IPSec Tunnel Monitoring on Palo Alto Firewalls

Overview

IPSec tunnel monitoring on Palo Alto Networks firewalls ensures the reliability of VPN connections by actively verifying the tunnel's health. This feature uses ICMP probes to detect connectivity issues and can automate failover processes when necessary.

By configuring tunnel monitoring, administrators can detect and respond to tunnel failures promptly, maintaining network resilience and uptime.

1. Assign an IP Address to the Tunnel Interface

• Navigate to Network > Interfaces > Tunnel and select the appropriate tunnel interface (e.g., tunnel.1).
• Assign an IP address to the tunnel interface. This IP will serve as the source for monitoring probes.
• Use a /30 or /31 subnet for point-to-point links. For example, assign 169.254.1.1/30 to one end and 169.254.1.2/30 to the other.

Note: Ensure that the assigned IP addresses are unique and do not overlap with other subnets in your network.

2. Create a Tunnel Monitoring Profile

• Go to Network > Network Profiles > Monitor and click Add.
• Enter a Name for the profile.
• Set the Action to take if the tunnel becomes unreachable:
  • Wait Recover: The firewall waits for the tunnel to recover without taking additional action.
  • Fail Over: The firewall disables the tunnel interface, allowing traffic to reroute through alternative paths if available.
• Specify the Interval (in seconds) between probes and the Threshold (number of missed probes) before the specified action is taken. Default values are 3 seconds for the interval and 5 for the threshold.

Reference: For detailed guidance, refer to Palo Alto Networks' documentation on Defining a Tunnel Monitoring Profile.

3. Apply the Monitoring Profile to the IPSec Tunnel

• Navigate to Network > IPSec Tunnels and select the desired tunnel.
• In the General tab, check Enable Tunnel Monitor.
• Enter the Destination IP to be monitored. This is typically the IP address assigned to the remote tunnel interface.
• Select the Monitor Profile created earlier.

Note: Ensure that the destination IP used for monitoring responds to ICMP requests.

4. Considerations

• When using the Fail Over action, verify that alternative routes are properly configured to handle traffic in case of tunnel failure.
• Monitor logs and alerts to stay informed about tunnel status changes.
• For enhanced monitoring, consider integrating with external monitoring tools that support SNMP or API-based queries.

5. Additional Resources

• Monitor Your IPSec VPN Tunnel
• Define a Tunnel Monitoring Profile
• View the Tunnel Status