cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Tunnel monitoring using internal src to external dst?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
mike406
L2 Linker
‎01-24-2019 04:00 PM
‎01-24-2019 04:00 PM

Tunnel monitoring using internal src to external dst?

Is it possible to monitor VPN tunnels using an internal source IP on my tunnel interface and the external IP of the other system? I won't always have control/access to the other side of the tunnel, I may only know the local subnet(s) and the external IP.

0 Likes
Reply

Accepted Solutions
OtakarKlier
Cyber Elite
Cyber Elite
‎01-25-2019 09:52 AM
‎01-25-2019 09:52 AM

Hello,

The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.

 

Does this help?

View solution in original post

0 Likes
Reply

All Replies
reaper
L7 Applicator
‎01-25-2019 04:57 AM
‎01-25-2019 04:57 AM

if you 'number' all your tunnels (set a /30 subnet ip on each end) you can simply monitor the remote tunnel interface

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
0 Likes
Reply
mike406
L2 Linker
‎01-25-2019 07:53 AM
‎01-25-2019 07:53 AM

I don't follow you. I don't have access to each end, I only have access to my end. I know the external IP and the local subnets of the other end. The other end is generally not a PA firewall.

 

Can you give an example of what should be set for IPsec Tunnel -> Tunnel Monitor -> Destination IP ?

 

 

0 Likes
Reply
OtakarKlier
Cyber Elite
Cyber Elite
‎01-25-2019 09:52 AM
‎01-25-2019 09:52 AM

Hello,

The 'destination IP' can be anything that is pingable on the other end of the tunnel. Perhaps the internal interface of the other sides firewall? Just soemthing that is always %100 up so you dont get false positives.

 

Does this help?

View solution in original post

0 Likes
Reply
mike406
L2 Linker
‎01-25-2019 10:33 AM
‎01-25-2019 10:33 AM

Okay, I've got it figured out. I also see the tunnel-status-up and tunnel-status-down messages in the system logs.

 

Are there any plans to add a GUI indicator for tunnel monitoring status?

0 Likes
Reply
OtakarKlier
Cyber Elite
Cyber Elite
‎01-25-2019 10:34 AM
‎01-25-2019 10:34 AM

Already have one Network Tab-> IPSec Tunnels

0 Likes
Reply
mike406
L2 Linker
‎01-25-2019 12:29 PM
‎01-25-2019 12:29 PM

That doesn't show monitoring status...the tunnel may be up, but monitoring might be in a down state because of a changed IP address (for example).

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks