topic S2S VPN history. in Firewall and Security Management

S2S VPN history.

Matlu — Mon, 23 Oct 2023 17:57:25 GMT

Hello, Mates.

Is there any way to see the "summary" of the status of a VPN?

My intention is to know if a S2S VPN that we have against a third party is down or rebooted maybe 12 hours ago.

I am looking for options in the SmartView Monitor, but I can't find an appropriate option.

Any ideas that can help me please?

Cheers. 🙂

Re: S2S VPN history.

PhoneBoy — Mon, 23 Oct 2023 18:02:25 GMT

The only thing we log is when the tunnel "comes up" (key install).
The tunnel never really goes "down" unless the remote end stops responding (which should be logged).

In R82, I believe we plan to have some enhanced VPN monitoring features.

Re: S2S VPN history.

Matlu — Mon, 23 Oct 2023 21:29:07 GMT

Uhm,

I have a S2S VPN, which 12 hours ago, lost connection between both sides of the VPN.

So, we want to "see" if in that time range, the VPN was logged as "down" in Check Point.

I have made some filters in the SmartConsole, "calling" only the VPN community under discussion, and filtering the "action" field with a "Key Install".

And this is the result I get.

Exactly what does the "Key Install" mean?

Is it the moment when Check Point "detects" that a VPN is being set up?

Is there any option that you think can help me?

Cheers. 🙂

Re: S2S VPN history.

PhoneBoy — Tue, 24 Oct 2023 13:18:04 GMT

A VPN connection requires symmetric encryption keys to be generated every so often with the various IPsec timers determining how often this is done.
Likewise, the remote end might request termination and issue a "delete IKE SA request."
These are logged as "Key Install" events as they affect the encryption keys used.

If the remote VPN peer cannot be reached, you may see "peer not responding" messages in the logs.
However, this will only occur if there is active traffic on the VPN.

Re: S2S VPN history.

G_W_Albrecht — Tue, 24 Oct 2023 15:00:09 GMT

Old Legacy SV Monitor has Tunnels on GW > VPN History > Last Day > Active Tunnels Average that should show it.

Re: S2S VPN history.

Machine_Head — Tue, 24 Oct 2023 15:40:57 GMT

A monitoring tool could help.

For example pinging a host across the VPN.

Other option is with SNMP :

https://support.checkpoint.com/results/sk/sk63663

Re: S2S VPN history.

Matlu — Tue, 24 Oct 2023 17:02:57 GMT

Hello,

This action ""delete IKE SA request.", does not necessarily mean that the VPN TUNEL, is "down" right?

I mean, the remote peer may send a message like "delete IKE SA request.", but for us, it may be something "transparent", and we could still see the tunnel "active", at that moment?

Or is this action necessarily going to lower the tunnel?

Greetings

Re: S2S VPN history.

PhoneBoy — Wed, 25 Oct 2023 17:24:59 GMT

Correct, an IKE SA being deleted does not necessarily mean the tunnel is down.
In IKEv2, it's actually done as part of the rekeying process that should happen every few hours (so called Break Before Make).