Is it possible to monitor the VPN tunnels on a PAN firewall? I simply need to know if a tunnel is up or down. Currently I am monitoring the devices via SNMP but it’s only showing the connected interfaces and not the external interfaces. I have searched around but can’t find much even on the check exchange.
Maybe try the rule “Network interface and switch port discovery”, enable all Interface Types and re-discover the device. If the tunnel is an interface in the standard MIB, it should appear as a normal interface. At least on Checkpoint that's the case.
You can monitor PAN VPN / IPSec tunnels by an interface. PA creates a tunnel interface of its own for each IPSec tunnel. And when the connection is down, the interface is down too.
So do it like @mike1098 said. Service check command: check_mk-if64
There are some other nice PAN checks. Have a look at
I got the tunnels into checkMK, however it isn’t performing as I expected. If we down a tunnel from the fw itself, the interface doesn’t go down, so it doesn’t trigger an alert. Is that because there isn’t an IP assigned to either end of the interface?
I am also getting flooded with alerts for multiple interfaces similar to the below
I am not sure what rule I need to amend to prevent these constantly alerting every few minutes. Any ideas? I don’t even want to receive notifications for warnings, just critical, and all other services and hosts are set up that way, but the rules appear not to have that functionality. Sorry, really new to checkMK and I’m no network guru either!
I think the problem is at the firewall. What PANOS version do you use? When IPSec is down, is the tunnel interface down too? Because that status is monitored by CheckMK. When the interface status is not down, then checkMK can't see anything.
On the PAN firewall you can see it under Network → IPSec Tunnel → row status.
When the IPSec tunnel is down, the status is down. When the tunnel is hanging, then you must look at your tunnel monitoring on the PAN. There you need to configure tunnel monitoring on the PAN.