Running "debug object registered-ip test unregister ip X.X.X.X" command unregister the IP TAG from the Panorama/Firewall which is acting as redistribution agent but doesn't unregister it from the redistributed devices

After unregistering the IP TAG from the Panorama/Firewall running command debug object registered-ip test unregister ip X.X.X.X, it still shows the IP TAG in redistributed device.

• Palo Alto Firewalls or Panorama
• Supported PAN-OS
• IP TAG redistribution

debug object registered-ip test unregister ip X.X.X.X  command will only delete the IP TAG in a local device which is acting as a redistribution agent, not in the redistributed devices

1. debug object registered-ip test unregister ip X.X.X.X  command doesn't work in the case of IP TAG redistribution.
2. To unregister the IP TAG in the case of IP TAG redistribution, use Panorama API Browser and run XML API script
   • Launch the API Browser
     • https://<Panorama>/api 
   • Once the XML API window opens, click User ID

• • Under XML  use the <uid-message><type>update</type><payload><unregister><entry ip="X.X.X.X"><tag><member>Tag Name</member></tag></entry></unregister></payload></uid-message>  script to unregister the IP TAG

• • This will unregister the IP TAG from the Panorama and also from all redistributed firewalls at the same time
  • The same steps can be implemented in the firewall if the Firewall is acting as a redistribution agent

This document only shows the running XML API unregister script using the API browser but same unregister XML API script can be pushed using other API tools.