Enable/Disable sites in Policy Based VPN Topology #32

Closed
EtienneMILON opened this issue Jul 7, 2022 · 8 comments

Comments

@EtienneMILON

Hello,

Is it possible to enable or disable VPN Site in Policy Based VPN Topology ?

I am doing something like that :

from smc.vpn.policy import PolicyVPN

pb_vpn = PolicyVPN.get("VPN_name")
pb_vpn.open()
# first satellite gateway node: list its enabled and disabled sites
list(list(pb_vpn.satellite_gateway_node)[0].enabled_sites)
list(list(pb_vpn.satellite_gateway_node)[0].disabled_sites)

=> I can see enabled and disabled sites

But when trying to update :

list(pb_vpn.satellite_gateway_node)[0].update(enabled_sites=[])
>>> smc.api.exceptions.UpdateElementFailed: Invalid JSON format: At line 1 and column 713, enabled_sites is not recognized as JSON attribute.

Do you know if there is another way to do this please ?

@EtienneMILON
Author

Hello,

I have also seen that I can retrieve VPN site configuration directly from the engine :

from smc.vpn.policy import PolicyVPN
from smc.core.engine import Engine

# map every Policy VPN name <-> key in both directions
vpn_pb = {}
for one_vpn in PolicyVPN.objects.all():
    vpn_pb.update({
        one_vpn.name: one_vpn.key,
        one_vpn.key: one_vpn.name,
    })

# group the engine's VPN sites by the Policy VPN that references them
engine = Engine("my_firewall")
engine_vpn = {}
for site in engine.vpn.sites:
    for ref in site.vpn_references:
        if ref["vpn_id"] in vpn_pb.keys():
            if vpn_pb.get(ref["vpn_id"]) not in engine_vpn.keys():
                engine_vpn[vpn_pb.get(ref["vpn_id"])] = {}
            engine_vpn[vpn_pb.get(ref["vpn_id"])].update({site.name: ref})

Is it possible to update these sites (enable/disable and mode) ?

@ad1rie1

ad1rie1 commented Dec 8, 2022

Hi Etienne!
Something like this:

from smc.base.model import Element, SubElement
from smc.core.engine import InternalEndpoint
from smc.vpn.policy import PolicyVPN


class ConnectionType(Element):
    typeof = 'connection_type'


class EndpointTunnel(SubElement):
    """
    A gateway tunnel represents the point to point connection
    between two IPSEC endpoints in a PolicyVPN configuration.
    The tunnel arrangement is based on whether the nodes are placed
    as a central gateway or a satellite gateway. This provides access
    to see the point to point connections, whether the link is enabled,
    and setting the preshared key.
    """

    def enable_disable(self):
        """
        Enable or disable the tunnel link between endpoints.

        :raises UpdateElementFailed: failed with reason
        :return: None
        """
        if self.enabled:
            self.update(enabled=False)
        else:
            self.update(enabled=True)

    @property
    def enabled(self):
        """
        Whether the VPN link between endpoints is enabled

        :rtype: bool
        """
        return self.data.get('enabled', False)

    @property
    def tunnel_side_a(self):
        """
        Return the gateway node for tunnel side A. This will
        be an instance of GatewayNode.

        :rtype: GatewayNode
        """
        return type('TunnelSideA', (InternalEndpoint,), {
            'href': self.data.get('endpoint_1')})()

    @property
    def tunnel_side_b(self):
        """
        Return the gateway node for tunnel side B. This will
        be an instance of GatewayNode.

        :rtype: GatewayNode
        """
        return type('TunnelSideB', (InternalEndpoint,), {
            'href': self.data.get('endpoint_2')})()

    def setVPNProfile(self, href):
        # Plain method, not a property: a property cannot take an argument.
        # Note that this only reads the stored vpn_profile (falling back to
        # `href`); it does not write it back.
        return self.data.get('vpn_profile', href)

    def __str__(self):
        return '{0}(tunnel_side_a={1},tunnel_side_b={2})'.format(
            self.__class__.__name__, self.tunnel_side_a.name, self.tunnel_side_b.name)

    def __repr__(self):
        return str(self)


ENABLE = True  # desired state for the matching tunnels (was undefined in the snippet)

VPNPDV = PolicyVPN(name='VPN-PDV')
VPNPDV.open()
########### SET UP A CUSTOM VPN PROFILE ON THE ENDPOINTS #############
for tunnel in VPNPDV.tunnels:
    tunnela = tunnel.tunnel_side_a
    tunnelb = tunnel.tunnel_side_b
    if tunnel.enabled != ENABLE:
        if tunnela.name.startswith("FWCENTRAL") and tunnelb.name.startswith("FWDistant"):
            tunnel.update(enabled=ENABLE)

# commit once, after all tunnels have been updated
VPNPDV.save()

@lilianValeroFp
Contributor

It is already available in 1.0.20.

@EtienneMILON
Author

Hello,

Sorry I didn't check this for a long time.
Thanks @ad1rie1, but my question is not relative to Policy Based tunnels but Policy Based VPN sites.

@lilianValeroFp, can you explain what has been implemented in 1.0.20 please?
I tried again to update VPN site as my first message with fp-NGFW-SMC-python==1.0.24 and SMC 6.10, but I still have the same error.

@MaxPoint67

Hello,
So enabling/disabling a site is ok; here is an example.
For vpn_references (and modes), it is missing and has been requested for implementation.

Given pbvpn is your Policy Based VPN:

from smc.vpn.policy import PolicyVPN

pbvpn = PolicyVPN("pbvpn_name")
# depending on whether you want satellite or central; here satellite
for gw_node in pbvpn.satellite_gateway_node.all():
    # we look for Plano VPN Gateway
    if gw_node.name == "Plano VPN Gateway":
        # here we look for enabled sites
        for site in list(gw_node.enabled_sites):
            # here we match the site name
            if site.name == "PLANO_SITE":
                site.enable_disable()
pbvpn.save()

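Because site.enable_disable() in the answer above is a toggle, calling it without first checking enabled_sites / disabled_sites can flip a site the wrong way on a second run. The following is an added example (not from this issue or the smc-python project) of an idempotent "ensure state" wrapper; the StubSite and StubGatewayNode classes are constructed stand-ins that only mimic the interface shown in the thread (enabled_sites, disabled_sites, site.name, site.enable_disable()), so the logic can run offline.

```python
# Added example, not from the issue or smc-python. The gateway-node interface
# assumed here is the one the thread shows: gw_node.enabled_sites and
# gw_node.disabled_sites yield sites with .name and a toggling .enable_disable().

class StubSite:
    """Constructed stand-in for a VPN site; records how often it was toggled."""
    def __init__(self, name, enabled):
        self.name = name
        self.enabled = enabled
        self.toggles = 0

    def enable_disable(self):
        # same semantics as the library call: flip, do not set
        self.enabled = not self.enabled
        self.toggles += 1


class StubGatewayNode:
    """Constructed stand-in for a satellite/central gateway node."""
    def __init__(self, name, sites):
        self.name = name
        self.sites = sites

    @property
    def enabled_sites(self):
        return [s for s in self.sites if s.enabled]

    @property
    def disabled_sites(self):
        return [s for s in self.sites if not s.enabled]


def set_site_state(gw_node, site_name, enabled):
    """Ensure `site_name` on `gw_node` is enabled (True) or disabled (False).

    Returns True if a toggle was issued, False if the site was already in the
    requested state. Raises KeyError when the node has no such site, so a
    misspelled site name fails loudly instead of being silently skipped.
    """
    current = {s.name: (s, True) for s in gw_node.enabled_sites}
    current.update({s.name: (s, False) for s in gw_node.disabled_sites})
    if site_name not in current:
        raise KeyError("site %r not found on gateway node %r" % (site_name, gw_node.name))
    site, is_enabled = current[site_name]
    if is_enabled == enabled:
        return False  # already as requested: never call the toggle
    site.enable_disable()
    return True
```

With the real library, pass a node from pbvpn.satellite_gateway_node.all() (or the central equivalent) and call pbvpn.save() afterwards as in the answer above.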
@EtienneMILON
Author

Thanks @MaxPoint67 !

@EtienneMILON
Author

Hello again,

So it is ok for enable/disable sites.
Do you know if it is possible to set the site mode (private / hub) ?

@lilianValeroFp
Contributor

Hi, we are investigating this part. We will keep you posted.
