How to get notifications about IPSec tunnel status

Created On 09/25/18 19:52 PM - Last Modified 04/20/20 23:38 PM



The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on SNMP to receive notifications when an IPSec tunnel on the firewall changes its status.




Perform the following workaround on the Palo Alto Networks firewall:

  1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel.
  2. Configure a Syslog server profile to send syslog messages to the desired Syslog server.
  3. Go to Device > Log Settings > System and send the system logs to the previously created Syslog server profile.


When the tunnel monitor fails, the firewall generates the following message in the system log:


Time Severity Subtype Object EventID ID Description
2015/03/15 13:24:34 low vpn <object name> tunnel- 0 Tunnel <tunnel name> is down


The Syslog server receives a "tunnel down" message. After the IPSec tunnel is brought back up, the tunnel interface also goes up and a new message, "tunnel is UP", is generated in the system log. That new log entry is then sent to the Syslog server as well.
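On the Syslog server side, the messages still have to be turned into notifications. The following is an added example, not Palo Alto Networks code: it matches the Description text shown above and reports only real state changes. It assumes the recovery message mirrors the down message ("Tunnel <tunnel name> is up"), that tunnel names contain no whitespace, and it uses constructed sample lines.

```python
import re

# Matches the Description text from the article: "Tunnel <tunnel name> is down".
# Assumptions: the recovery text mirrors it ("... is up"), matched case-insensitively
# because the article writes it as "tunnel is UP"; names contain no whitespace.
STATUS_RE = re.compile(
    r"\bTunnel\s+(?P<name>\S+)\s+is\s+(?P<state>up|down)\b", re.IGNORECASE
)


def parse_status(line):
    """Return (tunnel_name, 'up' or 'down') for a tunnel status line, else None."""
    m = STATUS_RE.search(line)
    if m is None:
        return None
    return m.group("name"), m.group("state").lower()


def transitions(lines):
    """Yield (tunnel, old_state, new_state) only when a tunnel's state changes.

    A repeated 'down' for a tunnel already known to be down is suppressed, so a
    retransmitted or duplicated syslog message does not raise a second alert.
    """
    state = {}
    for line in lines:
        parsed = parse_status(line)
        if parsed is None:
            continue  # unrelated system log entry
        name, new = parsed
        old = state.get(name, "unknown")
        if old != new:
            state[name] = new
            yield name, old, new


# Constructed sample input (not captured from a real firewall).
SAMPLE = [
    "2015/03/15 13:24:34 low vpn branch-a tunnel- 0 Tunnel branch-a is down",
    "2015/03/15 13:24:40 low vpn branch-a tunnel- 0 Tunnel branch-a is down",
    "2015/03/15 13:25:02 informational general unrelated system event",
    "2015/03/15 13:31:10 low vpn branch-a tunnel- 0 Tunnel branch-a is UP",
]

if __name__ == "__main__":
    for name, old, new in transitions(SAMPLE):
        print(f"ALERT tunnel={name} {old} -> {new}")
```

Because a tunnel with no prior message starts as "unknown", the first status line seen for it always produces an alert.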
