Setting a Service Route for Services to Use a D...

| Palo Alto Networks Live 3/22/15, 1:32 PM

All Places > Knowledge Base > Documents

Setting a Service Route for Services to

Use a Dataplane Interface from the Web UI
and CLI Version 9

created by pchanda on Oct 23, 2013 6:37 PM, last modified by pchanda on Feb 7, 2014 9:20 AM

Overview
By default, the firewall uses management interface to communicate to various servers including DNS, Email, Palo
Alto Updates, User-ID agent, Syslog, Panorama etc. Service routes are used so that the communication between
the firewall and servers go through the dataplane.

Details
On the Web UI
Go to Device > Setup > Services > Service Route Configuration and configure the appropriate service routes.

To configure service routes for non-predefined services, the destination addresses can be manually entered, as
shown below:

https://live.paloaltonetworks.com/docs/DOC-6167 Page 1 of 4
Setting a Service Route for Services to Use a D... | Palo Alto Networks Live 3/22/15, 1:32 PM

In the example above, the service routes for 10.66.22.245 or 10.66.18.252 are configured to source from
10.66.22.88 and the management interface, respectively.

On the CLI
Run the following commands to show the options for the command, set deviceconfig system route
service:
> configure
# set deviceconfig system route service <tab or '?' key>
dns DNS server(s)
email SMTP gateway(s)
netflow Netflow server(s)
ntp NTP server(s)
paloalto-updates Palo Alto update server
panorama Panorama serve
proxy Proxy server
radius RADIUS server
snmp SNMP server(s)
syslog Syslog server(s)
uid-agent UID agent(s
url-updates URL update server
wildfire WildFire service
<value> Service name

Command to display available dataplane interfaces that can be used for a service route to receive Palo Alto
Networks updates:
# set deviceconfig system route service paloalto-updates source-address

https://live.paloaltonetworks.com/docs/DOC-6167 Page 2 of 4
Setting a Service Route for Services to Use a D... | Palo Alto Networks Live 3/22/15, 1:32 PM

10.10.10.2/24 10.10.10.2/24
10.140.59.2/30 10.140.59.2/30
10.30.14.59 mgmt 10.30.14.59
10.30.6.59/24 10.30.6.59/24
172.15.1.2/24 172.15.1.2/24
192.168.59.1/16 192.168.59.1/16
<value> Source IP address to use to reach destination

Example command to set a service route for receiving Palo Alto Networks updates using one of the available
dataplane interfaces:
# set deviceconfig system route service paloalto-updates source-address
10.140.59.2/30

Non-predefined service routes can also be configured through CLI. For example:
# set deviceconfig system route destination 10.66.22.245 source-address
10.66.22.88/23

Note: Explicit policies are required in the security rule base to log and allow trac.

Owner: pchanda

3542 Views Categories: Setup, Management & Administration

Tags: configuration, interfaces, service_routes, service_route

Average User Rating

(5 ratings)

1 Comment

MMCiobanu Aug 22, 2014 2:04 PM

this is great explanation; however, for I don't know what reason, when I try to customize the source interface
and address for DNS (using Web), I only have three option for Source Interface:
- management
- default
- any

same applies to Email, Radius, SNMP Trap.

Why does not it populate the other interfaces configured on the device?

Thanks

https://live.paloaltonetworks.com/docs/DOC-6167 Page 3 of 4
Setting a Service Route for Services to Use a D... | Palo Alto Networks Live 3/22/15, 1:32 PM

Like (0)

1.866.320.4788 Privacy Policy Legal Notices Site Index Subscriptions

Copyright 2007-2013 Palo Alto Networks

Home | Top of page | About Jive | Help 2007-2012 Jive Software |

https://live.paloaltonetworks.com/docs/DOC-6167 Page 4 of 4