- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
- LIVEcommunity
- Collaboration
- Discussions
- General Topics
- Tunnel monitoring using internal src to external dst?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-24-2019 04:00 PM
Is it possible to monitor VPN tunnels using an internal source IP on my tunnel interface and the external IP of the other system? I won't always have control/access to the other side of the tunnel, I may only know the local subnet(s) and the external IP.
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 09:52 AM
Hello,
The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.
Does this help?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 04:57 AM
if you 'number' all your tunnels (set a /30 subnet ip on each end) you can simply monitor the remote tunnel interface
Like my answer? check out my book! https://bit.ly/MasteringPAN
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 07:53 AM
I don't follow you. I don't have access to each end, I only have access to my end. I know the external IP and the local subnets of the other end. The other end is generally not a PA firewall.
Can you give an example of what should be set for IPsec Tunnel -> Tunnel Monitor -> Destination IP ?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 09:52 AM
Hello,
The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.
Does this help?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 10:33 AM
Okay, I've got it figured out. I also see the tunnel-status-up and tunnel-status-down messages in the system logs.
Are there any plans to add a GUI indicator for tunnel monitoring status?
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 10:34 AM
Already have one Network Tab-> IPSec Tunnels
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-25-2019 12:29 PM
That doesn't show monitoring status...the tunnel may be up, but monitoring might be in a down state because of a changed IP address (for example).
- Site-to-Site VPN private subnets cannot ping eachother through the tunnel in General Topics
- DNAT with different external port to different internal port. in General Topics
- GlobalProtect Mixed Internal and External Gateway and one Portal in GlobalProtect Discussions
- Global Protect Always On When Coming Into the Office in General Topics
- Solution: How To View Cortex XDR Behavioral Threat Protection (BTP) Rules in Cortex XDR Discussions
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
