This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

[BUG] EDL using wrong Service Route

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

[BUG] EDL using wrong Service Route

Go to solution
husetech
L2 Linker

‎09-26-2019 11:25 PM - edited ‎09-27-2019 05:35 AM

Hello everybody!

PAN OS build 9.0.3-h3.

 

According to the PAN documentation the "External Dynamic Lists" (Object-> External Dynamic Lists) )are supposed to use "External Dynamic Lists Service Route" (Device-> Setup -> Services -> 'Service Route Configuration').

PA_ServiceRoute_EDL.PNG

 

This doen't seem to be the case since any changes in that area have no effect for EDL.

It seems that 'URLS Updates' Service Route is responsible for any entry withing an EDL.

PA_ServiceRoute_URL_Updates.PNG

 

Changing that specific Route does fix our problem but breaks the native PAN melicoious/high risk/ bulletproof IP fetching system. Which is not the way to go.

PA_ExternalListsO365.PNG

 

Our EDL needs to access an internal only host. Keeping the default settings, it tries to use an external route to access the specific host. We need to change the Route to use the internal interface but without breaking the native PAN Dynamic IP Lists.

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to husetech

‎09-27-2019 07:29 AM

Hi @husetech,

 

As workaround you can try to set service route based on destination:

- Revert EDL and URL filtering service route to default

- In Setup > Services > Service route > Destination put the ip address of the server that you are using in your EDL and select the desired interface

 

It is important that the service route for the service (EDL, URL filtering etc) to be set on default in order for the destination service route to work.

 

 

 

View solution in original post

5 REPLIES 5

Go to solution
kiwi
Community Team Member

‎09-27-2019 04:05 AM

Hi @husetech ,

 

Was this bug confirmed by TAC ?

Can you confirm the PAN-OS version you're currently running ?

 

Cheers !

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.
0 Likes Likes

Go to solution
husetech
L2 Linker
In response to kiwi

‎09-27-2019 05:34 AM - edited ‎09-27-2019 05:36 AM

Hi @kiwi,,

 

no TAC has not approved this issue as BUG. I have not yet contacted TAC, What is TAC?

And I am very sorry to not have mentioned the version we are using.

We are using the latest PAN OS build 9.0.3-h3.

0 Likes Likes

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to husetech

‎09-27-2019 07:29 AM

Hi @husetech,

 

As workaround you can try to set service route based on destination:

- Revert EDL and URL filtering service route to default

- In Setup > Services > Service route > Destination put the ip address of the server that you are using in your EDL and select the desired interface

 

It is important that the service route for the service (EDL, URL filtering etc) to be set on default in order for the destination service route to work.

 

 

 

Go to solution
husetech
L2 Linker
In response to aleksandar.astardzhiev

‎09-30-2019 12:02 AM

Worked perfectly, thank you!

So I guess it's not a bug after all but intendet to work like this..

Appriciate the help.

 

Best regards

husetech

0 Likes Likes

Go to solution
aleksandar.astardzhiev
Cyber Elite
Cyber Elite
In response to husetech

‎10-04-2019 07:46 AM

Hi @husetech,

Well it still sounds like a bug for me. It doesn't make sense to have separate service route for EDL if it using the URL filtering route.

 

Me personally prefer to define any service route using the destination tab. It is bit more flexible - for example when you define two different LDAP servers reachable via different interfaces

 

 

0 Likes Likes
  • 1 accepted solution
  • 5742 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks