Verifying Service Routes in Palo Alto Networks Firewalls

1. Introduction

Service routes in Palo Alto Networks firewalls determine the source interface and IP address used for services such as DNS, NTP, syslog, and others. Verifying these configurations ensures that the firewall communicates correctly with external services.

2. Viewing Service Routes via CLI

To verify service routes using the CLI:

debug dataplane internal vif route 250

This command displays the service routes configured on the firewall and shows whether they are correctly installed and active in the Management Plane. The number 250 specifically refers to service routes in the Management Plane.

3. Viewing Service Routes via Web Interface

To verify service routes using the web interface:

  1. Navigate to Device > Setup > Services.
  2. Click on Service Route Configuration.
  3. Select Customize to view and verify the configured service routes.

This section displays the source interface and IP address used for each service, allowing you to confirm the configurations.

4. Testing Service Route Connectivity

To test connectivity for a specific service route:

ping source <source-ip> host <destination-ip>

Replace <source-ip> with the IP address configured in the service route and <destination-ip> with the external service's IP address. This command verifies that the destination is reachable from the specified source address.

5. Monitoring Service Route Traffic

To monitor traffic generated by service routes:

  1. Navigate to Monitor > Traffic in the web interface.
  2. Apply filters to view traffic from the source IP addresses configured in your service routes.

This allows you to confirm that traffic is flowing as expected through the specified interfaces.
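The check described above can also be run offline against an exported copy of the filtered traffic log. The following is an added example, not part of the original page or any Palo Alto Networks tooling; the service-route table, the firewall addresses, the column names (src, dst, proto, dport) and the sample rows are all constructed assumptions to adapt to your own export.

```python
import csv
import io

# Assumed service-route table: service -> (expected source IP, protocol, dest port)
SERVICE_ROUTES = {
    "dns": ("10.1.1.1", "udp", 53),
    "ntp": ("10.1.1.1", "udp", 123),
    "syslog": ("10.2.2.1", "udp", 514),
}
# Assumed addresses owned by the firewall's own interfaces
FIREWALL_IPS = {"10.1.1.1", "10.2.2.1"}

# Constructed sample rows; column names are assumptions, not a PAN-OS format
SAMPLE_LOG = """src,dst,proto,dport
10.1.1.1,8.8.8.8,udp,53
10.2.2.1,203.0.113.10,udp,123
10.2.2.1,198.51.100.5,udp,514
10.5.5.20,8.8.8.8,udp,53
"""

def check_service_routes(log_text, routes=SERVICE_ROUTES, fw_ips=FIREWALL_IPS):
    """Return (mismatches, missing).

    mismatches: firewall-originated service traffic leaving from an address
                other than the one configured in the service route.
    missing:    services with no traffic seen from their configured source.
    """
    by_port = {(proto, port): (name, ip) for name, (ip, proto, port) in routes.items()}
    seen, mismatches = set(), []
    for row in csv.DictReader(io.StringIO(log_text)):
        key = (row["proto"].lower(), int(row["dport"]))
        # Skip services we do not track and transit traffic from other hosts
        if key not in by_port or row["src"] not in fw_ips:
            continue
        name, expected = by_port[key]
        if row["src"] == expected:
            seen.add(name)
        else:
            mismatches.append((name, row["src"], expected))
    return mismatches, sorted(set(routes) - seen)

if __name__ == "__main__":
    bad, absent = check_service_routes(SAMPLE_LOG)
    for name, actual, expected in bad:
        print(f"{name}: sourced from {actual}, service route expects {expected}")
    for name in absent:
        print(f"{name}: no traffic seen from configured source")
```

A service listed as missing is worth following up with the ping test from section 4 using the same source address.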

6. Additional Resources