[BUG] EDL using wrong Service Route


L2 Linker

Hello everybody!

PAN OS build 9.0.3-h3.

 

According to the PAN documentation, the "External Dynamic Lists" (Object -> External Dynamic Lists) are supposed to use the "External Dynamic Lists" Service Route (Device -> Setup -> Services -> 'Service Route Configuration').

PA_ServiceRoute_EDL.PNG

 

This doesn't seem to be the case, since any changes in that area have no effect for EDL.

It seems that the 'URL Updates' Service Route is responsible for any entry within an EDL.

PA_ServiceRoute_URL_Updates.PNG

 

Changing that specific Route does fix our problem but breaks the native PAN malicious/high risk/bulletproof IP fetching system, which is not the way to go.

PA_ExternalListsO365.PNG

 

Our EDL needs to access an internal only host. Keeping the default settings, it tries to use an external route to access the specific host. We need to change the Route to use the internal interface but without breaking the native PAN Dynamic IP Lists.


5 REPLIES 5

Community Team Member

Hi @husetech ,

 

Was this bug confirmed by TAC?

Can you confirm the PAN-OS version you're currently running?

 

Cheers !

-Kiwi.

 

Hi @kiwi,

 

No, TAC has not approved this issue as a bug. I have not yet contacted TAC. What is TAC?

And I am very sorry to not have mentioned the version we are using.

We are using the latest PAN OS build 9.0.3-h3.

Hi @husetech,

 

As a workaround you can try to set the service route based on destination:

- Revert the EDL and URL filtering service routes to default

- In Setup > Services > Service route > Destination, put the IP address of the server that you are using in your EDL and select the desired interface

It is important for the service route for the service (EDL, URL filtering, etc.) to be set to default in order for the destination service route to work.

 

 

 

Worked perfectly, thank you!

So I guess it's not a bug after all but intended to work like this..

Appreciate the help.

 

Best regards

husetech

Hi @husetech,

Well, it still sounds like a bug to me. It doesn't make sense to have a separate service route for EDL if it is using the URL filtering route.

I personally prefer to define any service route using the destination tab. It is a bit more flexible, for example when you define two different LDAP servers reachable via different interfaces.

 

 
