12-03-2010 08:09 AM
Is there a CLI command to disable (shutdown) a tunnel interface on a PAN firewall?
There is currently no command to disable a tunnel interface.
02-28-2012 10:10 AM
Is there one now?
If not, I have a work-around. Will post next as attachment.
02-28-2012 11:51 AM
WTF a cliffhanger? 😃
02-28-2012 01:08 PM
02-28-2012 10:13 PM
Curious why you want to shut down a tunnel interface. This is a logical interface and not really tied to a physical interface as such. What are you trying to accomplish by shutting down the tunnel interface?
Having said that, you can enable tunnel monitoring as that can basically disable the tunnel interface if the VPN is down to influence routing protocols. Is that what you are trying to do?
02-29-2012 09:15 AM
Many reasons, but I'll give the two which I'm using it for right now. First is a VPN between client(s) and myself. I don't want to leave it up at all times, just bring it up when needed. This will relieve routing conflicts between overlapping schemes among different clients and myself. Second, we moved from an old VPN between a Cisco (remote device) on one side and PA on the other to a complete Palo Alto solution. I want to avoid any chance of traffic routing over the old VPN and the only way to ensure this is to disable it, but PA doesn't allow an admin down state like Cisco does. BTW, why is that? SOP to leave the old infra in place until the new is proven good and stable. If a problem arises, simply fall back to the old VPN.
03-07-2012 10:15 AM
03-07-2012 02:39 PM
I guess you would just bitchslap me if I returned your "Patience, Daniel-san..."? 😉
03-07-2012 03:19 PM
LOL! two-shay... Then I would say, damn you guys are slow... ha
08-22-2012 06:08 AM
This is a rather old thread, but did someone find a way to get this done?
I was thinking of doing a shutdown of the tunnel interface or to the tunnel but couldn't find a way to do it.
08-23-2012 05:08 AM
My workaround is the following: Block all IPSEC traffic to/from the termination point.
It is not nice, but it works.
12-07-2022 01:02 PM
Since I didn't see anyone providing a solution, I just chose "disable" for each tunnel in the GUI and then did a commit.
The 3 tunnels went RED for status but IKE is still green, which makes no sense.
It seems there should be a simple CLI command like "test vpn tunnel tunnelname" (stop/start disable/enable) to do this easily, but nobody suggested one so I assume one does not exist.
I have 2 customers we have stopped supporting so I wanted to disable the tunnels.
If they resume support/buy new products then I will just enable it instead of going through the whole tunnel building process.