topic Client want to reset vpn tunnel though API tools in Automation/API Discussions

Client want to reset vpn tunnel though API tools

NavidAlam — Wed, 28 Oct 2020 17:34:53 GMT

Hi Guys,

We have site to site vpn tunnel to client . Now client have tools that can call api from our side that can see vpn tunnel is down or not and reset it. But how we can give access to api to only specifi vpn tunnel to reset like ( clear & test )

/api/?type=op&cmd=<test><vpn><ike-sa><gateway></gateway></ike-sa></vpn></test>

/api/?type=op&cmd=<test><vpn><ipsec-sa><tunnel></tunnel></ipsec-sa></vpn></test>

Can anyone help where i can add the name and key it like the vpn tunnel name is ( ABC-VPN)

What will be full command before we forward them.

We can reset by command line.

test vpn ike-sa gateway ABC-VPN

test vpn ipsec-sa tunnel ABC-VPN

Re: Client want to reset vpn tunnel though API tools

hbalzac — Thu, 29 Oct 2020 10:01:34 GMT

So do you want to limit so this api users to only be able to run just a few commands? In this case reseting the vpn?

Re: Client want to reset vpn tunnel though API tools

NavidAlam — Thu, 29 Oct 2020 10:21:41 GMT

Yes. I want to limit the client by just only able to reset only his own VPN sit to sit tunnel.

Re: Client want to reset vpn tunnel though API tools

hbalzac — Thu, 29 Oct 2020 11:22:41 GMT

The rbac functionality for api users are quite limited, so its not possible. I have heard that 10.0 will be better but not to what extent.

Other vendors have had the possibility to just allow certain commands for users but palo lacks here imo.

Not sure on how you enviorment is setup, there is always the issue with the client modify the script and run other commands that you dont want. Perhaps just having a simple webportal where they can click one button?