11-09-2022 03:34 AM
Hi @RogerMccarrick,
Understood. Originally I was just trying to answer the interface query, but I took a broader look at the config elements for GP Gateway and here's what I observed when I looked at the XML config for a successfully configured and working GP Gateway.
The config for a Gateway is split across two Xpaths:
/config/devices/entry[@name='localhost.localdomain']/network/tunnel/global-protect-gateway
and
/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/global-protect/global-protect-gateway
which may explain the challenges you are facing if you are (an assumption from your original post) only targeting the latter of these. A debug of the GUI shows two set calls, one to each Xpath.
Under the first Xpath it seems to look like this:
<global-protect-gateway>
  <entry name="gateway-N">
    <client>
      <exclude-video-traffic>
        <applications />
        <enabled>yes</enabled>
      </exclude-video-traffic>
      <dns-server>
        <primary>192.168.1.1</primary>
        <secondary>8.8.8.8</secondary>
      </dns-server>
      <dns-suffix>
        <member>test.local</member>
      </dns-suffix>
      <dns-suffix-inherited>no</dns-suffix-inherited>
    </client>
    <ipsec>
      <third-party-client>
        <enable>no</enable>
      </third-party-client>
    </ipsec>
    <local-address>
      <interface>ethernet1/3</interface>
      <ip>
        <ipv4>192.168.190.254/24</ipv4>
      </ip>
    </local-address>
    <ip-pool>
      <member>192.168.170.128-192.168.170.191</member>
    </ip-pool>
    <tunnel-interface>tunnel.1</tunnel-interface>
  </entry>
</global-protect-gateway>
And under the second it looks like this:
<global-protect-gateway>
  <entry name="gateway">
    <roles>
      <entry name="default">
        <login-lifetime>
          <days>30</days>
        </login-lifetime>
        <inactivity-logout>10</inactivity-logout>
      </entry>
    </roles>
    <client-auth>
      <entry name="mfa">
        <os>Any</os>
        <authentication-profile>mfa-auth-profile</authentication-profile>
        <authentication-message>Enter login credentials</authentication-message>
        <user-credential-or-client-cert-required>yes</user-credential-or-client-cert-required>
        <auto-retrieve-passcode>no</auto-retrieve-passcode>
        <username-label>Username</username-label>
        <password-label>Password</password-label>
      </entry>
      <entry name="Local">
        <os>Any</os>
        <authentication-profile>local-auth-profile</authentication-profile>
        <authentication-message>Enter login credentials</authentication-message>
        <user-credential-or-client-cert-required>yes</user-credential-or-client-cert-required>
        <auto-retrieve-passcode>no</auto-retrieve-passcode>
        <username-label>Username</username-label>
        <password-label>Password</password-label>
      </entry>
    </client-auth>
    <remote-user-tunnel-configs>
      <entry name="gp-client">
        <authentication-override>
          <accept-cookie>
            <cookie-lifetime>
              <lifetime-in-days>30</lifetime-in-days>
            </cookie-lifetime>
          </accept-cookie>
          <cookie-encrypt-decrypt-cert>pan-os-sub-ca</cookie-encrypt-decrypt-cert>
          <generate-cookie>no</generate-cookie>
        </authentication-override>
        <split-tunneling>
          <access-route>
            <member>0.0.0.0/0</member>
          </access-route>
        </split-tunneling>
        <source-user>
          <member>any</member>
        </source-user>
        <dns-server>
          <member>192.168.1.254</member>
        </dns-server>
        <dns-suffix>
          <member>test.local</member>
        </dns-suffix>
        <os>
          <member>any</member>
        </os>
        <retrieve-framed-ip-address>no</retrieve-framed-ip-address>
        <no-direct-access-to-local-network>no</no-direct-access-to-local-network>
      </entry>
    </remote-user-tunnel-configs>
    <ssl-tls-service-profile>cert-profile</ssl-tls-service-profile>
    <tunnel-mode>yes</tunnel-mode>
    <remote-user-tunnel>tunnel.1</remote-user-tunnel>
    <log-success>yes</log-success>
    <log-setting>default</log-setting>
  </entry>
</global-protect-gateway>
I created two XML API calls to replicate all this; they looked like this:
https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/network/tunnel/global-protect-gateway/entry[@name='new-gw-N']&element=<local-address><ip><ipv4>192.168.1.1/24</ipv4></ip><interface>ethernet1/4</interface><ip-address-family>ipv4</ip-address-family></local-address><client><exclude-video-traffic><applications/><enabled>no</enabled></exclude-video-traffic></client><ipsec><third-party-client><enable>no</enable></third-party-client></ipsec><ip-pool/><tunnel-interface>tunnel.2</tunnel-interface>
and this:
https://{{host}}/api/?key={{key}}&type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/global-protect/global-protect-gateway/entry[@name='new-gw']&element=<roles><entry name="default"><login-lifetime><days>30</days></login-lifetime><inactivity-logout>180</inactivity-logout></entry></roles><client-auth><entry name="local"><os>Any</os><authentication-profile>local-auth-profile</authentication-profile><authentication-message>Enter login credentials</authentication-message><user-credential-or-client-cert-required>no</user-credential-or-client-cert-required><auto-retrieve-passcode>no</auto-retrieve-passcode><username-label>Username</username-label><password-label>Password</password-label></entry></client-auth><remote-user-tunnel-configs><entry name="new-gw"><split-tunneling><include-domains><list/></include-domains><exclude-domains><list/></exclude-domains><access-route/><exclude-access-route/><include-applications/><exclude-applications/></split-tunneling><authentication-override><generate-cookie>no</generate-cookie></authentication-override><source-address><ip-address/><region/></source-address><source-user><member>any</member></source-user><authentication-server-ip-pool/><ip-pool><member>10.10.10.10-10.10.10.20</member></ip-pool><os><member>any</member></os><retrieve-framed-ip-address>no</retrieve-framed-ip-address><no-direct-access-to-local-network>no</no-direct-access-to-local-network></entry></remote-user-tunnel-configs><ssl-tls-service-profile>cert-profile</ssl-tls-service-profile><log-success>yes</log-success><log-setting>default</log-setting><tunnel-mode>yes</tunnel-mode><remote-user-tunnel>tunnel.2</remote-user-tunnel>
and that seemed to create a valid GP Gateway, including the items you have called out as an issue, like interface, tunnel mode, tunnel interface, etc.
I hope this helps to give you more insight and a path forward.
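As an added example (not the poster's own code), here are the same two set calls built in Python: ElementTree guarantees the element fragments are well-formed, and urlencode percent-encodes the xpath and XML that the raw URLs above carry unescaped. The host, API key and the reduced set of child elements are illustrative assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# The two xpaths from the post; the gateway entry name is appended to each.
NET_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
             "/network/tunnel/global-protect-gateway")
VSYS_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
              "/vsys/entry[@name='vsys1']/global-protect/global-protect-gateway")

def _leaf(parent, tag, text=None, **attrs):
    """Append a child element with optional text and attributes; return it."""
    el = ET.SubElement(parent, tag, attrs)
    el.text = text
    return el

def _fragment(root):
    """Serialise the wrapper's children to the bare fragment 'element' expects."""
    return "".join(ET.tostring(c, encoding="unicode") for c in root)

def network_element(interface, ipv4, tunnel_if):
    """Fragment for the network/tunnel xpath: local address and tunnel interface."""
    root = ET.Element("wrapper")
    local = _leaf(root, "local-address")
    _leaf(_leaf(local, "ip"), "ipv4", ipv4)
    _leaf(local, "interface", interface)
    _leaf(root, "tunnel-interface", tunnel_if)
    return _fragment(root)

def vsys_element(auth_profile, tls_profile, ip_pool, tunnel_if, cfg_name):
    """Fragment for the vsys xpath: client auth, tunnel config, TLS profile (assumed subset)."""
    root = ET.Element("wrapper")
    auth = _leaf(_leaf(root, "client-auth"), "entry", name="local")
    _leaf(auth, "os", "Any")
    _leaf(auth, "authentication-profile", auth_profile)
    cfg = _leaf(_leaf(root, "remote-user-tunnel-configs"), "entry", name=cfg_name)
    _leaf(_leaf(cfg, "ip-pool"), "member", ip_pool)
    _leaf(_leaf(cfg, "source-user"), "member", "any")
    _leaf(root, "ssl-tls-service-profile", tls_profile)
    _leaf(root, "tunnel-mode", "yes")
    _leaf(root, "remote-user-tunnel", tunnel_if)  # must match the network side's tunnel-interface
    return _fragment(root)

def set_url(host, key, xpath, gw_name, element):
    """URL for one config 'set' call; urlencode escapes <, >, [, ], ' and / in the query."""
    params = {"key": key, "type": "config", "action": "set",
              "xpath": f"{xpath}/entry[@name='{gw_name}']", "element": element}
    return f"https://{host}/api/?{urlencode(params)}"
```

Call set_url once with NET_XPATH and once with VSYS_XPATH, passing the same tunnel interface to both fragments, and issue the two resulting URLs in that order.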