The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on SNMP protocol to receive notifications when the IPSec tunnel on the Palo Alto Networks firewall changes it's status.
Workaround
Perform the following workaround on the Palo Alto Networks firewall:
Go to Device > Log Setting > System to send logs to previously created Syslog server.
When the tunnel monitor fails the firewall generates the following message in the system log:
Time Severity Subtype Object EventID ID Description =============================================================================== 2015/03/15 13:24:34 low vpn <object name> tunnel- 0 Tunnel <tunnel name> is down
The Syslog server receives a "tunnel down" message. After the IPSec tunnel is brought up, the tunnel interface also goes up and a new message "tunnel is UP" is generated in the system logs. Then, a newly generated log is sent to the Syslog server.