Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
ibosscloud
Explorer
Jump to solution

Update Existing VTI (vpnt) Interface Topology Setttings

Hi There, 

Is there any way via CLI to update the topology settings for a numbered VTI interface that already exists without deleting all other network interfaces under the gateway?

 

We are attempting to set the "Leads To" value to "All_Internet" on the VTI interface via CLI.

Capture.PNG

 

Using the "set simple-gateway" removes all existing interfaces on an interface change, unfortunately. 

Is there any other command that can be can used?

 

We could certainly create the VTI interfaces initially if this makes it easier, rather than update existing ones but I can't see a way to do that so far.

 

 

These are the steps we have been working through, currently (Step 4 - Set Topology "Leads to") is where this question relates, 

 

Any ideas would be greatly appreciated, thank you!

 

Step 1 - Create virtual tunnel interfaces “VTI“

add vpn tunnel 1 type numbered local 192.168.85.3 remote 192.168.85.5 peer ibosscloud-1
add vpn tunnel 2 type numbered local 192.168.85.4 remote 192.168.85.6 peer ibosscloud-2

set interface vpnt1 state on
set interface vpnt1 mtu 1500
set interface vpnt2 state on
set interface vpnt2 mtu 1500

 

 

Step 2 - Create “IP Reachability Detection“ - Monitoring Profiles

set ip-reachability-detection ping interval 10
set ip-reachability-detection ping address 192.168.85.5 enable-ping on
set ip-reachability-detection ping address 192.168.85.6 enable-ping on

 

Step 3 - Discover VTI Interfaces

get-interfaces target-name gw-102690 with-topology true

 

Step 4 - Set Topology "Leads to"

????????

 

 

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

When you use set-simple-gateway to change existing interface settings, you also have to (re)define all the other interfaces at the same time or they are lost.
This is currently the expected behavior of the API.
However, if you’re doing this programmatically, you should be able to obtain all the necessary settings in order to recreate them.

View solution in original post

0 Kudos
12 Replies
the_rock
Legend
Legend

I tried doing same many times and it never worked, so I just assumed logically its not possible without deleting it and then re-creating again. Even had TAC case about it for weeks and no one could find the solution.

0 Kudos
ibosscloud
Explorer

Thank you, from what we can see this is preventing vendor integration via cli/api.

Amazon and other vendors simply cannot do via CLI for route mode VPN. 

 

We have a UI integration guide for routed mode x2 tunnels and monitored policy-based routing for redundant failover.

However, we really want to translate this to CLI which setting the topology on an existing VTI interface is very invasive to the existing customer interfaces.

 

Happy to connect with anyone at Checkpoint to share our integration guides and partner up on the documentation we have. 

0 Kudos
PhoneBoy
Admin
Admin

When you use set-simple-gateway to change existing interface settings, you also have to (re)define all the other interfaces at the same time or they are lost.
This is currently the expected behavior of the API.
However, if you’re doing this programmatically, you should be able to obtain all the necessary settings in order to recreate them.

0 Kudos
ibosscloud
Explorer

Thanks!, yes this is what I was asking, how could we say build a numbered VTI interface, define the peer name and peer ID's while setting the topology "leads to"?

 

"add vpn tunnel" doesn't support setting the topology, is there another command to do this than "set simple-gateway"

 

 

0 Kudos
PhoneBoy
Admin
Admin

Topology is a function of the firewall, which requires changing the relevant gateway object.
The only way to do that via the API/CLI is using set-simple-gateway.

0 Kudos
ibosscloud
Explorer

Understood so this just loops back to the original problem, where using this command deletes all other network interfaces under the gateway?

 

 

0 Kudos
the_rock
Legend
Legend

Wait a moment, I just realized something when I looked at more carefully at your post. I checked in one customer's config and in their dashboard, I can click and change the topology on vti without any issues. Is it possible (not saying 100%) that someone might have a lock in dashboard on that object? Usually when you see message like that "object is viewed in read only mode", its certainly a possibility.

If you navigate to manage and settings -> sessions -> view sessions -> make sure there are no locks present there, but if there are, right click and take over or discard.

 

Andy

0 Kudos
ibosscloud
Explorer

Hey its more via CLI than UI so I was exploring that possibility it seems the command is set simple-gateway which impacts all other existing interfaces if you need to alter an interface property. 

0 Kudos
the_rock
Legend
Legend

No, I get it, I understood that part, but why do it that way if you can change it via dashboard without impacting anything else?

0 Kudos
ibosscloud
Explorer

Because of integration and automation for many customers. 

0 Kudos
the_rock
Legend
Legend

K, fair enough. With that part, I will let @PhoneBoy guide you, since he is CP king...I honestly dont use API much, so wont even pretend : )

0 Kudos
ibosscloud
Explorer

I appreciate your help anyway,  As it's working as expected we'll have to work around that and use what we have. Thanks again 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events