Setting a Service Route for Services to Use a Dataplane's Interface from the Web UI and CLI

218699
Created On 09/25/18 17:30 PM - Last Modified 04/19/23 21:08 PM


Symptom


A service route is the path from an interface on the firewall to a service on a server. By default, the firewall uses the management interface to reach the various servers it depends on, including DNS, email, Palo Alto Networks updates, User-ID agent, syslog, Panorama, dynamic updates, URL updates, licensing, AutoFocus, and others.
Sometimes it is necessary to use an alternative path, rather than the firewall management IP, because of restrictions on the management network.

Typical reasons are that the management interface does not have direct access to the public internet (mgmt can only be reached from the trust network), that the management path is slow, or that only selected services need to use an alternative path.



Environment


  • PAN-OS
  • Service route


Cause


Sometimes it is necessary to use an alternative path, rather than the firewall management IP, because of restrictions on the management network. Typical reasons are that the management interface lacks direct access to the public internet (mgmt can only be reached from the trust network), that the management path is too slow, or that only selected services need to use an alternative path.

This is particularly useful for DNS queries: it avoids the known issue in which suspicious DNS queries appear to be sourced from the management IP of the firewall or Panorama.



Resolution


GUI:

Use Device > Setup > Services > Service Route Configuration > Customize and configure the appropriate service routes.

[Image: service route configuration.png]

To configure service routes for non-predefined services, the destination addresses can be manually entered in the Destination section:

[Image: destination service route.png]

In the example above, the service routes for destinations 192.168.27.33 and 192.168.27.34 are configured to use a dataplane interface (source address 192.168.27.254) and the management interface, respectively.

CLI:

In configuration mode, enter set deviceconfig system route service followed by ? to list the services for which a service route can be set:

> configure
# set deviceconfig system route service
  autofocus                    AutoFocus Cloud
  crl-status                   CRL servers
  deployments                  Panorama pushed updates
  dns                          DNS server(s)
  edl-updates                  External Dynamic List update server
  email                        SMTP gateway(s)
  hsm                          Hardware Security Module server(s)
  http                         HTTP Forwarding server(s)
  kerberos                     Kerberos server
  ldap                         LDAP server
  mdm                          MDM servers
  mfa                          Multi-Factor Authentication
  netflow                      Netflow server(s)
  ntp                          NTP server(s)
  paloalto-networks-services   Palo Alto Networks Services
  panorama                     Panorama server
  proxy                        Proxy server
  radius                       RADIUS server
  scep                         SCEP
  snmp                         SNMP server(s)
  syslog                       Syslog server(s)
  tacplus                      TACACS+ server
  uid-agent                    UID agent(s)
  url-updates                  URL update server
  vmmonitor                    VM monitor
  wildfire-private             WildFire Appliance
  <value>                      Service name

Select the service and then the source address, as in the example below. The source addresses offered are the addresses configured on the dataplane interfaces (the management interface address is listed as well, tagged mgmt).

# set deviceconfig system route service paloalto-networks-services source address 
  10.0.0.1/24         ip 10.0.0.1/24
  172.16.0.1/24       ip 172.16.0.1/24
  192.168.0.230/24    ip 192.168.0.230/24
  192.168.27.254/24   ip 192.168.27.254/24
  192.168.27.5        mgmt 192.168.27.5
  198.51.100.1/24     ip 198.51.100.1/24
  <value>             Source IP address to use to reach destination

Example command to set a service route for receiving Palo Alto Networks updates using one of the available dataplane interfaces:

# set deviceconfig system route service paloalto-networks-services source address 198.51.100.1/24

Non-predefined service routes (routes to a specific destination address) can also be configured through the CLI. For example:

# set deviceconfig system route destination 192.168.27.33 source address 192.168.27.254/24

Note: Once a service is sourced from a dataplane interface, its traffic is subject to security policy. Explicit security rules are required to allow the traffic and to log it.
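After a set of service routes has been configured with the commands above, it is worth checking which services actually leave via a dataplane interface and which still fall back to the management interface. The following Python script is an added example and is not part of this article or of any Palo Alto Networks tool. It parses the set-format configuration a firewall prints after set cli config-output-format set and show, resolves each service route's source address to the interface that carries it, and flags routes whose source address exists on no interface or that still use mgmt although the operator intended a dataplane path. The configuration lines embedded below are constructed for the example; the interface names and addresses are illustrative, and only routes configured with source address (not source interface) are examined.

```python
import re
from dataclasses import dataclass

# Constructed sample of set-format output (addresses and interfaces are
# illustrative, not taken from a real device). The syslog route deliberately
# points at an address that no interface carries.
SAMPLE_CONFIG = """\
set deviceconfig system ip-address 192.168.27.5
set deviceconfig system netmask 255.255.255.0
set network interface ethernet ethernet1/1 layer3 ip 198.51.100.1/24
set network interface ethernet ethernet1/2 layer3 ip 192.168.27.254/24
set network interface loopback units loopback.1 ip 10.0.0.1/24
set deviceconfig system route service paloalto-networks-services source address 198.51.100.1/24
set deviceconfig system route service dns source address 192.168.27.5
set deviceconfig system route service syslog source address 172.16.0.1/24
set deviceconfig system route destination 192.168.27.33 source address 192.168.27.254/24
"""

# Management IP of the firewall (the default source for every service).
MGMT_IP_RE = re.compile(r"^set deviceconfig system ip-address (?P<ip>\S+)$")
# Any dataplane interface line that assigns an IP; the interface name is the
# last token before the optional 'layer3' keyword (assumed set-format shape).
IFACE_IP_RE = re.compile(r"^set network interface (?P<iface>.+?) (?:layer3 )?ip (?P<ip>\S+)$")
# Predefined service routes and destination (non-predefined) routes.
SERVICE_RE = re.compile(r"^set deviceconfig system route service (?P<service>\S+) source address (?P<ip>\S+)$")
DEST_RE = re.compile(r"^set deviceconfig system route destination (?P<dest>\S+) source address (?P<ip>\S+)$")


@dataclass(frozen=True)
class Finding:
    route: str   # service name, or "destination <ip>" for non-predefined routes
    source: str  # configured source address, or "(default)" when none is set
    status: str  # "dataplane", "management", or "unknown-source"
    via: str     # interface carrying the source address ("mgmt" for management)


def parse_config(text):
    """Extract the management IP, dataplane IP->interface map, and route list."""
    mgmt_ip = None
    dataplane = {}
    routes = []
    for line in text.splitlines():
        line = line.strip()
        if m := MGMT_IP_RE.match(line):
            mgmt_ip = m["ip"]
        elif m := IFACE_IP_RE.match(line):
            dataplane[m["ip"]] = m["iface"].split()[-1]
        elif m := SERVICE_RE.match(line):
            routes.append((m["service"], m["ip"]))
        elif m := DEST_RE.match(line):
            routes.append(("destination " + m["dest"], m["ip"]))
    return mgmt_ip, dataplane, routes


def audit_service_routes(text, require_dataplane=()):
    """Classify every configured route; services in require_dataplane that have
    no route at all are reported as still defaulting to the management interface."""
    mgmt_ip, dataplane, routes = parse_config(text)
    findings = []
    seen = set()
    for label, ip in routes:
        seen.add(label)
        if ip in dataplane:
            findings.append(Finding(label, ip, "dataplane", dataplane[ip]))
        elif ip.split("/")[0] == mgmt_ip:
            findings.append(Finding(label, ip, "management", "mgmt"))
        else:
            findings.append(Finding(label, ip, "unknown-source", ""))
    for svc in require_dataplane:
        if svc not in seen:
            findings.append(Finding(svc, "(default)", "management", "mgmt"))
    return findings


def routes_needing_attention(text, require_dataplane=()):
    """Routes to fix: dangling source addresses, and required services still on mgmt."""
    return [f for f in audit_service_routes(text, require_dataplane)
            if f.status == "unknown-source"
            or (f.status == "management" and f.route in require_dataplane)]


if __name__ == "__main__":
    wanted = ("dns", "paloalto-networks-services", "email")
    for f in audit_service_routes(SAMPLE_CONFIG, wanted):
        print(f"{f.route:<40} {f.source:<20} {f.status:<15} {f.via}")
    print("needs attention:", [f.route for f in routes_needing_attention(SAMPLE_CONFIG, wanted)])
```

The require_dataplane tuple expresses operator intent: for the sample it lists DNS and Palo Alto Networks updates (the two cases the article motivates) plus email. The audit then reports dns as still sourced from the management address, email as having no route at all, and syslog as pointing at an address no interface carries, which is the kind of drift that is easy to miss when routes are maintained by hand.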

Additional Information


Depending on the PAN-OS version running on the firewall, the output of set deviceconfig system route service may list a different set of services.
