R80 and R80.10 SmartView Monitor VPN List

Since I upgraded the firewall from R77.10 to R80.10, in the SmartView Monitor I don't see the list of IPSEC tunnels as I had it in R77.30. I just see tabular information about tunnels for the selected Gateway, but I can't find the list of the VPNs managed by the gateway (I just see the number of VPNs).

Any idea how I can see the list of VPNs?

Thanks for your help.

BRgds

1 Solution

Accepted Solutions
Danny
Jade

Re: R80 and R80.10 SmartView Monitor VPN List

Your screen shot doesn't show the list of VPN tunnels that you are referring to. In order to make that list available you'll need a dedicated SmartView Monitor Software Blade license.

With that Software Blade you'll see all VPN tunnels:

In R80.x you'll get VPN statistics as shown in the screen shot below:

As you'll note the detailed list of VPN tunnels as seen in my first screen shot is missing. That's why the native SmartView Monitor GUI client is still supported. Default installation location: C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\SmartViewMonitor.exe

Also see: How to open SmartView Monitor within R80.x

With the SmartView Monitor Software Blade correctly attached to your SmartCenter Server you'll see the full list of VPN tunnels.

5 Replies
Sajid_Abbas
Nickel

Re: R80 and R80.10 SmartView Monitor VPN List

Hi,

I have several IPSec VPNs with AWS. They frequently go down and I need to bring them up manually. Is there a way to set up an alert or check the history of when a tunnel went down or came up, some sort of logs?

I need some reporting method for when tunnels go down or come up.

Re: R80 and R80.10 SmartView Monitor VPN List

If AWS does not see any VPN traffic from a peer for 10 seconds, it will launch a Dead Peer Detection (DPD) query.  If no response is received, the tunnel is brought down by AWS.  You need to configure "Permanent Tunnel based on DPD mode" as specified in Scenario 5 of sk108600: VPN Site-to-Site with 3rd party.  Once you do that, you can specify the sending of alerts if the tunnel falls down and can't get back up here:

Also check out this article which may help:

Troubleshoot VPN Tunnel Inactivity or Instability Issues 

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: R80 and R80.10 SmartView Monitor VPN List

Hello Timothy,

I have a question regarding DPD.

Does changing the tunnel_keepalive_method value from default to dpd cause any issues with any current live VPNs?

And how do these VPNs check for dead connections?

Regards,

Jev

Re: R80 and R80.10 SmartView Monitor VPN List

Changing the tunnel_keepalive_method value for a gateway causes it to use DPD instead of Check Point's proprietary tunnel_test protocol in all VPN Communities set for Permanent Tunnels that the gateway is a member of.  By default whenever policy is installed to a gateway, it will clear all IKE Phase 1 tunnels which will have an immediate impact to existing VPNs upon policy installation unless the checkbox keep_IKE_SAs is checked under Global Properties...Advanced...Configure. You'll definitely want to familiarize yourself with these SKs:

sk108600: VPN Site-to-Site with 3rd party

sk97746: New VPN features in R77.10

DPD is an industry standard extension to IKEv1 and you can read about how it works here:  https://www.ietf.org/rfc/rfc3706.txt .  DPD is ingrained by design in IKEv2.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com
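
The DPD check from RFC 3706 that the replies above refer to, sketched as an added example that is not part of the original thread and not Check Point or AWS code: it builds the R-U-THERE and R-U-THERE-ACK Notify payloads and accepts an ACK as proof of liveness only if it carries the same IKE cookies and sequence number as the probe. The function names and sample cookie values are assumptions made for illustration, and the payloads are shown in cleartext, before the protection the IKE SA applies on the wire.

```python
import struct

# Notify message types and field values from RFC 3706, section 5.
R_U_THERE, R_U_THERE_ACK = 36136, 36137
IPSEC_DOI, PROTO_ISAKMP, COOKIE_LEN = 1, 1, 8
# next payload, reserved, payload length, DOI, protocol-ID, SPI size, notify type
HEADER = struct.Struct("!BBHIBBH")


def build_dpd_notify(msg_type, icookie, rcookie, seq):
    """Return the cleartext Notify payload for an R-U-THERE or its ACK."""
    if len(icookie) != COOKIE_LEN or len(rcookie) != COOKIE_LEN:
        raise ValueError("IKE cookies must be 8 bytes each")
    spi = icookie + rcookie  # the SPI field carries both cookies of the IKE SA
    length = HEADER.size + len(spi) + 4
    head = HEADER.pack(0, 0, length, IPSEC_DOI, PROTO_ISAKMP, len(spi), msg_type)
    return head + spi + struct.pack("!I", seq)


def parse_dpd_notify(payload):
    """Parse and sanity-check a DPD Notify payload; raise ValueError if malformed."""
    if len(payload) != HEADER.size + 2 * COOKIE_LEN + 4:
        raise ValueError("unexpected payload size")
    _nxt, _rsv, length, doi, proto, spi_size, msg_type = HEADER.unpack_from(payload)
    if (length, doi, proto, spi_size) != (len(payload), IPSEC_DOI, PROTO_ISAKMP, 16):
        raise ValueError("not a DPD notify for an ISAKMP SA")
    if msg_type not in (R_U_THERE, R_U_THERE_ACK):
        raise ValueError("not a DPD message type")
    spi = payload[HEADER.size:HEADER.size + spi_size]
    (seq,) = struct.unpack_from("!I", payload, HEADER.size + spi_size)
    return {"type": msg_type, "icookie": spi[:8], "rcookie": spi[8:], "seq": seq}


def ack_proves_liveness(request, reply):
    """True only if reply is the ACK for this exact R-U-THERE (same SA, same seq)."""
    try:
        req, ack = parse_dpd_notify(request), parse_dpd_notify(reply)
    except ValueError:
        return False
    return (req["type"] == R_U_THERE and ack["type"] == R_U_THERE_ACK
            and (req["icookie"], req["rcookie"], req["seq"])
            == (ack["icookie"], ack["rcookie"], ack["seq"]))


# Constructed sample values, not taken from any real tunnel.
ICOOKIE, RCOOKIE = bytes(range(8)), bytes(range(8, 16))
probe = build_dpd_notify(R_U_THERE, ICOOKIE, RCOOKIE, seq=1001)
good_ack = build_dpd_notify(R_U_THERE_ACK, ICOOKIE, RCOOKIE, seq=1001)
stale_ack = build_dpd_notify(R_U_THERE_ACK, ICOOKIE, RCOOKIE, seq=1000)
```

A peer that replies with a stale sequence number, or not at all, gives no proof of liveness, which is the condition under which the tunnel is declared down.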