API command to enable/disable IPSec tunnel

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

API command to enable/disable IPSec tunnel

L1 Bithead

Hi all,

 

I am trying to enable/disable an IPSec via the API but cannot produce a command that works.

 

I am currently trying this command to disable the tunnel

curl -X GET "<firewall-fqdn>//api/?&type=config&action=set&xpath=/config/devices/entry[@name="<firewall-fqdn>"]/network/tunnel/ipsec/entry[@name="IPSec-Tunnel-Name"]/disabled&element=<disabled>yes</disabled>&key=<key>" --ssl-no-revoke

 

It returns the error:

<response status="error" code="13"><msg><line>set failed, may need to override template object  first</line></msg></response>

 

Can someone please let me know where I am going wrong?

 

Thanks,

Chris.

IT Professional
1 accepted solution

Accepted Solutions

L5 Sessionator

Hi @crostron76, here is an API call that successfully disables an IPsec VPN in configuration (needing a commit to make the change happen):

https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='{{tunnelname}}']&element=<disabled>yes</disabled>

 

I think there are a couple of things with the original command.
[@name="<firewall-fqdn>"] needs to be [@name='localhost.localdomain']

- The /disabled is not needed at the end of the xpath, as we are setting the disabled element in the element= section of the API call

- The error "may need to override template object first" implies that the IPsec config was sent from Panorama via a template, not created on the NGFW locally. Ideally, you would therefore make the change to disable the IPsec VPN from Panorama, not locally on the firewall, in order to keep Panorama and NGFW in-sync. Per the documentation, you can change action=set in the API call to be action=override in order to locally override the template configuration, but consider if this is the solution you want to proceed with.

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

View solution in original post

2 REPLIES 2

L5 Sessionator

Hi @crostron76, here is an API call that successfully disables an IPsec VPN in configuration (needing a commit to make the change happen):

https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='{{tunnelname}}']&element=<disabled>yes</disabled>

 

I think there are a couple of things with the original command.
[@name="<firewall-fqdn>"] needs to be [@name='localhost.localdomain']

- The /disabled is not needed at the end of the xpath, as we are setting the disabled element in the element= section of the API call

- The error "may need to override template object first" implies that the IPsec config was sent from Panorama via a template, not created on the NGFW locally. Ideally, you would therefore make the change to disable the IPsec VPN from Panorama, not locally on the firewall, in order to keep Panorama and NGFW in-sync. Per the documentation, you can change action=set in the API call to be action=override in order to locally override the template configuration, but consider if this is the solution you want to proceed with.

 

Hope that helps!

Help the community: "Like" helpful comments, and click "Accept as Solution" if you found your answer 🙂

Thanks @JimmyHolland, you were spot on.  I had been close with a few commands I had tried throughout the day, and after this post had figured out I needed [@name='localhost.localdomain'], but still couldn't quite get the syntax correct.

 

On my system since I use curl running from Windows and have a WebUI certificate issued from the device itself I needed a few little tweaks to your command.

 

This was the winner for me:

curl -X GET "https://<firewall-fqdn>/api/?key=<key>&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/ipsec/entry[@name='IPSec-Tunnel-Name']&element=<disabled>yes</disabled>" --ssl-no-revoke

 

1> I had to add the double quotes to the command to keep Windows happy.

2> Adding the --ssl-no-revoke element to the command to avoid to schannel revocation error.

 

Of interest, this device is not managed by panorama so it is a bit strange that initial error I was getting, I too thought it was behaving like the config was pushed by Panorama.  However it’s not, this firewall is stand alone and not managed by any panorama instance, as such there is no override command to use.

 

Thanks again for helping, much appreciated.

Chris.

IT Professional
  • 1 accepted solution
  • 3151 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!