topic Re: [BUG?] EDL using wrong Service Route in General Topics

[BUG] EDL using wrong Service Route

husetech — Fri, 27 Sep 2019 12:35:10 GMT

Hello everybody!

PAN OS build 9.0.3-h3.

According to the PAN documentation the "External Dynamic Lists" (Object-> External Dynamic Lists) )are supposed to use "External Dynamic Lists Service Route" (Device-> Setup -> Services -> 'Service Route Configuration').

This doen't seem to be the case since any changes in that area have no effect for EDL.

It seems that 'URLS Updates' Service Route is responsible for any entry withing an EDL.

Changing that specific Route does fix our problem but breaks the native PAN melicoious/high risk/ bulletproof IP fetching system. Which is not the way to go.

Our EDL needs to access an internal only host. Keeping the default settings, it tries to use an external route to access the specific host. We need to change the Route to use the internal interface but without breaking the native PAN Dynamic IP Lists.

Re: [BUG] EDL using wrong Service Route

kiwi — Fri, 27 Sep 2019 11:05:39 GMT

Hi @husetech ,

Was this bug confirmed by TAC ?

Can you confirm the PAN-OS version you're currently running ?

Cheers !

-Kiwi.

Re: [BUG?] EDL using wrong Service Route

husetech — Fri, 27 Sep 2019 12:36:17 GMT

Hi @kiwi,,

no TAC has not approved this issue as BUG. I have not yet contacted TAC, What is TAC?

And I am very sorry to not have mentioned the version we are using.

We are using the latest PAN OS build 9.0.3-h3.

Re: [BUG?] EDL using wrong Service Route

aleksandar.astardzhiev — Fri, 27 Sep 2019 14:29:06 GMT

Hi @husetech,

As workaround you can try to set service route based on destination:

- Revert EDL and URL filtering service route to default

- In Setup > Services > Service route > Destination put the ip address of the server that you are using in your EDL and select the desired interface

It is important that the service route for the service (EDL, URL filtering etc) to be set on default in order for the destination service route to work.

Re: [BUG?] EDL using wrong Service Route

husetech — Mon, 30 Sep 2019 07:02:43 GMT

Worked perfectly, thank you!

So I guess it's not a bug after all but intendet to work like this..

Appriciate the help.

Best regards

husetech

Re: [BUG?] EDL using wrong Service Route

aleksandar.astardzhiev — Fri, 04 Oct 2019 14:46:02 GMT

Hi @husetech,

Well it still sounds like a bug for me. It doesn't make sense to have separate service route for EDL if it using the URL filtering route.

Me personally prefer to define any service route using the destination tab. It is bit more flexible - for example when you define two different LDAP servers reachable via different interfaces