10-28-2020 10:34 AM
Hi Guys,
We have a site-to-site VPN tunnel to a client. Now the client has tools that can call the API on our side to see whether the VPN tunnel is down and reset it. But how can we give API access to reset only a specific VPN tunnel (clear & test)?
/api/?type=op&cmd=<test><vpn><ike-sa><gateway></gateway></ike-sa></vpn></test>
/api/?type=op&cmd=<test><vpn><ipsec-sa><tunnel></tunnel></ipsec-sa></vpn></test>
Can anyone help with where I can add the name and key? For example, the VPN tunnel name is (ABC-VPN).
What will be the full command before we forward it to them?
We can reset by command line.
test vpn ike-sa gateway ABC-VPN
test vpn ipsec-sa tunnel ABC-VPN
10-29-2020 03:01 AM
So do you want to limit this API user to only be able to run just a few commands? In this case, resetting the VPN?
10-29-2020 03:21 AM
Yes. I want to limit the client to only being able to reset his own site-to-site VPN tunnel.
10-29-2020 04:22 AM
The RBAC functionality for API users is quite limited, so it's not possible. I have heard that 10.0 will be better, but not to what extent.
Other vendors have had the possibility to just allow certain commands for users, but Palo lacks here imo.
Not sure how your environment is set up; there is always the issue of the client modifying the script and running other commands that you don't want. Perhaps just having a simple web portal where they can click one button?