04-22-2025 08:19 AM
Hello,
I've already looked at similar topics here, but it did not help me.
I'm supposed to set up a DHCP server on ethernet1/2 and to do it, I need to set up ethernet1/2 as a layer3 interface on the CLI first.
Initially, I tried these commands:
set network interface ethernet ethernet1/2 layer3 ip 10.xxx.yyy.zzz
set network virtual-router VR1 interface ethernet1/2
admin@fw# set zone trust network layer3 ethernet1/2
admin@fw# commit
But I got this error:
Commit job 6 is in progress. Use Ctrl+C to return to command prompt
...
Validation Error:
network -> virtual-wire -> default-vwire -> interface2 'ethernet1/2' is not a valid reference
network -> virtual-wire -> default-vwire -> interface2 is invalid
Then, I tried deleting ethernet1/2 from the config:
admin@fw# delete zone trust network layer3
ethernet1/1 ethernet ethernet1/1
ethernet1/2 ethernet ethernet1/2
loopback loopback loopback
sdwan sdwan sdwan
tunnel tunnel tunnel
vlan vlan vlan
<value> member value
<Enter> Finish input
admin@fw# delete zone trust network layer3 ethernet1/2
Object doesn't exist
and
admin@fw1# delete zone trust network virtual-wire
ethernet1/1 ethernet1/1
<value> member value
<Enter> Finish input
admin@fw# delete zone trust network virtual-wire ethernet1/1
<Enter> Finish input
admin@fw# delete zone trust network virtual-wire ethernet1/1
No object to delete in delete handler
How is it possible ethernet1/2 does not exist if it's a valid parameter after layer3?
How is it possible ethernet1/1 cannot be deleted as a virtual wire parameter if it's shown as a valid parameter?
Kind regards
Chris
04-22-2025 08:33 AM
Hi @Kfialkowski,
Can you post the running-config.xml sections relevant to your question? Have you tried deleting the virtual-wire first? I believe you may need to remove the virtual-wire object associated with the interface. Try the 'delete network virtual-wire name_here' command.
Cheers
04-22-2025 10:53 AM - edited 04-22-2025 10:54 AM
Can you share a screenshot from the GUI of what eth 1/2 looks like? Also, can you show the GUI of your vwire? PAN-OS is weird; in some instances it'll let you delete something, which can create a weird situation where an object may be gone but the thing referencing the object still thinks it's there. It's possible you might have unintentionally removed/deleted an object from use somewhere else, and now that somewhere else is holding onto that object. If this is the case you're better off reverting your config and starting over.
04-23-2025 03:20 AM - edited 04-23-2025 03:21 AM
Hi, I cannot access the GUI, as the firewall's management IP is on a different network from my laptop's. Ideally, if both were on the same network, I'd connect a cable to the firewall's management interface and the other end of the cable to my laptop. However, I was forbidden to change the IP on my laptop to match the network where the firewall's IP is assigned. That's why I'm trying to set up a DHCP server on the firewall. After I'm able to access the GUI, things will be easier.
I'll post full config later.
04-24-2025 07:02 AM
The config appears to be too long to paste as one message.
admin@fw> show config running
config {
mgt-config {
users {
admin {
phash $5$woduoyxs$DfWODoz/iqbcsS1nvTAI7U/JnyBlK8b7gE2csl7lfN5;
permissions {
role-based {
superuser yes;
}
}
}
}
password-complexity {
enabled yes;
minimum-length 8;
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1 {
virtual-wire;
}
ethernet1/2 {
virtual-wire;
}
}
loopback {
units;
}
vlan {
units;
}
tunnel {
units;
}
}
vlan;
virtual-wire {
default-vwire {
interface1 ethernet1/1;
interface2 ethernet1/2;
}
}
04-24-2025 07:04 AM - edited 04-24-2025 07:08 AM
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class-bandwidth-type {
mbps {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
}
}
}
}
}
deviceconfig {
system {
ip-address xxx.yyy.21.130;
netmask 255.255.255.224;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname PA3250;
type {
static;
}
default-gateway xxx.yyy.21.129;
dns-setting {
servers {
primary xxx.zzz.36.10;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
trust {
network {
virtual-wire ethernet1/2;
}
}
untrust {
network {
virtual-wire ethernet1/1;
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules {
rule1 e98c697c-5faa-49ee-a901-5c5748d55e7d {
from trust;
to untrust;
source any;
destination any;
service any;
application any;
action allow;
log-end yes;
}
}
}
}
}
}
}
}
}
04-24-2025 08:18 AM
Hello @Kfialkowski ,
I suspect this is the cause:
virtual-wire {
default-vwire {
interface1 ethernet1/1;
interface2 ethernet1/2;
}
As previously mentioned, remove the virtual-wire object associated with the two interfaces. Try the 'delete network virtual-wire name_here' command.
Let me know if this helps!
Cheers
04-25-2025 05:13 AM
Hi,
Thank you everybody for your assistance.
I'll be in that place on Monday.
If I delete that interface, what command should I use to create a new layer3 interface and assign a DHCP pool range to it? Should I use ethernet1/2 to set up a DHCP server after deleting it as a virtual wire?
The VLAN is xxx.yyy.21.128/27, so the usable network range is xxx.yyy.21.129 - xxx.yyy.21.158. However, the gateway is xxx.yyy.21.129, the primary PA FW management IP is xxx.yyy.21.130 and the secondary PA FW management IP is xxx.yyy.21.131, so the DHCP server range should be xxx.yyy.21.132 - xxx.yyy.21.158.
Please take a look at the diagram above.
A network engineer assigned a switchport for the primary PA FW to the first port (on the left, 1), the second port (the middle one, 2) has been assigned to the secondary PA FW and the third port (the right one, 3) has been assigned to my laptop.
That was his idea of bypassing the problem of the firewalls and the laptop being in a different network.
Kind regards
Chris
04-29-2025 09:07 AM
Hi,
The system says the interface does not exist:
admin@fw# delete network virtual-wire
default-vwire default-vwire
<name> <name>
admin@fw# delete network virtual-wire
default-vwire default-vwire
<name> <name>
admin@fw# delete network virtual-wire ethernet1/2
Object doesn't exist
[edit]
admin@fw# delete network virtual-wire
default-vwire default-vwire
<name> <name>
admin@fw# delete network virtual-wire interface2
Object doesn't exist
[edit]
admin@fw# delete network virtual-wire ethernet1/2
Object doesn't exist
[edit]
admin@fw1# delete network virtual-wire ethernet1/1
Object doesn't exist
[edit]
admin@fw# delete network virtual-wire interface1
Object doesn't exist
Deleting the default virtual wire does not work either:
admin@fw# delete network virtual-wire default-vwire
[edit]
admin@fw# commit
Commit job 9 is in progress. Use Ctrl+C to return to command prompt
...
Validation Error:
zone -> untrust -> network -> virtual-wire 'ethernet1/1' is not a valid reference
zone -> untrust -> network -> virtual-wire is invalid
[edit]
admin@fw#
04-29-2025 10:25 AM - edited 04-29-2025 10:31 AM
Hi @Kfialkowski ,
If this is the default virtual-wire configuration, the following commands will delete it.
delete zone trust network virtual-wire ethernet1/2
delete zone untrust network virtual-wire ethernet1/1
delete zone trust network virtual-wire
delete zone untrust network virtual-wire
delete rulebase security rules rule1
delete zone trust
delete zone untrust
delete network interface ethernet ethernet1/1 virtual-wire
delete network interface ethernet ethernet1/2 virtual-wire
delete network virtual-wire default-vwire interface2
delete network virtual-wire default-vwire
If you are reusing the "trust" and "untrust" zones, do not delete them. If your configuration is not default, then run the following commands to view them.
> set cli config-output-format set
> configure
# show | match virtual-wire
If there are any commands left, replace the "set" with "delete" and paste into the CLI.
Thanks,
Tom
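The dependency order in Tom's list (zone references first, then the interface mode, then the virtual-wire object itself) is exactly what the commit validator enforces, and both errors earlier in the thread come from breaking it. The script below is an added example for this thread, not Palo Alto Networks code and not Tom's: it parses the brace-format output of `show config running` into nested dicts, reproduces the two validation failures seen above (switching ethernet1/2 to layer3 while default-vwire still references it, and deleting default-vwire while the zones still reference its members), and plans the delete commands references-first so the resulting config validates cleanly. `SAMPLE_CONFIG` is a constructed fragment modelled on the posted config; the message wording mimics the validator output quoted in the thread, and the checker reports every dangling reference where the firewall stops at the first.

```python
"""Reference checker for PAN-OS brace-format config (added example, not PAN-OS code)."""
import copy
import re

# Constructed fragment modelled on the config posted in this thread.
SAMPLE_CONFIG = """
network {
  interface {
    ethernet {
      ethernet1/1 { virtual-wire; }
      ethernet1/2 { virtual-wire; }
    }
  }
  virtual-wire {
    default-vwire {
      interface1 ethernet1/1;
      interface2 ethernet1/2;
    }
  }
}
vsys {
  vsys1 {
    zone {
      trust { network { virtual-wire ethernet1/2; } }
      untrust { network { virtual-wire ethernet1/1; } }
    }
  }
}
"""


def parse(text):
    """Parse brace-format config into nested dicts; leaf values are strings or None."""
    tokens = re.findall(r"[{};]|[^\s{};]+", text)
    return _parse_block(tokens, 0)[0]


def _parse_block(tokens, pos):
    node, words = {}, []
    while pos < len(tokens):
        tok, pos = tokens[pos], pos + 1
        if tok == "}":
            break
        if tok == "{":                      # "name {" opens a child block
            node[words[0]], pos = _parse_block(tokens, pos)
            words = []
        elif tok == ";":                    # "key value;" or a bare "key;"
            node[words[0]] = " ".join(words[1:]) or None
            words = []
        else:
            words.append(tok)
    return node, pos


def _members(value):
    """Split a leaf such as "ethernet1/1" or "[ ethernet1/1 ethernet1/2 ]" into names."""
    return [t.strip("[]") for t in str(value or "").split() if t.strip("[]")]


def interface_modes(cfg):
    """Map ethernet interface name -> configured mode (layer3, virtual-wire, ...) or None."""
    eth = cfg["network"]["interface"]["ethernet"]
    return {n: next(iter(b), None) if isinstance(b, dict) else None for n, b in eth.items()}


def vwire_members(cfg):
    """Every interface that belongs to some virtual-wire object."""
    vwires = cfg["network"].get("virtual-wire") or {}
    return {(b or {}).get(s) for b in vwires.values() for s in ("interface1", "interface2")} - {None}


def dangling_references(cfg):
    """Validator-style messages for each reference a commit would reject (all of them, not just the first)."""
    modes, members, problems = interface_modes(cfg), vwire_members(cfg), []
    for vw, body in (cfg["network"].get("virtual-wire") or {}).items():
        for slot, iface in (body or {}).items():      # a vwire slot needs an interface in virtual-wire mode
            if slot.startswith("interface") and modes.get(iface) != "virtual-wire":
                problems.append(f"network -> virtual-wire -> {vw} -> {slot} '{iface}' is not a valid reference")
    for vbody in (cfg.get("vsys") or {}).values():
        for zone, zbody in (vbody.get("zone") or {}).items():
            for mode, value in ((zbody or {}).get("network") or {}).items():
                for iface in _members(value):         # a vwire zone member must belong to a vwire object
                    ok = iface in members if mode == "virtual-wire" else modes.get(iface) == mode
                    if not ok:
                        problems.append(f"zone -> {zone} -> network -> {mode} '{iface}' is not a valid reference")
    return problems


def set_layer3(cfg, iface, address):
    """Trial of the first attempt in the thread: layer3 on an interface the vwire still references."""
    trial = copy.deepcopy(cfg)
    trial["network"]["interface"]["ethernet"][iface] = {"layer3": {"ip": {address: None}}}
    return dangling_references(trial)


def remove_vwire_only(cfg, vwire):
    """Trial of deleting the vwire object alone: the zones still point at its members."""
    trial = copy.deepcopy(cfg)
    del trial["network"]["virtual-wire"][vwire]
    return dangling_references(trial)


def plan_vwire_removal(cfg, vwire):
    """Return (delete commands, resulting config) with references cleared before the objects they point at."""
    trial = copy.deepcopy(cfg)
    body = trial["network"]["virtual-wire"][vwire]
    members = [body[s] for s in ("interface1", "interface2") if body.get(s)]
    cmds = []
    for vbody in (trial.get("vsys") or {}).values():
        for zone, zbody in (vbody.get("zone") or {}).items():
            net = (zbody or {}).get("network") or {}
            refs = _members(net.get("virtual-wire"))
            cmds += [f"delete zone {zone} network virtual-wire {i}" for i in refs if i in members]
            if "virtual-wire" in net:
                net["virtual-wire"] = " ".join(i for i in refs if i not in members) or None
    for iface in members:
        cmds.append(f"delete network interface ethernet {iface} virtual-wire")
        trial["network"]["interface"]["ethernet"][iface] = None
    cmds.append(f"delete network virtual-wire {vwire}")
    del trial["network"]["virtual-wire"][vwire]
    return cmds, trial


if __name__ == "__main__":
    cfg = parse(SAMPLE_CONFIG)
    print(*set_layer3(cfg, "ethernet1/2", "10.0.0.1/24"), sep="\n")
    print(*remove_vwire_only(cfg, "default-vwire"), sep="\n")
    print(*plan_vwire_removal(cfg, "default-vwire")[0], sep="\n")
```

Run it against your own `show config running` output by pasting the `network` and `vsys` sections into `SAMPLE_CONFIG`; the planned commands are the subset of Tom's list that this fragment needs, and `dangling_references` on the resulting config returning an empty list is the check that the commit will pass.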
05-16-2025 04:44 AM - edited 05-16-2025 04:46 AM
Hi, the device was faulty, and these commands were run on the other firewall.
The DHCP server is now set up, but my laptop cannot get an IP address when I connect it to the port on the wall using an ethernet cable.
My config is:
config {
mgt-config {
users {
admin {
phash $5$jwnqxrjg$0/5mLnf5go/.WQgyFQMon0oZGUn165QPnKd949dSlh6;
permissions {
role-based {
superuser yes;
}
}
}
}
password-complexity {
enabled yes;
minimum-length 8;
}
}
shared {
application;
application-group;
service;
service-group;
botnet {
configuration {
http {
dynamic-dns {
enabled yes;
threshold 5;
}
malware-sites {
enabled yes;
threshold 5;
}
recent-domains {
enabled yes;
threshold 5;
}
ip-domains {
enabled yes;
threshold 10;
}
executables-from-unknown-sites {
enabled yes;
threshold 5;
}
}
other-applications {
irc yes;
}
unknown-applications {
unknown-tcp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
unknown-udp {
destinations-per-hour 10;
sessions-per-hour 10;
session-length {
maximum-bytes 100;
minimum-bytes 50;
}
}
}
}
report {
topn 100;
scheduled yes;
}
}
}
devices {
localhost.localdomain {
network {
interface {
ethernet {
ethernet1/1;
ethernet1/2 {
layer3 {
ip {
xxx.yyy.21.132/27;
}
}
}
}
loopback {
units;
}
vlan {
units;
}
tunnel {
units;
}
}
vlan;
virtual-wire;
profiles {
monitor-profile {
default {
interval 3;
threshold 5;
action wait-recover;
}
}
}
ike {
crypto-profiles {
ike-crypto-profiles {
default {
encryption [ aes-128-cbc 3des];
hash sha1;
dh-group group2;
lifetime {
hours 8;
}
}
Suite-B-GCM-128 {
encryption aes-128-cbc;
hash sha256;
dh-group group19;
lifetime {
hours 8;
}
}
Suite-B-GCM-256 {
encryption aes-256-cbc;
hash sha384;
dh-group group20;
lifetime {
hours 8;
}
}
}
ipsec-crypto-profiles {
default {
esp {
encryption [ aes-128-cbc 3des];
authentication sha1;
}
dh-group group2;
lifetime {
hours 1;
}
}
Suite-B-GCM-128 {
esp {
encryption aes-128-gcm;
authentication none;
}
dh-group group19;
lifetime {
hours 1;
}
}
Suite-B-GCM-256 {
esp {
encryption aes-256-gcm;
authentication none;
}
dh-group group20;
lifetime {
hours 1;
}
}
}
global-protect-app-crypto-profiles {
default {
encryption aes-128-cbc;
authentication sha1;
}
}
}
}
qos {
profile {
default {
class-bandwidth-type {
mbps {
class {
class1 {
priority real-time;
}
class2 {
priority high;
}
class3 {
priority high;
}
class4 {
priority medium;
}
class5 {
priority medium;
}
class6 {
priority low;
}
class7 {
priority low;
}
class8 {
priority low;
}
}
}
}
}
}
}
virtual-router {
default {
protocol {
bgp {
enable no;
dampening-profile {
default {
cutoff 1.25;
reuse 0.5;
max-hold-time 900;
decay-half-life-reachable 300;
decay-half-life-unreachable 900;
enable yes;
}
}
}
}
interface ethernet1/2;
}
}
dhcp {
interface {
ethernet1/2 {
server {
ip-pool xxx.yyy.21.132-xxx.yyy.21.158;
}
}
}
}
}
deviceconfig {
system {
ip-address xxx.yyy.21.130;
netmask 255.255.255.224;
update-server updates.paloaltonetworks.com;
update-schedule {
threats {
recurring {
weekly {
day-of-week wednesday;
at 01:02;
action download-only;
}
}
}
}
timezone US/Pacific;
service {
disable-telnet yes;
disable-http yes;
}
hostname MGUKANSPA3502;
type {
static;
}
default-gateway xxx.yyy.21.129;
dns-setting {
servers {
primary xxx.zzz.36.10;
}
}
}
setting {
config {
rematch yes;
}
management {
hostname-type-in-syslog FQDN;
}
}
}
vsys {
vsys1 {
application;
application-group;
zone {
trust {
network {
layer3 ethernet1/2;
}
}
}
service;
service-group;
schedule;
rulebase {
security {
rules;
}
}
}
}
}
}
}
05-16-2025 07:57 AM
@Kfialkowski --
How are you expecting your client to get a DHCP address from the firewall?
From your config I only see Layer 3 components, but what you're asking is for the firewall to participate in Layer 2 functionality. You're going to need to create an L2 VLAN that hosts will be on to get the DHCP address. Then the network your PC is on will need to be a part of the same L2 domain that the firewall is trying to provide an IP address for.
05-16-2025 08:25 AM
You previously mentioned you don't have GUI access and only have CLI access to this firewall. There are a lot of components and configuration items that need to be deployed for this to work. You'd be better off having a lab with GUI access, recreating all of these components in the lab (GUI) validating that it works then taking that config and applying to your production via the CLI.
05-16-2025 11:42 AM
Hi @Kfialkowski ,
It looks like your virtual-wire interfaces have been deleted. I would recommend starting a new thread for the new issue. If there was one answer that did the trick, please mark it as the solution so that others with the same problem can easily find it.
Thanks!
Tom