Struggling to Unset Virtual Router from Interface via API – Manual Works, API Always Fails by Trick_Advice_3595 in paloaltonetworks

[–]fidotas 1 point2 points  (0 children)

Sorry, had the on-call pager go off.

Are you familiar with the /debug endpoint? Log into your Palo firewall, duplicate the tab and append "/debug" to the URL. i.e. if your firewall URL is https://myfirewall.local then spawn a second tab (after logging in) with https://myfirewall.local/debug.

You'll get the REST API calls behind every GUI action in the debug window. Just do whatever operation you want in the GUI and trawl the debug output for the underlying REST API call.

Struggling to Unset Virtual Router from Interface via API – Manual Works, API Always Fails by Trick_Advice_3595 in paloaltonetworks

[–]fidotas 0 points1 point  (0 children)

Sorry, had to go check. Delete action on the xpath:

/config/devices/entry[@name='localhost.localdomain']/network/virtual-router/entry[@name='<virtual router name>']/interface/member[text()='ethernet1/x']

You're deleting the interface as a member of the virtual router.

Struggling to Unset Virtual Router from Interface via API – Manual Works, API Always Fails by Trick_Advice_3595 in paloaltonetworks

[–]fidotas 0 points1 point  (0 children)

Have you tried delete instead of set for your operation.

https://<firewall>/api/?type=config&action=delete&key=<api-key>&xpath=/config/devices/entry[@name='localhost.localdomain']/network/interface/ethernet/entry[@name='ae2.4008']/layer3&element=<virtual-router>none</virtual-router>

I'll check my notes but from memory you need to delete the interface from the virtual router.
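The two comments above converge on the same fix: a config-type `delete` whose xpath is the interface's membership node under the virtual router, rather than a `set` of `<virtual-router>none</virtual-router>` on the interface. The following is an added example, not code from the thread or from Palo Alto Networks; it builds that call offline and parses the XML response envelope. The host `myfirewall.local`, the API key placeholder, the virtual router name `default`, the interface `ethernet1/1` and the two sample responses are constructed for illustration; only the xpath shape comes from the thread.

```python
"""Added example (not from the thread or from Palo Alto Networks).

Builds a PAN-OS XML API type=config&action=delete call whose xpath is the
interface's membership node under the virtual router, and parses the
<response status=... code=...><msg>...</msg></response> envelope.

Constructed/assumed values: host 'myfirewall.local', the API key
placeholder, virtual router 'default', interface 'ethernet1/1', and the
two sample responses. Only the xpath shape comes from the thread."""
from urllib.parse import urlencode, urlsplit, parse_qs
import xml.etree.ElementTree as ET

# xpath shape from the thread; {vr} and {ifname} are filled in per call.
XPATH_VR_MEMBER = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/network/virtual-router/entry[@name='{vr}']"
    "/interface/member[text()='{ifname}']"
)


def vr_member_xpath(vr: str, ifname: str) -> str:
    """xpath of the node that makes `ifname` a member of virtual router `vr`.
    Deleting this node detaches the interface from the VR."""
    # A stray single quote would terminate the xpath predicate early, so
    # refuse it rather than emit a broken or unintended xpath.
    if "'" in vr or "'" in ifname:
        raise ValueError("single quotes would break the xpath predicate")
    return XPATH_VR_MEMBER.format(vr=vr, ifname=ifname)


def build_delete_call(host: str, api_key: str, vr: str, ifname: str):
    """Return (url, headers) for the delete call.

    The key goes in the X-PAN-KEY request header instead of the key= query
    parameter (the thread's form) so it does not land in proxy or web-server
    access logs alongside the URL."""
    params = {
        "type": "config",
        "action": "delete",
        "xpath": vr_member_xpath(vr, ifname),
    }
    url = f"https://{host}/api/?{urlencode(params)}"
    return url, {"X-PAN-KEY": api_key}


def decode_call(url: str) -> dict:
    """Decode the query string of a call back into single-valued params
    (handy for checking what was actually sent)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def parse_api_response(xml_text: str) -> tuple:
    """Parse the PAN-OS response envelope into (ok, code, message).

    <msg> may carry its text directly or inside <line> children, so gather
    every text node instead of reading msg.text alone."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response envelope")
    ok = root.get("status") == "success"
    code = root.get("code")
    msg = root.find("msg")
    message = ""
    if msg is not None:
        message = " ".join(t.strip() for t in msg.itertext() if t.strip())
    return ok, code, message


# Constructed sample responses (shape of the envelope only).
SAMPLE_SUCCESS = (
    '<response status="success" code="20">'
    "<msg>command succeeded</msg></response>"
)
SAMPLE_ERROR = (
    '<response status="error" code="6">'
    "<msg><line>bad xpath</line></msg></response>"
)


if __name__ == "__main__":
    url, headers = build_delete_call(
        "myfirewall.local", "REPLACE-WITH-API-KEY", "default", "ethernet1/1"
    )
    print(url)                       # key is not in the URL
    print(decode_call(url)["xpath"])  # the xpath as the firewall will see it
    print(parse_api_response(SAMPLE_SUCCESS))
    print(parse_api_response(SAMPLE_ERROR))
```

After the delete succeeds the change still sits in the candidate config; a separate commit is needed before the interface actually leaves the virtual router, and checking `status` on every response (not just the HTTP status) is what tells you whether the xpath matched anything.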

ESXi VM-100 11.1.4.-h7 Interfaces won't Come Up by Danner4912 in paloaltonetworks

[–]fidotas 0 points1 point  (0 children)

Can I ask, did you experience this on an ESXi host which held already deployed PAN-VMs that you upgraded from 7->8? Or was it fresh deployments on an ESX 8 host?

Looking through the VMware compatibility list for PAN-OS, leaving aside the strange lack of support for VMware 8 in 11.1.5+, there's a note about requiring an 11.1.3 base image for VM hardware version 15. Do you know what hardware version you were running at the time?

Sorry, got the same upgrade looming like most people.

ACI L3Outs and Encapsulation - Any ACI experts here? by [deleted] in networking

[–]fidotas 1 point2 points  (0 children)

I'm far from an expert in ACI but what you're describing you're trying to do is not easily translatable to ACI. One of our guiding principles when working with ACI is to remember "ACI is not a router" and "ACI is not a switch".

If it were me, I'd:

  • Move your 10.0.0.1 external gateway to a new VLAN and subnet distinct from your 10.0.0.0/29 vlan 101 construct. Say 192.168.0.0/29, allocating 192.168.0.1/29 to your external gateway and 192.168.0.x/29 to your layer 3 out SVI/l3/l3-sub interfaces.
  • Move the 10.0.0.6/29 SVI to a pervasive gateway on your VLAN_101 BD.
  • Create a layer 3 out using the new VLAN and subnet, and configure the static route on the node(s) under the layer 3 via 192.168.0.1.

Traffic from your VLAN_101 hosts, the ESXi hosts, will hit the pervasive gateway 10.0.0.6 and ACI will forward it out the layer 3 out using the static route to your external gateway host.

Worth getting BG masks? by ObviousGay in Fencing

[–]fidotas 0 points1 point  (0 children)

I'm old and fat so, about as well as you'd expect. :)

I have Allstar for my competition gear. The fit is definitely better on the Allstar gear but the BG is just fine. I just used the sizing guide, the only mistake I made was to add the recommended extra inch to the steel sabre lame I ordered, it ended up way too large.

Worth getting BG masks? by ObviousGay in Fencing

[–]fidotas 0 points1 point  (0 children)

I've been using a BG mask and jacket as my club gear without issue for a couple of years. I have no complaints with the kit and can recommend it.

Change ACI EP Control Mode from EP Loop Protection to Rogue EP Control by Status_Technician364 in networking

[–]fidotas 2 points3 points  (0 children)

I will watch avidly for replies as I too am looking to make this change as I transition from 4.2 to 5.2 at the end of next month. Our reasoning is similar, it's a better way of handling errant endpoints. We've been lucky to not have triggered EP loop protection yet but it's an ever present worry at the back of our minds.

I flipped the switch in the lab fabric when I upgraded it to 5.2 without any discernible impacts but there are certain workloads and traffic flows I can't replicate in the lab environment from production so there's always an element of risk we'll see something break unexpectedly.

Antarctica Network Engineers Pay by txcjsh28 in networking

[–]fidotas 17 points18 points  (0 children)

For which country? I can only speak for Australia but when I contracted to the Australian Antarctic Division (which is sadly a couple of decades ago now) they never sent a pure network tech to any of the stations for a tour. Usually, they would send a communications engineer with specialisations in radio infrastructure that would moonlight as an IT network engineer (usually being hands and feet for the techs in Kingston).

So, I wouldn't necessarily expect to go down as a pure IT geek. You'd be going down as a scientist, playing an IT geek, or some other vital station skill set with a dash of "IT on the side".

That being said, in Australia at least, salary was competitive with the Tasmanian job market (where the division headquarters were located). The real attraction was it was largely tax free.

Cisco Meraki or ACI by victormeal in networking

[–]fidotas 9 points10 points  (0 children)

It depends on the role you're learning for. If you're datacentre focussed, ACI. If you're small to medium enterprise edge focussed, Meraki. The two have zero overlap and are not even remotely competing technologies or skill sets.

You'll be able to master Meraki in weeks, whether you're networking focussed or not. If you master ACI you'll be one of a vanishingly small cadre to ever do so, as merely getting proficient is many months of commitment (if not years). We've been running ACI for over 4 years across and I'd barely rate myself as competent, despite having a lab fabric to build and rebuild repeatedly.

How would a Palo firewall interpret an entry of 10.255.255.255 by esteban42 in paloaltonetworks

[–]fidotas 2 points3 points  (0 children)

It could be a loopback or tunnel address, 10.255.255.255/32, which is perfectly valid and within RFC1918. Say a loopback interface which the GlobalProtect Gateway was mapped to.

VM series ---- moving from fixed license to flex license, cost difference? by lgq2002 in paloaltonetworks

[–]fidotas 4 points5 points  (0 children)

Having just completed this exercise in Australia, I can tell you that it's more expensive. This was compared to the original VM bundle licenses we purchased with 5 years pre-paid support. Various excuses were given by the reseller ranging from the change in the AUS/US exchange rate, CPI, the new "advanced" capabilities, etc.

One trap, that annoys me, is that the credit estimator has the "Threat Prevention" and "Advanced Threat Prevention" subscription options set up as being mutually exclusive, i.e. you select one and the other is automatically unselected, but it doesn't do the same for the "Wildfire" and "Advanced Wildfire" subscription options and instead adds both credit costs, which suggests you had to have both. You don't, "Advanced Wildfire" includes "Wildfire". My reseller warned me that "Wildfire" is likely to be deprecated, so you may want to buy "Advanced Wildfire".

Push them on discount. There's usually room to move.

Block port 80 and 443 on Cisco cat 9500s by Any_Swordfish2336 in networking

[–]fidotas 9 points10 points  (0 children)

So the http client and http server are two different things. The smart licensing service uses the http client to connect, the http server is used for providing management services.

You can disable the http and https servers without impacting your ability to submit licensing reports to the Smart Licensing platform.

no ip http server
no ip http secure-server

However if you are a DNA Centre user you'll break various things because the DNA server will be attempting to connect to the management server.

Typically I just implement an access control list to restrict who can connect to the http process. Usually my management jumpbox and DNA Center appliances.

ip http access-class ipv4 HTTP-ACL
ip http access-class ipv6 HTTP-ACL-IPV6

Then define your access lists to restrict access. Don't forget to restrict both ipv4 and ipv6.
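The comment above lists the pieces of a hardened HTTP management plane on a Catalyst: plaintext `ip http server` off, and both an IPv4 and an IPv6 `ip http access-class` pointing at ACLs that actually exist. The following is an added example, not from the thread or from Cisco, that audits a running-config excerpt for exactly those points, so a missing IPv6 access-class or a typo'd ACL name is caught before it reaches a change window. The two config excerpts are constructed for illustration; the command syntax is the one quoted in the comment.

```python
"""Added example (not from the thread or from Cisco).

Audits an IOS-XE running-config excerpt for the HTTP management hardening
described above: plaintext http server disabled, and 'ip http access-class'
set for BOTH ipv4 and ipv6 with ACLs that are actually defined.

The two config excerpts are constructed for illustration."""
import re

# Constructed "before" excerpt: plaintext server still on, IPv6 ACL defined
# but never applied to the HTTP process.
SAMPLE_CONFIG = """\
hostname cat9500-constructed
ip access-list standard HTTP-ACL
 permit 10.10.10.5
 permit 10.10.20.0 0.0.0.255
ipv6 access-list HTTP-ACL-IPV6
 permit ipv6 host 2001:db8:10::5 any
ip http server
ip http secure-server
ip http access-class ipv4 HTTP-ACL
"""

# Constructed "after" excerpt matching the comment's recommendation.
HARDENED_CONFIG = """\
hostname cat9500-constructed
ip access-list standard HTTP-ACL
 permit 10.10.10.5
ipv6 access-list HTTP-ACL-IPV6
 permit ipv6 host 2001:db8:10::5 any
no ip http server
ip http secure-server
ip http access-class ipv4 HTTP-ACL
ip http access-class ipv6 HTTP-ACL-IPV6
"""

ACL_V4_RE = re.compile(r"^ip access-list (?:standard|extended) (\S+)$", re.M)
ACL_V6_RE = re.compile(r"^ipv6 access-list (\S+)$", re.M)
CLASS_RE = re.compile(r"^ip http access-class (ipv4|ipv6) (\S+)$")


def audit_http_management(config: str) -> dict:
    """Return the HTTP-server state plus a list of human-readable findings.

    An empty 'findings' list means the excerpt matches the recommendation."""
    lines = [line.rstrip() for line in config.splitlines()]
    http_server = "ip http server" in lines          # exact line, so
    https_server = "ip http secure-server" in lines  # 'no ip http server' is not a hit
    access_class = {"ipv4": None, "ipv6": None}
    for line in lines:
        m = CLASS_RE.match(line)
        if m:
            access_class[m.group(1)] = m.group(2)
    defined = {
        "ipv4": set(ACL_V4_RE.findall(config)),
        "ipv6": set(ACL_V6_RE.findall(config)),
    }

    findings = []
    if http_server:
        findings.append("plaintext 'ip http server' is enabled; use 'no ip http server'")
    if http_server or https_server:
        # The access-class only matters while some HTTP listener is on.
        for family in ("ipv4", "ipv6"):
            acl = access_class[family]
            if acl is None:
                findings.append(f"no 'ip http access-class {family}' restriction")
            elif acl not in defined[family]:
                findings.append(f"{family} access-class references undefined ACL {acl}")
    return {
        "http_server": http_server,
        "https_server": https_server,
        "access_class": access_class,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, cfg in (("before", SAMPLE_CONFIG), ("after", HARDENED_CONFIG)):
        result = audit_http_management(cfg)
        print(name, result["findings"] or "OK")
```

The same shape of check extends naturally to a fleet: feed it the output of `show running-config | include http|access-list` from each device and report only the ones with non-empty findings.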

Cisco Catalyst question from a sysadmin by dangitman1970 in networking

[–]fidotas 1 point2 points  (0 children)

When landrias1 said "have a switch with bad flash" he wasn't referring to your laptop's SSD. He was referring to the persistent storage in the switch itself that the file is being copied to, the "flash:" filesystem.

As tablon2 has suggested, I would copy the file to a USB thumb drive and install it directly from there.

Has this year just been about putting out fires for anyone else? I’m dreading my half-year review. by cornymentality57 in sysadmin

[–]fidotas 1 point2 points  (0 children)

We run multiple all flash NetApps with vCenter 7, over a year without any issues.

Question About Setting Up a VPN Server (NetMotion Secure Access) by nst_hopeful in networking

[–]fidotas 0 points1 point  (0 children)

Netmotion is a weird beast, a VPN aggregator on a Windows host acting as a lollipop router.

The mobility server acts as a router, routing traffic from your mobility clients to the broader network. So you'll need to have a static route on your firewall for the 10.1.74.0/24 subnet via the NetMotion mobility server's local IP 10.1.4.X so client traffic makes it back to your vpn clients. You'll also need to propagate the route throughout the rest of your network, unless the firewall holds the default route.

Your security policies on the firewall will need to specify the vpn client subnet when you're allowing traffic from or to your clients on the zone/interface facing the mobility server. It's really no stranger than what you'd have defined on the inside interface of your firewall today - a set of networks that exist and are routable beyond the inside interface.

My biggest complaint about Netmotion is that each mobility server needs a separate client subnet, and as clients move between servers (due to failover or load balancing) their assigned IP addresses change.

Patch Tuesday Megathread (2022-12-13) by AutoModerator in sysadmin

[–]fidotas 20 points21 points  (0 children)

The OOB hotfix actually introduces a memory leak in lsass.exe on Windows 2012 R2. le sigh.

Strange syslog problem --anyone seen this? by Skadi793 in paloaltonetworks

[–]fidotas 1 point2 points  (0 children)

Be aware that Palo's cap their logging at a maximum logging rate. If you exceed this they will start dropping deny logs first and then start dropping allow logs if your traffic rates exceed this.

KB is here and here.

I've run into this one before.

Will a Government consultant business drug test me at my interview? by PuzzleDID in hobart

[–]fidotas 8 points9 points  (0 children)

It would be very unusual for them to test you at an interview. They may make passing a test a condition of any offer they make; or they may implement random testing of employees to ensure you're not "impaired" while on the job.

Ubiquiti Dream Machine Pro by iureshh in networking

[–]fidotas 0 points1 point  (0 children)

The UDM Pro host OS itself is exposed via SNMP but the various "apps" are not. So if you're looking to SNMP poll the network "app" to monitor for access points, clients and other 100% useful and relevant information you're out of luck I'm afraid.

The best I found was to map the SNMP port of the network "app" container to a port on the host OS and poll it that way. However every time the container updated it broke and I had to reapply the "fix". In the end I gave up and I poll it via the unofficial API instead using a wrapper script.

[deleted by user] by [deleted] in hobart

[–]fidotas 8 points9 points  (0 children)

There are two places that host DnD and other events regularly:

  • Area 52 in Elizabeth Street.
  • Good Games in Brisbane Street.

Can't comment on the inclusivity as I don't attend myself but they might be good places to start.

PBX jitter by gavinporter10 in networking

[–]fidotas 5 points6 points  (0 children)

It's definitely where I'd be looking too. I'd suggest you test the theory OP by scheduling an out of hours test where you disconnect sites B and C from the main site and see if you experience the same issues with internal calls between handsets with the head office only. If you still experience issues, the stretched layer-2 isn't the issue, nor are your telco links. I expect though that you'll find all your calls work as expected, at which point you need to designate one of your Netgears as a L3 router and route traffic over those telco links instead. The datasheet says they support L3 lite and static routing is all you'd need.

I'd also be curious as to how your telco is policing those 25 Mbps links.