Hello community
I am trying to STOP / START ipsec tunnels via API.
I successfully connected to the API and sent a "tunnel_reset_stats" command to the API and the tunnel statistics get reset. So far so good. I was choosing "tunnel_reset_stats" since that command requires additional parameters via HTTP POST and so do the tunnel_down and tunnel_up commands, which is my goal to achieve. I am using PowerShell and the following code to reset the stats, and it works:
==== CODE ====
$ApiToken = "[redacted]"
$body = @{
"p1name" = "[Phase1Name]"
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_reset_stats?access_token=$ApiToken"
$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $Header -Body ($body|ConvertTo-Json) -ContentType "application/json"
==== CODE ====
Now according to the API documentation the tunnel_up and tunnel_down commands need 2 parameters (p1name and p2name). So I adapted my script as follows:
==== CODE ====
$ApiToken = "[redacted]"
$body = @{
"p1name" = "[Phase1Name]"
"p2name" = "[Phase2Name]"
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=$ApiToken"
$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $Header -Body ($body|ConvertTo-Json) -ContentType "application/json"
==== CODE ====
You can see the only thing I changed was the additional parameter p2name, which is required. I get the following error:
Invoke-RestMethod : {
"http_method":"POST",
"status":"error",
"http_status":500,
"vdom":"root",
"path":"vpn",
"name":"ipsec",
"action":"tunnel_down",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573
}
Can someone please shed light behind all this?
Kind regards Mike
Hey mike_theknife,
the API request might need a p2serial value in addition to p1name and p2name?
Cheers,
Debbie
Created on 09-12-2024 06:56 AM Edited on 09-12-2024 07:01 AM
Hello Debbie
Thank you for your fast reply!
How do I get the value for p2serial? I tried with 0 with no success.
If I use "diagnose vpn tunnel list name [my_vpn]" I get:
---
name=[my_vpn] ver=2 serial=12 ...
---
Is that serial number from there? If yes how can I get this serial number via API? I want to automate the restart of a tunnel.
Greetings
Mike
Created on 09-12-2024 07:38 AM Edited on 09-12-2024 08:14 AM
Hello Debbie
I tried it with curl too
curl --insecure -X 'POST' \
> 'https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=[API_Token]' \
> -H 'accept: application/json' -H 'Content-Type: application/json' \
> -d '{ "p1name": "Phase1name","p2name": "Phase2name" }'
{
"path":"vpn",
"name":"ipsec",
"action":"tunnel_down",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573,
"status":"error",
"http_status":424
I will try again when I know how to get the serial parameter.
A different command works (tunnel_reset_stats)
curl --insecure -X 'POST' 'https://[Firewall-IP]/api/v2/monitor/vpn/ipsec/tunnel_reset_stats?access_token=[API-Token]' -H 'accept: application/json' -H 'Content-Type: application/json' -d '{
"p1name": "[MY_VPN]" }'
{
"http_method":"POST",
"status":"success",
"http_status":200,
"vdom":"root",
"path":"vpn",
"name":"ipsec",
"action":"tunnel_reset_stats",
"serial":"[redacted]",
"version":"v7.4.3",
"build":2573
Greetings Mike
Hey Mike,
my lab is not currently cooperating, so I can't get this live, but from some internal API documentation it looks like a GET request to /api/v2/monitor/vpn/ipsec should return an array of tunnels (optionally you can filter on the tunnel), and that should include the p2serial value.
Example screenshot:
So you could do a GET to /vpn/ipsec first to get the p2serial, then POST to /vpn/ipsec/tunnel_down
Hello Debbie
you were right, it needed the parameter p2serial, although it was mentioned as not mandatory in the documentation. With /api/v2/monitor/vpn/ipsec I retrieved all the tunnels and found the serial number, which I then used in my script to stop the IPsec tunnel.
==== WORKING POWERSHELL CODE ====
$ApiToken = "[redacted]"
$body = @{
"p1name" = "[Phase1Name]"
"p2name" = "[Phase2Name]"
"p2serial" = 10  # replace with whatever serial your tunnel has from /api/v2/monitor/vpn/ipsec
}
$EndPoint = "https://[firewall-ip]/api/v2/monitor/vpn/ipsec/tunnel_down?access_token=$ApiToken"
$header = @{ "Authorization" = "Bearer $ApiToken" }
$action = Invoke-RestMethod -Method POST -Uri $EndPoint -Headers $Header -Body ($body|ConvertTo-Json) -ContentType "application/json"
==== CODE ====
My question is: does the serial number change? When I include it in a script and it changes, the script will obviously fail. Is the serial set when the tunnel gets initially set up and does it stay for the duration of its lifetime?
Greetings Mike
Hey Mike,
as far as I know, the serial can change, so a script to read the serial from a GET request and store it in a variable is probably the way to go.
Cheers,
Debbie
Hello Debbie
Thanks again for your effort!
When I have an IPsec tunnel with several phase2 definitions, will I have to get all the p2serial parameters, or is there a way to take down the entire tunnel like the feature in the GUI? If there was a way to send CLI commands through the API I would be set.
Greetings Mike
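The GET-then-POST sequence Debbie describes, extended to the multi-phase2 case from Mike's last question, as an added PowerShell example that is not part of the thread and not Fortinet's code. The endpoints (/api/v2/monitor/vpn/ipsec and /vpn/ipsec/tunnel_down) and the body fields p1name, p2name and p2serial are those used in the thread; the shape of the GET response ("results" entries with a "name" and a "proxyid" array carrying "p2name" and "p2serial") is an assumption modelled on the thread, so the property names may need adjusting to what your firewall actually returns. The serial is re-read on every run, and the token is sent only in the Authorization header rather than in the URL, so it does not land in proxy or web-server logs.

```powershell
# Added example (not from the thread): look up every phase2 serial of a
# phase1 via GET /api/v2/monitor/vpn/ipsec, then POST tunnel_down once per
# phase2. Re-reading the serials each run covers the case where they change.
# ASSUMPTION: the response shape below ("results" -> "name" -> "proxyid"
# entries with "p2name"/"p2serial") is modelled on the thread, not verified
# against vendor documentation; adjust the property names as needed.

# Constructed sample of what the GET might return, so the lookup can be
# exercised offline before touching a firewall.
$SampleMonitorJson = @'
{
  "http_method": "GET",
  "results": [
    {
      "name": "[Phase1Name]",
      "proxyid": [
        { "p2name": "[Phase2Name-A]", "p2serial": 10, "status": "up" },
        { "p2name": "[Phase2Name-B]", "p2serial": 11, "status": "up" }
      ]
    },
    {
      "name": "[OtherTunnel]",
      "proxyid": [
        { "p2name": "[OtherP2]", "p2serial": 3, "status": "down" }
      ]
    }
  ],
  "status": "success",
  "http_status": 200
}
'@

function Get-Phase2Entries {
    # Return the (p2name, p2serial) pairs of one phase1 from a parsed monitor
    # response. The match on the phase1 name is exact, so a similarly named
    # tunnel is never taken down by accident.
    param(
        [Parameter(Mandatory)] $MonitorResponse,
        [Parameter(Mandatory)] [string] $P1Name
    )
    $tunnel = @($MonitorResponse.results | Where-Object { $_.name -eq $P1Name })
    if ($tunnel.Count -ne 1) {
        throw "Expected exactly one tunnel named '$P1Name', found $($tunnel.Count)"
    }
    foreach ($p2 in $tunnel[0].proxyid) {
        [pscustomobject]@{ p2name = $p2.p2name; p2serial = [int]$p2.p2serial }
    }
}

function Stop-IpsecTunnel {
    # GET the current serials, then POST tunnel_down for every phase2 of the
    # named phase1. Invoke-RestMethod already throws on non-2xx responses
    # (the 500/424 cases seen in the thread); the status check below also
    # catches an error body delivered with HTTP 200.
    param(
        [Parameter(Mandatory)] [string] $FirewallHost,
        [Parameter(Mandatory)] [string] $ApiToken,
        [Parameter(Mandatory)] [string] $P1Name
    )
    $headers = @{ Authorization = "Bearer $ApiToken"; Accept = 'application/json' }
    $base    = "https://$FirewallHost/api/v2/monitor/vpn/ipsec"

    $monitor = Invoke-RestMethod -Method GET -Uri $base -Headers $headers
    foreach ($p2 in Get-Phase2Entries -MonitorResponse $monitor -P1Name $P1Name) {
        $body = @{ p1name = $P1Name; p2name = $p2.p2name; p2serial = $p2.p2serial } | ConvertTo-Json
        $result = Invoke-RestMethod -Method POST -Uri "$base/tunnel_down" -Headers $headers `
                                    -Body $body -ContentType 'application/json'
        if ($result.status -ne 'success') {
            throw "tunnel_down failed for $($p2.p2name) (serial $($p2.p2serial)): http_status $($result.http_status)"
        }
        Write-Verbose "tunnel_down accepted for $P1Name / $($p2.p2name) (serial $($p2.p2serial))"
    }
}

# Offline check of the lookup against the constructed sample: prints the two
# phase2 entries of [Phase1Name] with serials 10 and 11.
$entries = Get-Phase2Entries -MonitorResponse ($SampleMonitorJson | ConvertFrom-Json) -P1Name '[Phase1Name]'
$entries | Format-Table

# Live use (needs a reachable firewall and a token with the monitor permission):
# Stop-IpsecTunnel -FirewallHost '[firewall-ip]' -ApiToken $ApiToken -P1Name '[Phase1Name]' -Verbose
```

If the firewall presents a self-signed certificate, PowerShell 7 accepts `-SkipCertificateCheck` on the two Invoke-RestMethod calls, which limits the exemption to those requests instead of disabling certificate validation for the whole session; pinning the firewall's certificate or importing its CA is the cleaner fix.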