The following procedure enables you to configure service routes to change the interface that the firewall uses to send requests to external services. For firewalls in a high availability (HA) configuration, the service route configuration is synchronized across the HA peers.

For firewalls in an active/passive high availability (HA) configuration, a service route that you configured to leverage an external service or for log forwarding sees activity only on the active HA peer, while the passive HA peer sees no activity, if you configured an Ethernet interface as the Source Interface. For example, you configure a service route with Ethernet 1/3 as the source interface to forward logs to Strata Logging Service. In this scenario, all logs are forwarded from the active HA peer but no logs, including the system and configuration logs, are forwarded from the passive HA peer. However, if you configure the MGT interface as the service route Source Interface, activity occurs on both the active and passive HA peers.

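The following check is an added example, not part of the original documentation or vendor tooling: it scans an exported configuration for service routes that would leave the passive HA peer silent, which matters when you rely on that peer's system and configuration logs. The XML element layout, the service entry names and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real firewall. The element layout
# (route/service/entry/source/interface, high-availability/.../active-passive)
# and the service names are assumptions; adjust the paths to match your export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <system><route><service>
    <entry name="log-forwarding-example">
      <source><interface>ethernet1/3</interface></source>
    </entry>
    <entry name="dns-example">
      <source><interface>MGT</interface></source>
    </entry>
  </service></route></system>
  <high-availability><group><mode><active-passive/></mode></group></high-availability>
</deviceconfig></entry></devices></config>
"""


def passive_peer_blind_spots(config_xml):
    """Return (service, interface) pairs that see no activity on the passive peer."""
    root = ET.fromstring(config_xml)
    # Only active/passive pairs show the behaviour described above.
    if root.find(".//high-availability//active-passive") is None:
        return []
    findings = []
    for entry in root.iterfind(".//route/service/entry"):
        iface = (entry.findtext("source/interface") or "").strip()
        # Entries without an explicit interface are skipped; an inherited
        # setting is judged through the parent service's own entry.
        if iface.lower().startswith("ethernet"):
            findings.append((entry.get("name"), iface))
    return findings


if __name__ == "__main__":
    for service, iface in passive_peer_blind_spots(SAMPLE_CONFIG):
        print(f"{service}: source interface {iface} sends nothing from the passive peer")
```
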
When set to default settings, certain services (such as External Dynamic Lists and URL updates) use service route settings that are inherited from a parent service (in this case, Palo Alto Networks Services) if that parent service is explicitly configured with an interface. If the defaults are not used, Palo Alto Networks recommends configuring each of the services that you use with an interface to ensure that the proper service route is used.