I want to disable an IPSec VPN. I have currently blocked traffic both directions to the tunnel by using a Security Policies, but there should be a way to disable the tunnel in the IPSec configuration (or alternatively, disable the tunnel interface). I don't want to delete it, but I don't want it taking up processor speed for a tunnel that I don't want turned on.
Currently, there isn't a nice "disable" button for IPSec Tunnel Configuration - but I do see the value in being able to disable tunnels at-will. For this case, I have created an "IKE Gateway" called "disabled" and populated it with bogus information. Then, when I need to disable a tunnel, I go change the IKE Gateway to "disabled" and commit. It has the same effect - and I've deleted nothing.
Hope that helps.
Agreed - it's a workaround - not a complete solution.
Ultimately, if you want a "disable" button in the IPSec configuration, you'll need to file a Feature Request with your local Palo Alto Networks sales engineer.
I agree that this would be a nice feature. I ran into an issue a couple of days ago where the VPN link between our PA and a Cisco ASA died after a software upgrade on the PA. I had no way kick start the PA to get it to retry making a connection to the remote site. I had to go into the CLI to do this. Having buttons on the GUI to be able to test the link or reset the link would be handy.
I also noticed that the link status never even updated when the link went down, which is concerning.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!