VPN Tunnel monitoring

Hello,

I am wondering how I can set up VPN tunnel monitoring via Checkmk for a Palo Alto PA-820?
I have a 2.0.3p Raw version of Checkmk and it does not show the VPN tunnel as a service.

Best regards.
Nenad.

As far as I know, there is no specific “VPN tunnel monitoring” within checkmk for PAN firewalls.

However, since Palo Alto uses the concept of route-based VPN tunnels, which require a tunnel interface per VPN tunnel, you can simply monitor those tunnel interfaces. In my case, I have a single site-to-site VPN, which looks like this:

For sure, specific stats such as "3 out of 4 VPN tunnels are up" would be nicer. Even more details such as phase 1 (IKE) and phase 2 (IPsec) counters would be great and probably feasible, since Palo Alto has them in their GUI. But I have just had a look at the PAN MIBs for PAN-OS 10.0 and I can't find any VPN MIBs. [Resource: Enterprise SNMP MIB Files] There are some MIBs for GlobalProtect, but not for site-to-site VPN tunnels.

I was just told that this is not sufficient.

Checkmk only shows the tunnel interfaces but not the associated peer tunnel IPs.

Any ideas?

show vpn flow

total tunnels configured:             1
filter - type IPSec, state any

total IPSec tunnel configured:        1
total IPSec tunnel shown:             1

name                    id      state      local-ip       peer-ip       tunnel-i/f
-----------------------------------------------------------------------------------
vpn-to-siteB            5       active     100.1.1.1      200.1.1.1     tunnel.41

What exactly are you searching for? If you are monitoring the VPN tunnel interface with Checkmk, you can see the up/down state as well as traffic stats. To my mind, this is enough for basic monitoring of a VPN tunnel. Do you have a use case for monitoring the peer IPs?

I am the monitoring guy, not the firewall expert, but I’ll try to explain.

These “objects” should be in active state but sometimes they are either in inactive or init state:

show vpn flow | match init
id    name                          state   monitor local-ip                      peer-ip                       tunnel-i/f  
--    ----                          -----   ------- --------                      -------                       ----------
137   s2stu_547:partner_to_10.55.12 init    off     xxx.xxx.xxx.xxx               yyy.yyy.yyy.yyy               tunnel.547

In Checkmk, tunnel.547 shows as UP, but one of its associated "peer tunnels" is not active.

That is what we need to monitor.

I was told that this is related to IPsec, which has a phase 1 and a phase 2,
and sometimes one or the other fails.

(I x-ed out the ips)
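One way to get exactly that into Checkmk, as an added example that is not from this thread, from Checkmk or from Palo Alto: a local check that parses the text of `show vpn flow`, raises one service per tunnel interface (so tunnel.547 goes CRIT while one of its IPsec tunnels sits in `init`, even though the interface is up) and a summary service of the "2 out of 3 tunnels active" kind that was wished for earlier in the thread. It assumes the `show vpn flow` text has already been collected from the firewall (over SSH or the PAN-OS XML API; that fetch is not part of the script) and is handed in as a string. The sample output below is constructed, in the column layout quoted above, with RFC 5737 documentation addresses instead of real peers.

```python
"""Added example (not from the original thread): a Checkmk local check that
turns PAN-OS 'show vpn flow' output into one service per tunnel interface
plus an 'N out of M tunnels active' summary service.

Assumption: the text of 'show vpn flow' has already been fetched from the
firewall (e.g. over SSH or the PAN-OS XML API op command) and is passed in
as a string; the fetch is deliberately not part of this script.
"""
from collections import defaultdict

# Constructed sample in the column layout quoted in the thread
# (id name state monitor local-ip peer-ip tunnel-i/f). Addresses are from
# RFC 5737 documentation ranges, not real peers.
SAMPLE_OUTPUT = """\
total tunnels configured:             3
filter - type IPSec, state any

total IPSec tunnel configured:        3
total IPSec tunnel shown:             3

id    name                          state   monitor local-ip      peer-ip        tunnel-i/f
--    ----                          -----   ------- --------      -------        ----------
5     vpn-to-siteB                  active  off     192.0.2.1     198.51.100.1   tunnel.41
137   s2stu_547:partner_to_10.55.12 init    off     192.0.2.1     203.0.113.7    tunnel.547
138   s2stu_547:partner_to_10.55.13 active  off     192.0.2.1     203.0.113.7    tunnel.547
"""


def parse_vpn_flow(text):
    """Return one dict per IPsec tunnel row, keyed by the column names of the
    header line. Column order is taken from the header itself, so both layouts
    seen in the thread (id-first and name-first) parse the same way."""
    header = None
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if header is None:
            # The header is the first line carrying both a 'state' and a
            # 'tunnel-i/f' column; 'filter - type IPSec, state any' has no tunnel-i/f.
            if "state" in fields and "tunnel-i/f" in fields:
                header = fields
            continue
        if all(set(f) == {"-"} for f in fields):
            continue  # separator line under the header
        if len(fields) != len(header):
            continue  # wrapped or trailing output, not a tunnel row
        rows.append(dict(zip(header, fields)))
    return rows


def build_local_checks(rows):
    """Build Checkmk local-check lines of the form
    '<state> "<service>" <metric>=<value>;<warn>;<crit>;<min>;<max> <text>'
    with state 0=OK, 2=CRIT, 3=UNKNOWN. One service per tunnel interface
    plus one summary service over all IPsec tunnels."""
    by_ifc = defaultdict(list)
    for r in rows:
        by_ifc[r["tunnel-i/f"]].append(r)

    lines = []
    for ifc in sorted(by_ifc):
        members = by_ifc[ifc]
        bad = [r for r in members if r["state"] != "active"]
        n_ok, n = len(members) - len(bad), len(members)
        if bad:
            detail = ", ".join(
                f"{r['name']} ({r['state']}, peer {r['peer-ip']})" for r in bad
            )
            lines.append(f'2 "IPsec {ifc}" active={n_ok};;;0;{n} {n_ok} of {n} tunnels active: {detail}')
        else:
            lines.append(f'0 "IPsec {ifc}" active={n};;;0;{n} all {n} tunnels active')

    total = len(rows)
    if total == 0:
        # A failed fetch or changed output format must not look green.
        lines.append('3 "IPsec tunnels" - no tunnel rows parsed from show vpn flow')
        return lines
    active = sum(1 for r in rows if r["state"] == "active")
    state = 0 if active == total else 2
    lines.append(f'{state} "IPsec tunnels" active={active};;;0;{total} {active} out of {total} IPsec tunnels active')
    return lines


if __name__ == "__main__":
    for line in build_local_checks(parse_vpn_flow(SAMPLE_OUTPUT)):
        print(line)
```

Drop the script (with the fetch added) into the agent's local-check directory on a host that can reach the firewall, for example /usr/lib/check_mk_agent/local/ on Linux; each printed line becomes its own service at the next discovery. The SNMP interface check keeps reporting the tunnel interface's up/down state and traffic; this adds the IPsec tunnel state behind it, which is what the interface check cannot see.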

What you want is something like this Cisco check (CheckMK / Cisco / IPSec VPN tunnel · GitLab),
but for the Palo Alto.

Thanks for the hint.
Unfortunately, this is not for Palo Altos but for Cisco only.

Hint: the domain hopto.org where this is hosted is found on several blocklists;
I first had to whitelist thl-cmk.hopto.org to access it.
