing table 250 can be checked to see the routes through the data plane interface:

When no service routes are configured, the table is empty.

admin@PAN-5050-243(active)> debug dataplane internal vif route 250

After committing the configuration (screenshots above), the routing table is populated:

admin@PAN-5050-243(active)> debug dataplane internal vif route 250

193.190.138.68 via 172.16.31.244 dev eth3.1  src 172.16.31.244
199.167.52.13 via 172.16.31.244 dev eth3.1  src 172.16.31.244
195.200.224.66 via 172.16.31.244 dev eth3.1  src 172.16.31.244
85.234.197.3 via 172.16.31.244 dev eth3.1  src 172.16.31.244
192.168.200.99 via 172.16.31.244 dev eth3.1  src 172.16.31.244 <<<<<<<<
10.192.16.98 via 172.16.31.244 dev eth3.1  src 172.16.31.244
85.234.197.4 via 172.16.31.244 dev eth3.1  src 172.16.31.244
8.8.8.8 via 172.16.31.244 dev eth3.1  src 172.16.31.244

 

This means that these routes are active in the management plane.
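The check above can be scripted against saved CLI output. The following is an added example, not Palo Alto Networks code: it parses captured `debug dataplane internal vif route 250` text and reports, for each service destination you expect, whether a route exists and uses the intended source address. The function names and the expected-destination mapping are assumptions made for illustration.

```python
import ipaddress
import re

# Table 250 output as shown in this article, pasted as captured text
# (the prompt line and the "<<<<" marker are kept to show they are ignored).
SAMPLE_TABLE_250 = """\
admin@PAN-5050-243(active)> debug dataplane internal vif route 250

193.190.138.68 via 172.16.31.244 dev eth3.1  src 172.16.31.244
199.167.52.13 via 172.16.31.244 dev eth3.1  src 172.16.31.244
192.168.200.99 via 172.16.31.244 dev eth3.1  src 172.16.31.244 <<<<<<<<
8.8.8.8 via 172.16.31.244 dev eth3.1  src 172.16.31.244
"""

ROUTE_RE = re.compile(
    r"^(?P<dst>\S+)\s+via\s+(?P<via>\S+)\s+dev\s+(?P<dev>\S+)\s+src\s+(?P<src>\S+)")

def parse_table(text):
    """Return {destination network: (device, source address)} for route lines."""
    routes = {}
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue  # prompt, blank line, or a route form not shown in the article
        try:
            dst = ipaddress.ip_network(m["dst"], strict=False)
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # destination or source is not an IP address/prefix
        routes[dst] = (m["dev"], src)
    return routes

def check_service_routes(text, expected):
    """expected maps a service destination IP to the source IP it should use."""
    routes = parse_table(text)
    report = {}
    for dest, want_src in expected.items():
        addr = ipaddress.ip_address(dest)
        hits = [(net, val) for net, val in routes.items() if addr in net]
        if not hits:
            report[dest] = "missing"  # no entry for this destination in table 250
            continue
        # Longest-prefix match decides which entry applies to the destination.
        _, (dev, src) = max(hits, key=lambda h: h[0].prefixlen)
        ok = src == ipaddress.ip_address(want_src)
        report[dest] = "ok" if ok else f"wrong-source:{src} dev {dev}"
    return report
```

Call `check_service_routes(captured_text, {"8.8.8.8": "172.16.31.244"})` after each commit; a `missing` or `wrong-source` result means the destination has no matching entry in table 250 or is sourced from an address other than the one configured.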

 

 

