How to remove Explicit Proxy configuration from Panorama

Created On 01/05/24 15:36 PM - Last Modified 04/27/24 02:45 AM


Objective


To remove the configuration of Explicit Proxy from Panorama's Cloud Services Plugin, under "Panorama > Cloud Services > Configuration > Mobile Users - Explicit Proxy".
In the WebUI, the Template, Template Stack, and Device Group created for Explicit Proxy are greyed out and therefore cannot be removed.
 


Environment


  • Panorama managed Prisma Access
  • PAN-OS 10.2 and above
  • Explicit Proxy setup


Procedure


  1. From the CLI, check the current configuration related to Explicit Proxy by running the commands below:
> set cli config-output-format set
> configure
# show | match "explicit\|Explicit"
set device-group Explicit_Proxy_Device_Group
set plugins cloud_services mobile-users-explicit-proxy onboarding
set template Explicit_Proxy_Template
set template-stack Explicit_Proxy_Template_Stack templates Explicit_Proxy_Template
set template-stack Explicit_Proxy_Template_Stack settings
set readonly template Explicit_Proxy_Template id 11010
set readonly template-stack Explicit_Proxy_Template_Stack id 11011
set readonly device-group Explicit_Proxy_Device_Group id 11012
set readonly plugins cloud_services mobile-users-explicit-proxy onboarding
  2. The "readonly" entries can be disregarded, as they will automatically be deleted once these objects are removed.
  3. Now delete the configuration from the CLI, one entry at a time:
# delete template-stack Explicit_Proxy_Template_Stack settings
[edit]
# delete template-stack Explicit_Proxy_Template_Stack templates Explicit_Proxy_Template
[edit]
# delete template Explicit_Proxy_Template
[edit]
# delete device-group Explicit_Proxy_Device_Group
[edit]
# delete plugins cloud_services mobile-users-explicit-proxy
[edit]
# delete template-stack Explicit_Proxy_Template_Stack
[edit]
  4. Commit the configuration.
# commit
# exit

 


Additional Information


  • Note that there are two "delete" commands for the Template Stack because, after running the first "delete", a remnant configuration for the Template Stack would still remain, as seen below:
set template-stack Explicit_Proxy_Template_Stack templates 
set readonly  template-stack Explicit_Proxy_Template_Stack id 11011
  • Otherwise, a commit would fail with the error message below:
> show jobs id <ID>

Enqueued              Dequeued           ID                              Type                         Status Result Completed 
------------------------------------------------------------------------------------------------------------------------------
2024/01/05 11:12:18   11:12:18         <ID>                            Commit                            FIN   FAIL 11:13:53  
Warnings:

Details:Validation Error:
 devices -> localhost.localdomain -> template-stack -> Explicit_Proxy_Template_Stack  is missing 'settings'
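
The remnant condition above can be caught before committing by re-running the "show | match" command from step 1 and checking its output. The Python sketch below is an added example, not part of the original article or any Palo Alto Networks tooling; the function names are hypothetical, the sample inputs are constructed from the output quoted on this page, and it assumes the set-format output has been saved as text.

```python
# Constructed input: step 1 output from this article (readonly lines trimmed).
BEFORE = """\
set device-group Explicit_Proxy_Device_Group
set plugins cloud_services mobile-users-explicit-proxy onboarding
set template Explicit_Proxy_Template
set template-stack Explicit_Proxy_Template_Stack templates Explicit_Proxy_Template
set template-stack Explicit_Proxy_Template_Stack settings
set readonly template-stack Explicit_Proxy_Template_Stack id 11011
"""
# Constructed input: the remnant shown under "Additional Information".
REMNANT = """\
set template-stack Explicit_Proxy_Template_Stack templates
set readonly template-stack Explicit_Proxy_Template_Stack id 11011
"""

def parse(output):
    """Split set-format output into (pending, readonly) token lists."""
    pending, readonly = [], []
    for line in output.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "set":
            continue  # skip prompts, "[edit]" markers and blank lines
        if tokens[1] == "readonly":
            readonly.append(tokens[2:])  # removed automatically, ignore
        else:
            pending.append(tokens[1:])
    return pending, readonly

def stacks_missing_settings(output):
    """Template stacks still in the config that have no 'settings' node."""
    pending, _ = parse(output)
    present, with_settings = set(), set()
    for tokens in pending:
        if tokens[0] == "template-stack":
            present.add(tokens[1])
            if len(tokens) > 2 and tokens[2] == "settings":
                with_settings.add(tokens[1])
    return sorted(present - with_settings)

def precommit_report(output):
    """Return (ok, messages); ok is True only when nothing is left to delete."""
    pending, _ = parse(output)
    messages = ["still configured: set " + " ".join(t) for t in pending]
    for name in stacks_missing_settings(output):
        messages.append(f"commit would fail: template-stack {name} is missing 'settings'")
    return (not pending, messages)
```

A result of (True, []) means only "readonly" lines, or nothing, matched; any message about a missing 'settings' node corresponds to the validation error shown above.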

 

