Focus

Configure Service Routes

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Service Routes Overview

Static Routes

Configure Service Routes

The following procedure enables you to configure service routes to change the interface that the firewall uses to send requests to external services. For firewalls in a high availability (HA) configuration, the service route configuration is synchronized across the HA peers

For firewalls in an active/passive high availability (HA), the service route you configured to leverage an external service or for log forwarding sees activity only on the active HA peer while the passive HA peer sees no activity if you configured an Ethernet interface as the Source Interface. For example, you configure a service route with Ethernet 1/3 as the source interface to forward logs to Strata Logging Service. In this scenario, all logs are forwarded from the active HA peer but no logs, including the system and configuration logs, are forwarded from the passive HA peer. However, if you configure the MGT interface as the service route Source Interface, activity occurs on both the active and passive HA peers.

When set to default settings, certain services (such as External Dynamic Lists and URL updates) use service route settings that are inherited by a parent service (in this case, Palo Alto Networks Services) if it is explicitly configured with an interface. If the defaults are not used, Palo Alto Networks recommends configuring each of the services that you use with an interface to ensure that the proper service route is used.

Customize service routes.
1. Select DeviceSetupServicesGlobal (omit Global on a firewall without multiple virtual system capability), and in the Services Features section, click Service Route Configuration.
2. Select Customize and do one of the following to create a service route:
  - For a predefined service:
    - Select IPv4 or IPv6 and click the link for the service for which you want customize the service route.
      
      To easily use the same source address for multiple services, select the checkbox for the services, click Set Selected Routes, and proceed to the next step.
    - To limit the list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. An Address Object can also be referenced as a Source Address if it is already configured on the selected interface. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Selecting Use default causes the firewall to use the management interface for the service route, unless the packet destination IP address matches the configured Destination IP address, in which case the source IP address is set to the Source Address configured for the Destination. Selecting MGT causes the firewall to use the MGT interface for the service route, regardless of any destination service route.
      
      The Service Route Source Address does not inherit configuration changes from the referenced interface and vice versa. Modification of an Interface IP Address to a different IP address or Address Object will not update a corresponding Service Route Source Address. This may lead to commit failure and require you to update the Service Route(s) to a valid Source Address value.
    - Click OK to save the setting.
    - Repeat this step if you want to specify both an IPv4 and IPv6 address for a service.
  - For a destination service route:
    - Select Destination and Add a Destination IP address. In this case, if a packet arrives with a destination IP address that matches this configured Destination address, then the source IP address of the packet will be set to the Source Address configured in the next step.
    - To limit the list for Source Address, select a Source Interface; then select a Source Address (from that interface) as the service route. Selecting Any Source Interface makes all IP addresses on all interfaces available in the Source Address list from which you select an address. Selecting MGT causes the firewall to use the MGT interface for the service route.
    - Click OK to save the setting.
3. Repeat the prior steps for each service route you want to customize.
4. Click OK to save the service route configuration.
Commit.

Service Routes Overview

Static Routes

Next-Generation Firewall Docs

Configure Service Routes

Next-Generation Firewall Docs

Configure Service Routes

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner