Suresh Vina

Author Archives: Suresh Vina

Getting Started with the Pytest Plugin for Infrahub

We all write code, but how do we know the changes we make in the future won’t break something that used to work? That’s where testing becomes important.

The idea is to catch problems early, ideally before they reach production. In the Python world, one of the most common ways to do this is with a tool called pytest. It lets you write tests to check that your code behaves the way you expect and helps you catch issues before they become a bigger problem.

Originally published under - https://www.opsmill.com/pytest-plugin-infrahub/

When working with Infrahub, testing is just as important. You might want to make sure your GraphQL queries are valid, your Jinja2 templates render correctly, or your transformations behave as expected.

Infrahub simplifies this by offering a pytest plugin that doesn’t require Python code; you define tests using plain YAML. This makes testing more accessible to teams across roles and speeds up the feedback loop during development.

These kinds of unit tests aren’t just about convenience, they help establish a production-ready automation system. With automated checks built into your process, every change is validated consistently, reducing the chance of something breaking unexpectedly. That consistency builds trust when your Continue reading

UGreen NASync DXP2800 Review and First Impressions

TL;DR - For anyone who doesn’t want to go through the full post, here’s the short version. I bought the UGreen NASync DXP2800 (2 bay) from Amazon for £249 and paired it with two Seagate Ironwolf 8TB HDDs, around £180 each.

The unit comes with an Intel N100 CPU, 8GB of RAM (upgradeable to 16GB, but there’s only one RAM slot), and a 2.5Gb/s LAN port. It has a solid build, was easy to set up, and I actually like the UI. Sure, it lacks a lot of features compared to Synology or QNAP, but since I’m mainly using it for file storage, I’m happy with the purchase.

But Why UGreen NAS?

The short answer is, this is the best bang for the buck. For £249, I’m getting a 2-bay NAS with an N100 CPU, 8GB of RAM, a 2.5Gb/s LAN port, and two NVMe slots.

I’ve been wanting to buy a NAS for over Continue reading

Juniper vJunos-router in Containerlab

If you follow me or read my blog, you probably know I'm a big advocate of Containerlab. I've been using it for over two years now and I absolutely love it. Why? Because it's open source, it has an amazing community behind it (thank you again, Roman), and labs are defined using simple YAML files that are easy to share and reuse.

So far, I've used Cisco IOL, Arista EOS, and Palo Alto VM in Containerlab. And finally, the time came to try Juniper. I decided to test the Juniper vJunos-router, which is a virtualized MX router. It's a single-VM version of vMX that doesn't require any feature licenses and is meant for lab or testing purposes. You can even download the image directly from Juniper's website without needing an account. Thank you, Juniper and Cisco, please take note. In this post, I'll show you how to run Juniper vJunos-router in Containerlab.

Prerequisites

This post assumes you're somewhat familiar with Containerlab and already have it installed. If you're new, feel free to check out my introductory blog below. Containerlab also has great documentation on how to use vJunos-router, so be sure to check that out as well.

Containerlab - Creating Continue reading

My Experience at AutoCon3

This is my second time attending the AutoCon event. The first one I went to was last year in Amsterdam (AutoCon1), and it was absolutely amazing. I decided to attend again this year, and AutoCon3 took place from the 26th to the 30th of May. The first two days were dedicated to workshops, and the conference itself ran from the 28th to the 30th. I only attended the conference. I heard there were around 650 attendees at this event, which is great to see.

Network Automation Forum (NAF)

In case you’ve never heard of AutoCon, it’s a community-driven conference focused on network automation, organized by the Network Automation Forum (NAF). NAF brings together people from across the industry to share ideas, tools, and best practices around automation, orchestration, and observability in networking.

They typically hold two conferences each year, one in Europe and one in the USA, or at least that’s how it’s been so far. The European event is usually around the end of May, and the US one takes place around November. Tickets are released in tiers, with early bird pricing being cheaper. I grabbed the early bird ticket for 299 euros as soon as it was announced.

Continue reading

Configuring VLANs on UniFi Switches

I’ve worked with Cisco, Arista, and Juniper switches most of my life, but when I first started using UniFi switches in my homelab, I found myself a bit confused. The way VLANs are configured on UniFi switches is slightly different from what I was used to. In this post, I’ll go through how to configure VLANs on UniFi switches, specifically focusing on the USW-Pro-Max-16 and USW-Lite-8 models.

Quick Recap on VLANs

VLAN stands for Virtual LAN, and it's a way to logically segment a network, even if all devices are connected to the same physical switch. Different vendors use slightly different terms when it comes to VLAN port types. For example, Cisco calls them access and trunk ports, while others might refer to them as untagged and tagged ports.

An untagged (or access) port is typically used to connect end devices like PCs or printers. These devices have no awareness of VLANs, they just send regular Ethernet frames. When the switch receives a frame on an access port, it tags it with the VLAN configured for that port before forwarding it internally or out via a trunk port.

Tagged (or trunk) ports are used between switches or to other Continue reading

Creating, Modifying, and Deleting Data in Infrahub Using the Python SDK

The Infrahub Python SDK allows you to interact with Infrahub programmatically and can be used to query, create, modify, and delete data. In a previous blog post, we looked at how to query data using the Python SDK and explored various examples, including filters, relationships, and how to retrieve related data.

Originally published under - https://www.opsmill.com/infrahub-python-sdk-create-modify-delete/

In this post, we’ll focus on how to create, modify, delete and upsert data using the SDK. We’ll walk through practical examples that show how to add new resources, update existing ones, and delete data from Infrahub.

Throughout this post, we’ll be using the Infrahub sandbox, which is freely available. The sandbox already has some data in it, so if you’d like to follow along or try this yourself, you can use it without needing to set up anything.

Initial Setup

In the previous post, we covered the basics of using the Python SDK, including how to install it and set up the client object. If you’re new to the SDK, I recommend going back to that first article to start from the install.

To get started today, I’ve generated an API token on the Infrahub demo instance Continue reading

Querying Data in Infrahub via the Python SDK

Infrahub provides multiple ways to interact with your infrastructure data, including the Web GUI, GraphQL queries, and the Python SDK. These can be used to query, modify, create, or delete data in Infrahub. In this post, we’ll focus on using the Python SDK to query data from Infrahub.

This post assumes you are familiar with basic Python and Infrahub. If you’re new to these topics, don’t worry, you can still follow along.

Throughout this post, we’ll be using the Always-On Infrahub demo instance, which is available for anyone to access via this link. The demo instance already has some data in it, so if you’d like to follow along or try this yourself, you can use it without needing to set up anything.

Originally published under - https://www.opsmill.com/querying-data-in-infrahub-via-the-python-sdk/

Introduction

The Python SDK supports both synchronous and asynchronous Python. However, in this post, we’ll focus on using synchronous Python, which I hope most of us are comfortable with. We’ll cover async in a future blog post.

Interacting with Infrahub through the Python SDK is done using a client object, which defines the Infrahub instance you’ll be working with. This client acts as the connection point, allowing you to Continue reading

Tailscale VPN – A Network Engineer’s Perspective

Before we get into what Tailscale is or how it compares to a traditional remote access VPN, let’s take a quick look at Tailscale in action. The main problem Tailscale solves is remote access to your internal workloads.

In my homelab, I have a server running Linux. When I’m on my home network, I can access it directly without any issues. But if I step outside and want to access the same server over the Internet, Tailscale makes that much easier and you can have it up and running in about 10 minutes for free.

Typically, you would set up some kind of a VPN, either running on a server or a dedicated firewall. Then, you’d install a VPN client on the devices and point them to the public IP of your VPN server or firewall. That’s exactly what I have at the moment.

Tailscale takes a completely different approach, and you don’t need any of that. I’m not saying one is better than the other, I’m just pointing this out for comparison. I’ve shared my thoughts on the pros and cons of each solution at the end of this post.

Tailscale Installation and Setup

Head over to the Tailscale Continue reading

Docker Series – Networking and IP Addresses

It’s a bit embarrassing as a Network Engineer that we’ve made it this far into the Docker series without looking into Docker Networking and IP Addresses. So, in this part of the series, let’s take a quick look at the basics of Docker Networking. There’s a lot more to Docker networking than what we’ll cover here, but this should be enough to get most people started. We can always explore advanced topics in future posts.

If you haven’t been following the Docker series and just landed on this post, don’t worry; you can still follow along without any issues. If you’re curious about the previous posts, feel free to check them out below.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy this type of content.

Docker Networking Basics

Container networking refers to the ability for containers to connect to and communicate with each other or Continue reading

Palo Alto Automated Scheduled Configuration Backup

I'm writing this in February 2025, and as far as I know, Palo Alto firewalls (not Panorama) don’t have a built-in mechanism for automatic configuration backups. Panorama, on the other hand, supports scheduled backups and allows you to send them to various locations like an SCP or FTP server. I’m not sure why this feature isn’t available on standalone firewalls, but in any case, let’s look at how you can use the API to periodically fetch the configuration from the Palo Alto firewall.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy this type of content.

Overview

The Palo Alto KB article explains how to use the XML API with cURL to fetch the configuration and then use a cron job to run it periodically. This method works, but I want to make some tweaks to ensure we have Continue reading

Palo Alto Clientless VPN Configuration

As the title suggests, Palo Alto's clientless VPN allows users to access internal resources (HTTPS-based) without installing the GlobalProtect client. This is useful when you have an internal application that external contractors need to use, but they may not want to install a VPN client. All they need to do is open a browser, log in to your GlobalProtect portal, and access the applications directly. In this blog post, we'll go through the steps to configure Palo Alto Clientless VPN.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy this type of content.

Overview

GlobalProtect Clientless VPN lets users securely access internal web applications from a browser without installing the GlobalProtect client. This is helpful for providing partners or contractors with access to specific internal applications. You can set up the GlobalProtect portal landing page to give users direct access to these applications.

0:00

/0:21

Clientless VPN acts as a reverse proxy, intercepting and modifying web pages from internal applications before presenting them to remote users. When users access these URLs, their requests pass through the GlobalProtect portal.

💡

Before proceeding, Continue reading

Python Getters, Setters and @property Decorator

When I first started working with Python classes, some of the most confusing topics were getters, setters, and @property. There are plenty of tutorials on how to use them, but very few actually explain why do we need them or what problem do they solve. So, I thought I’d write a dedicated post covering what they are and the problems they solve. Let’s get to it.

As always, if you find this post helpful, press the ‘clap’ button. It means a lot to me and helps me know you enjoy this type of content.

Python Classes

Before diving in, let's have a quick look at a Python class. Here’s a simple example of a Person class with two attributes name and age.

class Person:
    def __init__(self, name, age):
        self.name = name
        self.age = age

I'm going to create an instance of the class called p1, passing Continue reading

Combining URL Categories on Palo Alto

We know that in Palo Alto, or in any NGFW, we can allow or block various URL categories. Speaking specifically about the Palo Alto firewall, let's say you have a strict URL filtering policy and decide to block the 'Shareware and Freeware' category.

When you do this, you'll likely have frustrated users complaining that they can't access sites like GitHub, for example.

But, What Did I Do?

So, what did I do now to cause another network issue? Well, Palo Alto categorizes github.com as 'Shareware and Freeware', so the firewall simply blocks it. There’s a high chance that many other useful sites will get blocked too.

A quick fix is to create a Custom URL Category and add the GitHub URL to it. However, this isn’t a scalable solution.

For instance, if I start with *.github.com, the firewall may block github.com. Then, if I add github.com, the firewall might block URLs like www.github.githubassets.com. To address this, I’d need to use a different wildcard, but we can’t keep doing this for every affected site.

Combining URL Categories

Instead of managing each URL individually like before, we Continue reading

Automation Workflow with Infrahub, Nornir & Jinja2

Originally published in https://www.opsmill.com/simplifying-network-automation-workflows-with-infrahub-nornir-and-jinja2/

In this blog post, we will explore how InfraHub integrates with Jinja2 and Nornir to simplify network automation workflows. To demonstrate, we'll add two Arista devices to InfraHub, treating them as basic access switches. We'll then input the necessary details for these devices to generate configurations. We'll focus on creating VLAN and some interface configurations to keep it simple.

For each device, we'll assign a primary IP (used for SSH), configure a few interfaces with descriptions, and specify an untagged VLAN for each interface. Additionally, we'll define these VLANs globally in InfraHub (not tied to any specific device). A Jinja2 template will then use this information to generate configurations for each device. Finally, we'll use the nornir-infrahub plugin as the inventory source and Napalm to push the generated configurations to each device.

Prerequisites

This blog post assumes you are somewhat familiar with Git and Docker. If you’re new to InfraHub, don’t worry, you should still be able to follow Continue reading

Trying to Automate Palo Alto Firewall Objects/Rules Cleanup

In this blog post, we will walk you through how to clean up Palo Alto Firewall Objects and Rules using a simple Python script. The script is designed to search for a specific IP address or an entire subnet and remove any associated references.

The Problem

Have you ever found yourself in a situation where you've decommissioned a server or maybe even an entire subnet, and now you're faced with the task of cleaning up your firewall? If you're using Palo Alto, you probably know that you can't just remove an address object; you first need to eliminate all its references from address groups and rules.

