Why should tunnel monitoring be considered when there is already a predefined tunnel status report available in Prisma Access?



Hi team,

Why should tunnel monitoring be considered when there is already a predefined tunnel status report available in Prisma Access?


The setup is already predefined; you just need to input the respective email IDs to ensure the timely delivery of the reports.


Tunnel monitoring aims to generate critical logs, a task that is already accomplished through the use of these predefined alert codes.


Please distinguish this variation


regards,

Akash Thangavel

Network Security Engineer


Hi @AkashThangavel ,

Please note that I don't have any experience with Prisma Access, but I can make an educated guess:

- I would assume Prisma Access "Tunnel Monitoring" works exactly the same way as on a self-hosted/managed Palo Alto firewall. When tunnel monitor is enabled, the firewall will generate ping probe packets to the destination IP, and if there is no reply the firewall will consider this tunnel as down, even if the IPsec SAs (phase1 and phase2) are actually still up. One of the use cases of such a monitor is to "disable" any static or policy-based routes associated with that tunnel and fail the traffic over to a redundant path. Another benefit is that the constant ping will keep the tunnel up even if there is no actual traffic, which is equivalent to "always-up" for the VPN tunnel.

- While the email alert will only indicate that the tunnel is down, and most importantly, to trigger such an alert the IPsec SAs need to be down (no phase1 or phase2).


You are correct that both can trigger an alert event indicating issues with the tunnel, but tunnel monitor takes a step further by verifying that the layer3 path over that tunnel is indeed working and provides a way to dynamically switch to a redundant path (if you have such in your setup).
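The difference described in the reply, as an added illustration that is not part of the thread or of any Palo Alto code: an SA-based alert only fires when phase1/phase2 are down, while a tunnel monitor declares the path down from lost probe replies and withdraws the route. The probe samples, the three-lost-probes threshold and the tunnel names are constructed assumptions.

```python
"""Simulated SA-based alerting vs tunnel monitoring (constructed example)."""
from dataclasses import dataclass
from typing import List


@dataclass
class Tunnel:
    name: str
    phase1_up: bool            # IKE SA state
    phase2_up: bool            # IPsec SA state
    probe_replies: List[bool]  # constructed: True = ping reply, False = timeout
    monitor_threshold: int = 3  # assumed: consecutive lost probes before "down"


def sa_alert(t: Tunnel) -> bool:
    """Predefined tunnel-status alert: fires only when an IPsec SA is down."""
    return not (t.phase1_up and t.phase2_up)


def monitor_down(t: Tunnel) -> bool:
    """Tunnel monitor: the last `monitor_threshold` probes all went unanswered."""
    recent = t.probe_replies[-t.monitor_threshold:]
    return len(recent) == t.monitor_threshold and not any(recent)


def select_route(primary: Tunnel, backup: Tunnel) -> str:
    """Route stays on the primary until the monitor withdraws it, then fails over."""
    if not monitor_down(primary):
        return primary.name
    if not monitor_down(backup):
        return backup.name
    return "none"


# Constructed sample tunnels.
HEALTHY = Tunnel("tunnel.1", True, True, [True] * 5)
# SAs negotiated and still up, but the L3 path behind the tunnel stopped answering.
BLACKHOLE = Tunnel("tunnel.2", True, True, [True, True, False, False, False])
# Phase2 torn down: the only case the SA-based alert catches.
SA_DOWN = Tunnel("tunnel.3", True, False, [False] * 5)


def compare(t: Tunnel) -> dict:
    """Side-by-side view of what each mechanism reports for one tunnel."""
    return {"tunnel": t.name, "sa_alert": sa_alert(t), "monitor_down": monitor_down(t)}


if __name__ == "__main__":
    for t in (HEALTHY, BLACKHOLE, SA_DOWN):
        print(compare(t))
    print("active path:", select_route(BLACKHOLE, HEALTHY))
```

The BLACKHOLE case is the gap the reply points at: no SA alert is ever raised, yet the monitor marks the tunnel down and the route moves to the backup.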
