Upgrade From PA-220 To PA-440

Step 1) Get a PA-440 from your reseller.

Step 2) Power On PA-440

Step 3) Connect the Micro USB cable to the console port, then the USB-A end into the workstation of your choice, with the OS of your choice. I will be using an HP laptop with Windows 11.

  • Baud Rate: 9600
  • Data Bits: 8
  • Parity: None
  • Stop Bits: 1
  • Flow Control: None

Login as admin:admin and change the password.

Step 4) Disable ZTP. Unless you are working with a consultant or an advanced VAR you probably won’t be using ZTP (Zero Touch Provisioning), and leaving it enabled will prevent us from configuring a static IP address on the MGMT port.

> set system ztp disable

Now wait for the firewall to reboot.

Step 5) Configure a static IP for the PA-440 MGMT port:

> configure
> set deviceconfig system type static ip-address <IP_ADDRESS> netmask <NETMASK> default-gateway <DEFAULT_GATEWAY>
> commit

At this point you can plug a network cable from the MGMT port into the switch in your network stack that will let it reach the internet and whatever devices are on the same subnet.

Step 5) Adjust any existing firewall rules to allow the MGMT port to reach the internet. If you are already using a PA series firewall and want to be really strict on the rules, the “paloalto-updates” app type is the main one that needs to be allowed.

Step 6) Register the device with your account on the Palo Alto Support portal. This is required when using the “grab licenses from online servers” option in the firewall. If you are using the device in an offline fashion then you will need to use the activation codes, which is outside the scope of this blog.

Step 7) Activate the PA-440 by checking online for licenses.
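As an added example (not part of the original post), this is how the strict rule from Step 5 can be expressed on the existing PA-220 that protects the subnet the new MGMT port lands on: one rule allowing only the paloalto-updates App-ID from the PA-440’s management address, followed by a logged deny so anything else that management port tries to do shows up in the traffic log. The zone names MGMT and Untrust and the address 10.0.0.5 are assumptions; substitute your own.

```text
(entered in configure mode on the PA-220; MGMT, Untrust and 10.0.0.5 are assumed values)
> configure
> set address PA440-MGMT ip-netmask 10.0.0.5/32
> set rulebase security rules Allow-PA440-Updates from MGMT to Untrust source PA440-MGMT destination any application paloalto-updates service application-default action allow log-end yes
> set rulebase security rules Deny-PA440-MGMT-Other from MGMT to Untrust source PA440-MGMT destination any application any service any action deny log-end yes
> move rulebase security rules Deny-PA440-MGMT-Other after Allow-PA440-Updates
> commit
```

Once the PA-440 is registered and licensed, Monitor -> Traffic filtered on the deny rule shows whether the management port needs anything beyond paloalto-updates in your environment.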

Congrats, we’ve got the first basic deployment steps configured for the PA-440. We can now manage it via the web interface on the MGMT port. Next we’ll export the config from the PA-220 and import it into the PA-440.

Step 8) Export existing config from PA-220.

Device -> Setup -> Operational -> Save named snapshot -> name it

Device -> Setup -> Operational -> Export named snapshot -> the one named above

Step 9) On the PA-440 Import the config.

Device -> Setup -> Operational -> Import named snapshot -> the one named above

Device -> Setup -> Operational -> Load named snapshot -> the one imported above

In my case I had a URL security definition that was causing a validation fault, so I had to check for new Apps and Threats packages and apply the latest one.

This most likely happened because my exported config had a later Apps and Threats definition than what the new firewall had available.

After this the commit validated without issue.
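To avoid hitting that validation fault in the first place, as an added example (not from the original post) you can compare the content version on both boxes from the CLI before loading the snapshot, and bring the PA-440 up to the latest Apps and Threats package if it is behind. The version string shown is a placeholder, not a real value.

```text
(run on the PA-220 and on the PA-440; compare the two app-version lines)
> show system info | match app-version
app-version: <CONTENT_VERSION>

(on the PA-440 only, if its app-version is older than the PA-220’s)
> request content upgrade check
> request content upgrade download latest
> request content upgrade install version latest
> show system info | match app-version
```

The install runs as a job, so wait for it to finish before loading the snapshot and committing.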

Step 10) Use Auth codes to activate all features.

Step 11) Commit

Step 12) Power off the PA-220 and replace it with the PA-440. Plug the network cables in 1 for 1; since they both have 8 ports it’s a direct in-place swap.

Now that I’ve got a PA-440 with all the bells and whistles, stay tuned for more Palo Alto Networks tutorials. I’ll review what I’ve covered in the past on my website and attempt to avoid duplicates; if I do find those I’ll update those posts, otherwise I’ll create a new one for new deployments.

Hope this helps someone.

VMware Changes Update URLs

If you run a home lab, or manage systems for companies, you may have noticed updates not working in VAMI… something like…. Ohhh I dunno.. this:

Check the URL and try again.

Unable to patch the vCenter via VAMI as it fails to download the updates from Broadcom public repositories

Cause

Public facing repository URLs and authentication mechanisms are changing. Download URLs are no longer common but unique for each customer therefore will require to be re-configured.

Well… wow thank you Broadcom for being so… amazing.

If you want to be overly confused about the whole thing you can read this KB: Authenticated Download Configuration Update Script

As in the original link I shared above, all you have to do is log in to the Broadcom support portal, get a token, and edit the URL…. but….

Notes:

    • The custom URL is not preserved post migration upgrade, FBBR restore and VCHA failover
    • If there is a proxy device configured between vCenter and the internet, ensure it is configured to allow communications to the new URL
    • Further patches automatically update this URL. For example, if 8.0.3.00400 is patched to 8.0.3.00500, the default URL will change to end in 8.0.3.00500.

Looks like this was enforced just a couple days ago … Sooooo, happy patching?   ¯\_(ツ)_/¯

Permission to perform this operation was denied. NoPermission.message.format

For anyone who may use my site as a source of informational references, I do apologize for the following:

  1. My site cert expiring. ACME is great; I’m just a bit upset they refuse to announce their HTTP auth sources, so I can’t create a security rule for them. Right now it would be restricted to App Type. While not bad.. not good enough, so I manually have to allow the traffic for the cert to be renewed.

    No… I have no interest in allowing ACME access to my DNS for DNS auth.

  2. Site was down for 24 hours. If anyone noticed at all, yes, my site was down for over 24 hours. This was due to a power outage that lasted over 12 hours after a storm hit. No UPS could have saved me from this, though one is in the works even after project “STFU” has completed.

    No, I have no interest in clouding my site.

I have a couple of blog post ideas roaming around, I’m just having a hard time finding the motivation.

Anyway, if you get “Permission to perform this operation was denied. NoPermission.message.format” while attempting to move an ESXi host into a vCenter cluster, chances are you have an orphaned vCLS VM.

If so, log into VAMI and restart the ESX Agent Manager (EAM) service.

After restarting that service everything should be hunky dory…

Cheers.