Palo Alto Networks Knowledgebase: How to get notifications about IPSec tunnel status

Created On 02/08/19 00:05 AM - Last Updated 02/08/19 00:05 AM
Resolution

Issue

The Palo Alto Networks firewall currently doesn't have SNMP OIDs to monitor IPSec tunnel status, so network management systems cannot rely on the SNMP protocol to receive notifications when an IPSec tunnel on the Palo Alto Networks firewall changes its status.

Workaround

Perform the following workaround on the Palo Alto Networks firewall:

  1. Configure and enable the IPSec Tunnel Monitor feature for the desired IPSec tunnel (https://live.paloaltonetworks.com/docs/DOC-1323).
  2. Configure a Syslog server profile to send syslog messages to the desired Syslog server (https://live.paloaltonetworks.com/docs/DOC-3837).
  3. Go to Device > Log Setting > System and forward system logs to the previously created Syslog server profile.


When the tunnel monitor fails the firewall generates the following message in the system log:


Time Severity Subtype Object EventID ID Description
===============================================================================
2015/03/15 13:24:34 low vpn <object name> tunnel- 0 Tunnel <tunnel name> is down


The Syslog server therefore receives a "tunnel down" message. After the IPSec tunnel is brought back up, the tunnel interface also comes up and a new "tunnel is UP" message is written to the system log, which is forwarded to the Syslog server in the same way.
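On the receiving side, the Syslog server still has to turn these forwarded system-log lines into notifications. The following added example (not from the article or from Palo Alto Networks) parses lines in the column layout shown above, keeps only the "Tunnel <name> is down/up" events, and raises one notification per state change so repeated "down" lines for the same tunnel do not cause duplicate alerts. The tunnel names and the EventID token in the sample lines are constructed for the demo.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches the system-log layout the article shows:
#   Time Severity Subtype Object EventID ID Description
# Only descriptions of the form "Tunnel <name> is down" / "... is up" are
# accepted; case-insensitive because the article writes "tunnel is UP".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<sev>\S+)\s+(?P<subtype>\S+)\s+"
    r"(?P<obj>\S+)\s+(?P<eventid>\S+)\s+(?P<id>\d+)\s+"
    r"Tunnel (?P<tunnel>\S+) is (?P<state>up|down)\b",
    re.IGNORECASE,
)

# Constructed sample lines: tunnel names and the "tunnel-status" EventID are
# made up for this demo and are not the real PAN-OS values.
SAMPLE_SYSLOG = """\
2015/03/15 13:24:34 low vpn site-a tunnel-status 0 Tunnel site-a is down
2015/03/15 13:25:34 low vpn site-a tunnel-status 0 Tunnel site-a is down
2015/03/15 13:26:01 info general - general 0 Config commit succeeded
2015/03/15 13:30:12 low vpn site-a tunnel-status 0 Tunnel site-a is UP
2015/03/15 13:31:00 low vpn site-b tunnel-status 0 Tunnel site-b is down
"""


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (timestamp, tunnel, 'up'|'down') for a vpn tunnel-status line, else None."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("subtype").lower() != "vpn":
        return None
    return m.group("ts"), m.group("tunnel"), m.group("state").lower()


def tunnel_transitions(log_text: str) -> List[Tuple[str, str, str]]:
    """Emit one event per change of a tunnel's state; the first sighting of a
    tunnel is always reported, later lines only when the state differs."""
    last_state: Dict[str, str] = {}
    events: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, tunnel, state = parsed
        if last_state.get(tunnel) != state:
            last_state[tunnel] = state
            events.append((ts, tunnel, state))
    return events


if __name__ == "__main__":
    for ts, tunnel, state in tunnel_transitions(SAMPLE_SYSLOG):
        print(f"{ts} NOTIFY tunnel={tunnel} state={state}")
```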
