topic Re: API command to enable/disable IPSec tunnel in Automation/API Discussions

API command to enable/disable IPSec tunnel

crostron76 — Thu, 17 Mar 2022 01:34:58 GMT

Hi all,

I am trying to enable/disable an IPSec via the API but cannot produce a command that works.

I am currently trying this command to disable the tunnel

curl -X GET "<firewall-fqdn>//api/?&type=config&action=set&xpath=/config/devices/entry[@name="<firewall-fqdn>"]/network/tunnel/ipsec/entry[@name="IPSec-Tunnel-Name"]/disabled&element=<disabled>yes</disabled>&key=<key>" --ssl-no-revoke

It returns the error:

<response status="error" code="13"><msg><line>set failed, may need to override template object first</line></msg></response>

Can someone please let me know where I am going wrong?

Thanks,

Chris.

Re: API command to enable/disable IPSec tunnel

JimmyHolland — Thu, 17 Mar 2022 10:27:04 GMT

Hi @crostron76, here is an API call that successfully disables an IPsec VPN in configuration (needing a commit to make the change happen):

https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='{{tunnelname}}']&element=<disabled>yes</disabled>

I think there are a couple of things with the original command.
- [@name="<firewall-fqdn>"] needs to be [@name='localhost.localdomain']

- The /disabled is not needed at the end of the xpath, as we are setting the disabled element in the element= section of the API call

- The error "may need to override template object first" implies that the IPsec config was sent from Panorama via a template, not created on the NGFW locally. Ideally, you would therefore make the change to disable the IPsec VPN from Panorama, not locally on the firewall, in order to keep Panorama and NGFW in-sync. Per the documentation, you can change action=set in the API call to be action=override in order to locally override the template configuration, but consider if this is the solution you want to proceed with.

Hope that helps!

Re: API command to enable/disable IPSec tunnel

crostron76 — Thu, 17 Mar 2022 22:49:48 GMT

Thanks @JimmyHolland, you were spot on. I had been close with a few commands I had tried throughout the day, and after this post had figured out I needed [@name='localhost.localdomain'], but still couldn't quite get the syntax correct.

On my system since I use curl running from Windows and have a WebUI certificate issued from the device itself I needed a few little tweaks to your command.

This was the winner for me:

curl -X GET "https://<firewall-fqdn>/api/?key=<key>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='IPSec-Tunnel-Name']&element=<disabled>yes</disabled>" --ssl-no-revoke

1> I had to add the double quotes to the command to keep Windows happy.

2> Adding the --ssl-no-revoke element to the command to avoid to schannel revocation error.

Of interest, this device is not managed by panorama so it is a bit strange that initial error I was getting, I too thought it was behaving like the config was pushed by Panorama. However it’s not, this firewall is stand alone and not managed by any panorama instance, as such there is no override command to use.

Thanks again for helping, much appreciated.

Chris.