How to set a service route on an interface with dynamic IP

Created On 10/17/19 02:56 AM - Last Modified 04/13/26 19:21 PM


Objective


  • If a configured service is not reachable via the management interface and can only be reached via a dataplane interface, a service route must be set up.
  • When configuring that service route, only the interfaces configured with a static IP are displayed in the list. The interfaces configured with a dynamic IP are not displayed (example below).
  • The objective of this article is to show how to set the service route using an interface with a dynamic IP configuration.
GUI: Device > Setup > Services > Service Route Configuration
Only interfaces with static IP address are displayed


Environment


  • Palo Alto Firewall
  • Supported PAN-OS.
  • Dataplane interface with dynamic IP configuration.
  • Service route using dataplane interface


Procedure


In the Service Route Configuration, instead of assigning the service route by interface, it is possible to assign it by destination.

To do so:

  1. Go to GUI: Device > Setup > Services
  2. Click on "Service Route Configuration"
  3. Click on the "Customize" radio button
    Customize the service routes
  4. Click on the tab "Destination"
    Service routes by destination
  5. Click on "Add" and enter the Destination information (IP address) and the Source Interface to use.
Note:
  • Selecting "Any" as the Source Interface makes all IP addresses on all interfaces available in the Source Address drop-down, from which you select an address.
  • Selecting "MGT" causes the firewall to use the MGT interface for the service route.
Service route to reach 8.8.8.8
  • As displayed, the service route to reach 8.8.8.8 is sourced from the IP 10.129.128.76, which is the IP address assigned to the interface ethernet1/1.
Information on the DHCP lease

 

  6. Commit the configuration.
  • The service route can be added from the CLI, but only for the dataplane interface and the mgmt interface; otherwise, use the GUI.
    admin@pa-vm# set deviceconfig system route service http source interface ethernet1/2 address 10.10.20.21/24
  • The routing table 0 can be checked to see routes through the management interface:
    lab_PA> debug dataplane internal vif route 0 | match  "local\|eth0" ===> (to view the default route in MGMT)
    local default dev lo table upstream_to_swg scope host 
    default via 10.194.48.1 dev eth0 =====> Gateway IP address
    10.194.48.0/20 dev eth0 proto kernel scope link src 10.194.61.69  ===> Eth0 is MGMT interface
    broadcast 10.194.48.0 dev eth0 table local proto kernel scope link src 10.194.61.69 
    local 10.194.61.69 dev eth0 table local proto kernel scope host src 10.194.61.69 
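
The routing-table output above can also be read programmatically. The following Python sketch is an added example, not part of the original article or a Palo Alto tool: it parses the sample lines shown above and reports the gateway and source address the management interface would use for a destination when no service route overrides it. The function names and the destination 10.194.50.10 are assumptions made for illustration.

```python
import ipaddress

# Lines copied from the article's sample output, including its "===>" annotations.
SAMPLE = """\
local default dev lo table upstream_to_swg scope host
default via 10.194.48.1 dev eth0 =====> Gateway IP address
10.194.48.0/20 dev eth0 proto kernel scope link src 10.194.61.69  ===> Eth0 is MGMT interface
broadcast 10.194.48.0 dev eth0 table local proto kernel scope link src 10.194.61.69
local 10.194.61.69 dev eth0 table local proto kernel scope host src 10.194.61.69
"""

def parse_routes(text):
    """Parse iproute2-style route lines into dicts; unparsable lines are skipped."""
    routes = []
    for line in text.splitlines():
        tok = line.split("==", 1)[0].split()   # drop trailing "===>" annotations
        rtype = tok.pop(0) if tok and tok[0] in ("local", "broadcast") else "unicast"
        if not tok:
            continue
        dest = tok.pop(0)
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if dest == "default" else dest)
        except ValueError:
            continue                            # CLI prompt or echoed command
        attrs = dict(zip(tok[0::2], tok[1::2]))  # remaining tokens are key/value pairs
        routes.append({"type": rtype, "net": net, "dev": attrs.get("dev"),
                       "via": attrs.get("via"), "src": attrs.get("src"),
                       "table": attrs.get("table", "main")})
    return routes

def mgmt_path(routes, destination, dev="eth0"):
    """Longest-prefix match over main-table unicast routes on the MGMT device."""
    dst = ipaddress.ip_address(destination)
    main = [r for r in routes
            if r["type"] == "unicast" and r["table"] == "main" and r["dev"] == dev]
    hits = [r for r in main if dst in r["net"]]
    if not hits:
        return None
    best = max(hits, key=lambda r: r["net"].prefixlen)
    # Assumption: the interface has one address, taken from the connected route's "src".
    src = next((r["src"] for r in main if r["src"]), None)
    return {"via": best["via"], "src": src, "connected": best["via"] is None}

if __name__ == "__main__":
    routes = parse_routes(SAMPLE)
    for target in ("8.8.8.8", "10.194.50.10"):   # second address is constructed
        print(target, mgmt_path(routes, target))
```

A destination that resolves to the default gateway here but is not actually reachable from the management network is a candidate for a destination-based service route as configured in the procedure above.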


Additional Information


Admin Guide
Configure Service Routes

