How to get notifications about IPSec tunnel status


44784
Created On 09/25/18 19:52 PM - Last Modified 06/09/23 09:09 AM


Resolution


Issue

The Palo Alto Networks firewall currently does not expose SNMP OIDs for IPSec tunnel status, so a network management system cannot rely on SNMP polling or traps to be notified when an IPSec tunnel on the firewall changes its status.


Workaround

Perform the following workaround on the Palo Alto Networks firewall so that tunnel state changes are delivered to the management system over syslog instead:

  1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel (https://live.paloaltonetworks.com/docs/DOC-1323). The tunnel monitor sends probes to a destination IP through the tunnel; choose an address that is reachable only through that tunnel, otherwise the monitor will not reflect the tunnel's real state.
  2. Configure a Syslog server profile that sends syslog messages to the desired Syslog server (https://live.paloaltonetworks.com/docs/DOC-3837).
  3. Go to Device > Log Settings > System and forward System logs to the Syslog server profile created in step 2. Tunnel monitor events are logged at severity "low" (see the sample below), so make sure that severity is included in what gets forwarded; an entry that only forwards critical or high events will never carry the tunnel messages.
  4. Commit the configuration.

 

When the tunnel monitor fails the firewall generates the following message in the system log:

 

Time                 Severity  Subtype  Object         EventID  ID  Description
===============================================================================
2015/03/15 13:24:34  low       vpn      <object name>  tunnel-  0   Tunnel <tunnel name> is down

 

The Syslog server therefore receives the "Tunnel <tunnel name> is down" message. When the IPSec tunnel is brought back up, the tunnel interface also comes up, the firewall writes a corresponding "Tunnel <tunnel name> is up" message to the system log, and that log is forwarded to the Syslog server in the same way, so the management system sees both transitions.
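The following is an added example, not part of the original article, showing what the receiving side of this workaround can do with the forwarded logs: it parses PAN-OS SYSTEM log lines arriving over syslog, picks out the vpn-subtype "Tunnel ... is down/up" messages, and raises a notification only when a tunnel actually changes state (repeated "down" messages from the tunnel monitor do not re-alert). The comma-separated field layout used here (type in field 3, subtype in field 4, generated time in field 6, object in field 9, severity in field 13, description in field 14) is an assumption for the example and should be checked against the syslog field reference for your PAN-OS release; the sample lines, the hostname PA-FW, the serial number and the tunnel name ipsec-to-branch are constructed. The Event ID field is left empty in the samples because the article only shows it truncated; the matcher keys off the subtype and the description text instead.

```python
"""Turn forwarded PAN-OS SYSTEM logs into IPSec tunnel state-change notifications.

Added example for the KB workaround above; not Palo Alto Networks code.
The CSV field positions below are assumed, not taken from the article.
"""
import csv
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Optional RFC 3164 header ("<PRI>Mmm dd HH:MM:SS host ") in front of the CSV payload.
_SYSLOG_HDR = re.compile(
    r"^(?:<\d{1,3}>)?[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+"
)
# Description text as the article shows it: "Tunnel <name> is down" / "... is up".
_DESC = re.compile(r"^Tunnel (?P<name>\S+) is (?P<state>up|down)$", re.IGNORECASE)

# Assumed positions inside the comma-separated SYSTEM log payload.
_F_TYPE, _F_SUBTYPE, _F_GENERATED, _F_DESCRIPTION = 3, 4, 6, 14


@dataclass(frozen=True)
class TunnelEvent:
    generated: str   # generated-time field from the log
    tunnel: str      # tunnel name taken from the description
    state: str       # "up" or "down"


def parse_system_log(line: str) -> Optional[TunnelEvent]:
    """Return a TunnelEvent for a vpn tunnel status line, None for anything else."""
    m = _SYSLOG_HDR.match(line)
    payload = line[m.end():] if m else line
    fields = next(csv.reader([payload]))
    if len(fields) <= _F_DESCRIPTION:
        return None
    if fields[_F_TYPE] != "SYSTEM" or fields[_F_SUBTYPE] != "vpn":
        return None
    desc = _DESC.match(fields[_F_DESCRIPTION].strip())
    if not desc:
        return None
    return TunnelEvent(
        generated=fields[_F_GENERATED],
        tunnel=desc["name"],
        state=desc["state"].lower(),
    )


class TunnelStateTracker:
    """Remembers the last known state per tunnel and reports only real transitions."""

    def __init__(self) -> None:
        self.state: Dict[str, str] = {}

    def update(self, ev: TunnelEvent) -> Optional[str]:
        prev = self.state.get(ev.tunnel)
        self.state[ev.tunnel] = ev.state
        if prev == ev.state:
            return None  # tunnel monitor repeated the same state; nothing new to report
        return f"{ev.generated} tunnel {ev.tunnel}: {prev or 'unknown'} -> {ev.state}"


def notifications_for(lines: List[str]) -> List[str]:
    """Run a batch of raw syslog lines through the parser and tracker."""
    tracker = TunnelStateTracker()
    notes: List[str] = []
    for line in lines:
        ev = parse_system_log(line)
        if ev is None:
            continue
        note = tracker.update(ev)
        if note:
            notes.append(note)
    return notes


# Constructed sample input: a tunnel goes down, the monitor repeats "down",
# an unrelated system event arrives, then the tunnel comes back up.
SAMPLE_LINES = [
    "<14>Mar 15 13:24:34 PA-FW 1,2015/03/15 13:24:34,001801000000,SYSTEM,vpn,0,"
    "2015/03/15 13:24:34,,,ipsec-to-branch,0,0,general,low,Tunnel ipsec-to-branch is down,1001,0x0",
    "<14>Mar 15 13:24:44 PA-FW 1,2015/03/15 13:24:44,001801000000,SYSTEM,vpn,0,"
    "2015/03/15 13:24:44,,,ipsec-to-branch,0,0,general,low,Tunnel ipsec-to-branch is down,1002,0x0",
    "<14>Mar 15 13:25:10 PA-FW 1,2015/03/15 13:25:10,001801000000,SYSTEM,general,0,"
    "2015/03/15 13:25:10,,general,,0,0,general,informational,User admin logged in via Web,1003,0x0",
    "<14>Mar 15 13:26:02 PA-FW 1,2015/03/15 13:26:02,001801000000,SYSTEM,vpn,0,"
    "2015/03/15 13:26:02,,,ipsec-to-branch,0,0,general,low,Tunnel ipsec-to-branch is up,1004,0x0",
]

if __name__ == "__main__":
    for note in notifications_for(SAMPLE_LINES):
        print(note)
```

In a real deployment the lines would come from the syslog daemon's spool or a socket listener rather than a list; the tracker's state dictionary is what keeps a flapping tunnel monitor from paging on every repeated "down" message, and the unknown-to-down transition on first sight is deliberate so that a tunnel that is already down when the collector starts is still reported.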



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail