topic Re: Update Existing VTI (vpnt) Interface Topology Setttings in API / CLI Discussion

Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 12:26:38 GMT

Hi There,

Is there any way via CLI to update the topology settings for a numbered VTI interface that already exists without deleting all other network interfaces under the gateway?

We are attempting to set the "Leads To" value to "All_Internet" on the VTI interface via CLI.

Using the "set simple-gateway" removes all existing interfaces on an interface change, unfortunately.

Is there any other command that can be can used?

We could certainly create the VTI interfaces initially if this makes it easier, rather than update existing ones but I can't see a way to do that so far.

These are the steps we have been working through, currently (Step 4 - Set Topology "Leads to") is where this question relates,

Any ideas would be greatly appreciated, thank you!

Step 1 - Create virtual tunnel interfaces “VTI“

add vpn tunnel 1 type numbered local 192.168.85.3 remote 192.168.85.5 peer ibosscloud-1 add vpn tunnel 2 type numbered local 192.168.85.4 remote 192.168.85.6 peer ibosscloud-2 set interface vpnt1 state on set interface vpnt1 mtu 1500 set interface vpnt2 state on set interface vpnt2 mtu 1500

Step 2 - Create “IP Reachability Detection“ - Monitoring Profiles

set ip-reachability-detection ping interval 10
set ip-reachability-detection ping address 192.168.85.5 enable-ping on
set ip-reachability-detection ping address 192.168.85.6 enable-ping on

Step 3 - Discover VTI Interfaces

get-interfaces target-name gw-102690 with-topology true

Step 4 - Set Topology "Leads to"

????????

Re: Update Existing VTI (vpnt) Interface Topology Setttings

the_rock — Thu, 30 Sep 2021 12:33:31 GMT

I tried doing same many times and it never worked, so I just assumed logically its not possible without deleting it and then re-creating again. Even had TAC case about it for weeks and no one could find the solution.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 12:42:34 GMT

Thank you, from what we can see this is preventing vendor integration via cli/api.

Amazon and other vendors simply cannot do via CLI for route mode VPN.

We have a UI integration guide for routed mode x2 tunnels and monitored policy-based routing for redundant failover.

However, we really want to translate this to CLI which setting the topology on an existing VTI interface is very invasive to the existing customer interfaces.

Happy to connect with anyone at Checkpoint to share our integration guides and partner up on the documentation we have.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

PhoneBoy — Thu, 30 Sep 2021 13:47:34 GMT

When you use set-simple-gateway to change existing interface settings, you also have to (re)define all the other interfaces at the same time or they are lost.
This is currently the expected behavior of the API.
However, if you’re doing this programmatically, you should be able to obtain all the necessary settings in order to recreate them.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 15:25:10 GMT

Thanks!, yes this is what I was asking, how could we say build a numbered VTI interface, define the peer name and peer ID's while setting the topology "leads to"?

"add vpn tunnel" doesn't support setting the topology, is there another command to do this than "set simple-gateway"

Re: Update Existing VTI (vpnt) Interface Topology Setttings

PhoneBoy — Thu, 30 Sep 2021 15:38:41 GMT

Topology is a function of the firewall, which requires changing the relevant gateway object.
The only way to do that via the API/CLI is using set-simple-gateway.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 15:51:39 GMT

Understood so this just loops back to the original problem, where using this command deletes all other network interfaces under the gateway?

Re: Update Existing VTI (vpnt) Interface Topology Setttings

the_rock — Thu, 30 Sep 2021 16:06:02 GMT

Wait a moment, I just realized something when I looked at more carefully at your post. I checked in one customer's config and in their dashboard, I can click and change the topology on vti without any issues. Is it possible (not saying 100%) that someone might have a lock in dashboard on that object? Usually when you see message like that "object is viewed in read only mode", its certainly a possibility.

If you navigate to manage and settings -> sessions -> view sessions -> make sure there are no locks present there, but if there are, right click and take over or discard.

Andy

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 16:08:07 GMT

Hey its more via CLI than UI so I was exploring that possibility it seems the command is set simple-gateway which impacts all other existing interfaces if you need to alter an interface property.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

the_rock — Thu, 30 Sep 2021 16:09:59 GMT

No, I get it, I understood that part, but why do it that way if you can change it via dashboard without impacting anything else?

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 16:11:23 GMT

Because of integration and automation for many customers.

Re: Update Existing VTI (vpnt) Interface Topology Setttings

the_rock — Thu, 30 Sep 2021 16:13:07 GMT

K, fair enough. With that part, I will let @PhoneBoy guide you, since he is CP king...I honestly dont use API much, so wont even pretend : )

Re: Update Existing VTI (vpnt) Interface Topology Setttings

ibosscloud — Thu, 30 Sep 2021 16:16:34 GMT

I appreciate your help anyway, As it's working as expected we'll have to work around that and use what we have. Thanks again