https://live.paloaltonetworks.com/t5/prisma-access-insights/why-should-tunnel-monitoring-be-considered-when-there-is-already/m-p/567217#M12 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230645">@AkashThangavel</a> ,</P> <P>Please note that I don't have any experience with Prisma Access, but I can make an educated guess:"<BR /><BR />- I would assume Prisma Access "Tunnel Monitoring" to work exactly the same way as self-hosted/managed Palo Alto firewall. When tunnel monitor is enabled, firewall will generate ping probe packets to the destination IP, and if there is no reply firewall will consider this tunnel as down, even if the IPsec SA (phase1 and phase2) are actually still up. One of the use case of such monitor is to "disable" any static or policy based routes associated with that tunnel and failover the traffic to redundant path. Another benefit is that the constant ping will keep the tunnel up even if there is no actual traffic, which is equivalent to "aways-up" for the VPN tunnel.<BR /><BR />- While the email alert will only indicate that the tunnel is down and most importantly to trigger such alert, IPsec SAs needs to be down (no phase1 or phase2).</P> <P>&nbsp;</P> <P>You&nbsp; are correct that both can triggers an alert event indicating issues with the tunnel, but tunnel monitor take a step further by verifying of the layer3 path over that tunnel is indeed working and provide a way to dynamically switch to redundant path (if you have such in your setup).</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 27 Nov 2023 14:12:43 GMT aleksandar.astardzhiev 2023-11-27T14:12:43Z https://live.paloaltonetworks.com/t5/prisma-access-insights/why-should-tunnel-monitoring-be-considered-when-there-is-already/m-p/567196#M11 <P>Hi team,</P> <P>Why should tunnel monitoring be considered when there is already a predefined tunnel status report available in Prisma Access?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AkashThangavel_0-1701087947010.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55433iA5C07E6C93C00386/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AkashThangavel_0-1701087947010.png" alt="AkashThangavel_0-1701087947010.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AkashThangavel_2-1701090527421.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55437i97986FE64AA89A52/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AkashThangavel_2-1701090527421.png" alt="AkashThangavel_2-1701090527421.png" /></span></P> <P>The setup is already predefined; you just need to input the respective email IDs to ensure the timely delivery of the reports.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AkashThangavel_1-1701089096193.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55434iE549CF4F13BDEF59/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AkashThangavel_1-1701089096193.png" alt="AkashThangavel_1-1701089096193.png" /></span></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AkashThangavel_0-1701090350984.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/55435i4D96876C45E72BAD/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="AkashThangavel_0-1701090350984.png" alt="AkashThangavel_0-1701090350984.png" /></span></P> <P>Tunnel monitoring aims to generate critical logs, a task that is already accomplished through the use of these predefined alert codes.</P> <P>&nbsp;</P> <P>Please distinguish this variation</P> <P>&nbsp;</P> <P>regards,</P> <P>Akash Thangavel</P> <P>Network Security Engineer</P> Mon, 27 Nov 2023 13:09:01 GMT https://live.paloaltonetworks.com/t5/prisma-access-insights/why-should-tunnel-monitoring-be-considered-when-there-is-already/m-p/567196#M11 AkashThangavel 2023-11-27T13:09:01Z https://live.paloaltonetworks.com/t5/prisma-access-insights/why-should-tunnel-monitoring-be-considered-when-there-is-already/m-p/567217#M12 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/230645">@AkashThangavel</a> ,</P> <P>Please note that I don't have any experience with Prisma Access, but I can make an educated guess:"<BR /><BR />- I would assume Prisma Access "Tunnel Monitoring" to work exactly the same way as self-hosted/managed Palo Alto firewall. When tunnel monitor is enabled, firewall will generate ping probe packets to the destination IP, and if there is no reply firewall will consider this tunnel as down, even if the IPsec SA (phase1 and phase2) are actually still up. One of the use case of such monitor is to "disable" any static or policy based routes associated with that tunnel and failover the traffic to redundant path. Another benefit is that the constant ping will keep the tunnel up even if there is no actual traffic, which is equivalent to "aways-up" for the VPN tunnel.<BR /><BR />- While the email alert will only indicate that the tunnel is down and most importantly to trigger such alert, IPsec SAs needs to be down (no phase1 or phase2).</P> <P>&nbsp;</P> <P>You&nbsp; are correct that both can triggers an alert event indicating issues with the tunnel, but tunnel monitor take a step further by verifying of the layer3 path over that tunnel is indeed working and provide a way to dynamically switch to redundant path (if you have such in your setup).</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 27 Nov 2023 14:12:43 GMT https://live.paloaltonetworks.com/t5/prisma-access-insights/why-should-tunnel-monitoring-be-considered-when-there-is-already/m-p/567217#M12 aleksandar.astardzhiev 2023-11-27T14:12:43Z