This can become especially cumbersome if a single object is referenced in multiple places—you'll have to remove them one by one. Now, imagine having to do this for an entire subnet where multiple objects are involved. If this sounds familiar, read on to find out how to make this process easier using a simple Python Script.

If you are looking for a more sophisticated solution, feel free to check my other blog post on how to achieve this via the 'pan-os-php' library.

Palo Alto Object and Policy Cleanup with pan-os-php

If you work with Continue reading

Palo Alto SSL Decryption and App-ID

If you work with Palo Alto firewalls, you might have heard of App-ID. They work well and let us create security policies based on 'applications' rather than TCP/UDP port numbers. For example, instead of allowing UDP/53, we can allow the application 'DNS'. In this blog post, we will look at how App-ID works with and without SSL Decryption. Let's get to it.

If you are new to App-ID and want to know how it works, feel free to check out my introductory post below.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

App-ID Recap

When you have an NGFW like Palo Alto, you don't want to rely on port numbers for your security policies. Instead of allowing TCP/3389, TCP/389, or UDP/514, you want to use RDP, LDAP, or Syslog. Using specific port numbers, like TCP/3389, Continue reading

Paperless-ngx Self-Hosted Document Manager

At the moment, most of my documents are stored in Google Drive and locally on my machine. Whenever I need something, I go to Google Drive, search for it, and download it. While this works well, with all the concerns around privacy and data usage, I’d prefer to keep my documents locally rather than relying on cloud providers.

Recently, I came across a great self-hosted document manager called 'Paperless-NGX'. It not only helps with organising documents but also includes OCR functionality, allowing me to search within the documents themselves.

In this blog post, we'll go through how to set it up in a local environment and also cover how to put it behind the Caddy reverse proxy.

Paperless-NGX Installation with Docker

Paperless-NGX is a self-hosted document management system that helps organize and search documents easily. It comes with built-in OCR, allowing you to search within scanned documents and PDFs. One of the easiest ways to install Paperless-NGX is using Docker.

I went through the official documentation to Continue reading

Setting up Proxmox Backup Server

If you follow my blog, you may know that I recently migrated to Proxmox as my hypervisor, and I absolutely love it. My Proxmox server runs on a custom-built PC with an i9-10900K, 128GB RAM, and 3 x 1TB SSDs. I’m not using anything fancy, just a good number of VMs spread across two of the SSDs.

In this post, we’ll go through the process of setting up Proxmox Backup Server and backing up all the VMs from my Proxmox server to this backup server.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Why Proxmox Backup Server?

I’ve been running Proxmox for a few months without any backups. I did create some snapshots inside Proxmox in case I messed up a VM, so I could roll back if needed. Continue reading

Running Unifi Network Application in Docker

As of January 2024, the linuxserver/unifi-controller Docker image has been deprecated and is no longer receiving updates. This means it may no longer be secure or compatible with newer versions of UniFi devices. Users are now advised to switch to the linuxserver/unifi-network-application image, which is actively maintained and provides the latest version of the UniFi Network Application.

In this blog post, we will cover how to run the new image in Docker and how to migrate from the old image to the new one without losing your existing configuration.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

In my homelab, I have a USW Lite 8 PoE, U6-Pro, and U6 Mesh. I had been running the older linuxserver/unifi-controller Docker image since I first set them up. My controller was on version 8.0.34, if I remember correctly.

Recently, I moved to a new host, so I decided it was the right time to migrate to the new linuxserver/unifi-network-application image. While checking their GitHub page, I found this note.

You Continue reading

Using the Continue VSCode Extension and Local LLMs for Improved Coding

Welcome back to another post on local LLMs. In this post, we’ll look at setting up a fully local coding assistant inside VSCode using the Continue extension and Ollama. Let’s get started.

As always, if you find this post helpful, press the ‘clap’ button on the left. It means a lot to me and helps me know you enjoy this type of content.

Overview

We’ve covered Ollama and Local LLMs in previous blog posts (linked below), but here’s a quick summary.

Ollama is a tool that lets you run large language models (LLMs) directly on your local machine. Local LLMs are language models that run on your computer instead of relying on cloud-based services like ChatGPT. This means you can use them without sending your data to external servers, which is great for privacy. They also work offline, so you’re not dependent on an Internet connection.

That said, it’s important to note that local models, especially on smaller setups, won’t match the speed or performance of cloud-based models like ChatGPT. These cloud models are powered by massive infrastructure, so they’re faster and often more accurate. However, the trade-off is privacy and offline access, which local LLMs provide.

In Continue reading

1 2 3 … 6 Next »