03-16-2022 06:34 PM
Hi all,
I am trying to enable/disable an IPSec tunnel via the API but cannot produce a command that works.
I am currently trying this command to disable the tunnel:
curl -X GET "<firewall-fqdn>//api/?&type=config&action=set&xpath=/config/devices/entry[@name="<firewall-fqdn>"]/network/tunnel/ipsec/entry[@name="IPSec-Tunnel-Name"]/disabled&element=<disabled>yes</disabled>&key=<key>" --ssl-no-revoke
It returns the error:
<response status="error" code="13"><msg><line>set failed, may need to override template object first</line></msg></response>
Can someone please let me know where I am going wrong?
Thanks,
Chris.
03-17-2022 03:27 AM
Hi @crostron76, here is an API call that successfully disables an IPsec VPN in configuration (needing a commit to make the change happen):
https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='{{tunnelname}}']&element=<disabled>yes</disabled>
I think there are a couple of things with the original command.
- [@name="<firewall-fqdn>"] needs to be [@name='localhost.localdomain']
- The /disabled is not needed at the end of the xpath, as we are setting the disabled element in the element= section of the API call
- The error "may need to override template object first" implies that the IPsec config was sent from Panorama via a template, not created on the NGFW locally. Ideally, you would therefore make the change to disable the IPsec VPN from Panorama, not locally on the firewall, in order to keep Panorama and the NGFW in sync. Per the documentation, you can change action=set in the API call to be action=override in order to locally override the template configuration, but consider if this is the solution you want to proceed with.
Hope that helps!
03-17-2022 03:49 PM
Thanks @JimmyHolland, you were spot on. I had been close with a few commands I had tried throughout the day, and after this post had figured out I needed [@name='localhost.localdomain'], but still couldn't quite get the syntax correct.
On my system since I use curl running from Windows and have a WebUI certificate issued from the device itself I needed a few little tweaks to your command.
This was the winner for me:
curl -X GET "https://<firewall-fqdn>/api/?key=<key>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='IPSec-Tunnel-Name']&element=<disabled>yes</disabled>" --ssl-no-revoke
1. I had to add the double quotes to the command to keep Windows happy.
2. Adding the --ssl-no-revoke option to the command to avoid the schannel revocation error.
Of interest, this device is not managed by Panorama, so it is a bit strange that I was getting the initial error. I too thought it was behaving like the config was pushed by Panorama. However it's not; this firewall is standalone and not managed by any Panorama instance, so there is no override command to use.
Thanks again for helping, much appreciated.
Chris.
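The same set call as in the working command above, as an added Python example (not code from the thread or from Palo Alto Networks). It builds the xpath/element pair the replies settled on, URL-encodes it, and parses the XML reply so that an error such as the code 13 "override template object" response is surfaced instead of silently ignored. It assumes the firewall is standalone (device entry localhost.localdomain), that PAN-OS accepts the API key in the X-PAN-KEY header (so the key stays out of URLs and proxy/web logs), and that the caller can trust the firewall's web certificate via a CA file rather than turning revocation or certificate checks off; the tunnel-name pattern is a conservative assumption to keep quotes out of the xpath.

```python
"""Toggle the 'disabled' flag of a PAN-OS IPsec tunnel through the XML API."""
import re
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode

DEVICE = "localhost.localdomain"          # a standalone firewall's own device entry
NAME_RE = re.compile(r"[A-Za-z0-9._ -]{1,63}")  # assumption: keeps quotes out of the xpath


def build_params(tunnel: str, disabled: bool) -> dict:
    """Query parameters for the call: the xpath stops at the tunnel entry and the
    <disabled> value travels in element=, exactly as in the working command."""
    if not NAME_RE.fullmatch(tunnel):
        raise ValueError(f"unsafe tunnel name: {tunnel!r}")
    xpath = (f"/config/devices/entry[@name='{DEVICE}']"
             f"/network/tunnel/ipsec/entry[@name='{tunnel}']")
    element = f"<disabled>{'yes' if disabled else 'no'}</disabled>"
    return {"type": "config", "action": "set", "xpath": xpath, "element": element}


def build_url(host: str, tunnel: str, disabled: bool) -> str:
    """Full request URL; urlencode percent-encodes the brackets, quotes and tags."""
    return f"https://{host}/api/?" + urlencode(build_params(tunnel, disabled))


def parse_response(body: str) -> dict:
    """Reduce the API's XML reply to status/code/message. Code 13 with the
    'override template object' text is the error reported in the thread."""
    root = ET.fromstring(body)
    msg = " ".join(t.strip() for t in root.itertext() if t.strip())
    return {"status": root.get("status"), "code": root.get("code"), "msg": msg}


def set_tunnel_disabled(host: str, api_key: str, tunnel: str, disabled: bool,
                        cafile: Optional[str] = None) -> dict:
    """Send the call and raise on an error reply. A commit is still required."""
    req = urllib.request.Request(build_url(host, tunnel, disabled),
                                 headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context(cafile=cafile)  # validate the device cert
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        result = parse_response(resp.read().decode())
    if result["status"] != "success":
        raise RuntimeError(f"PAN-OS error {result['code']}: {result['msg']}")
    return result


if __name__ == "__main__":
    # Constructed sample: the error reply quoted in the thread, parsed offline.
    SAMPLE = ('<response status="error" code="13"><msg><line>set failed, '
              'may need to override template object first</line></msg></response>')
    print(parse_response(SAMPLE))
    print(build_url("fw.example.test", "IPSec-Tunnel-Name", True))
```

Running it with a real host still only changes the candidate configuration; follow it with a commit, as noted in the reply above.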