This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
Legend
Legend
‎2024-02-07 05:37 AM
Jump to solution

Monitoring VPN tunnels

Hey guys,

I know there were few posts about this before, but here is what Im looking for. I know many methods you can check the status of the tunnel itself, with tcpdump on proto 50, vpn tu options, sv monitor etc, but those are all manual methods. What Im after is automatic method that would alert a customer if there is an issue with the tunnel.

I get the options inside the community under tunnel management you can set to tunnel down and up for different actions, but I wonder if there is anything more intuitive (for the lack of better term) that can be set up.

Thanks as always for any suggestions.

Best,

Andy

0 Kudos
2 Solutions

Accepted Solutions
the_rock
Legend
Legend
‎2024-02-12 04:40 PM
Jump to solution

Hey guys,

Just to give a quick update on this. Talked to Tier 3 guy in DTAC and what I was informed is quite disappointing, to put it bluntly. So, he told me that when it comes to VPN monitoring, supposedly, it ONLY works if its CP to CP tunnel, so say if you have cp to 3rd party, which probably 99% of customers would have, you cant even configure pop-up alert to work and here comes really odd part for me. Say even if you have cp cluster to another single gateway VPN tunnel, its not enough to even reset the tunnel via vpn tu tlist del or vpn tu command, but you would need to do cpstop on BOTH cluster members. 

O well, as disappointing as this is, if thats how it is, we just have to accept it. I still, personally, find it bit hard to believe that even pop-up alert is only possible if its strictly CP vpn tunnel.

Anyway, figured would share the info I was given. At least searching for log filter by "Key Install" would give log when tunnel may have went down, so its better than nothing. I sure hope VPN monitoring is totally revamped in R82...

Best,

Andy

View solution in original post

0 Kudos
Blason_R
Leader
Leader
‎2024-02-12 07:23 PM
In response to the_rock
Jump to solution

Here are the sk sk63663 you can simply use any NMS or I am using open source like check_mk and it perfectly

t.png

shows the tunnel status and if any issue occurs

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

View solution in original post

(1)
36 Replies
Tal_Paz-Fridman
Employee
Employee
‎2024-02-07 06:20 AM
Jump to solution

Hi Andy

I think I mentioned it before, in R82 we have a completely new VPN Monitoring Tool:

 

  • Introducing the Advanced VPN Monitoring tool that shows information on each VPN Tunnel and tracks its health and performance.

 

Perhaps @itamarav can ass additional details.

the_rock
Legend
Legend
‎2024-02-07 06:42 AM
In response to Tal_Paz-Fridman
Jump to solution

Thanks @Tal_Paz-Fridman , but in the meantime, since who knows how long it might be before most clients are on R82, does anything similar exist in R81.20?

Best,

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-02-07 11:53 PM
In response to Tal_Paz-Fridman
Jump to solution

Within R82, will it be possible to send SNMP traps to more than 1 trap server in case VPN state is changed?

Kind regards,
Jozko Mrkvicka
0 Kudos
CaseyB
Advisor
‎2024-02-07 07:10 AM
Jump to solution

I don't know of any ways to alert automatically from the firewall. We use an external monitoring server to monitor endpoints on the other end of the VPN and get our automatic notifications (e-mail / sms) that way. 

0 Kudos
the_rock
Legend
Legend
‎2024-02-07 07:38 PM
In response to CaseyB
Jump to solution

I will do some testing in the lab tomorrow to see if I can make it work with pop up alert when tunnel is reset.

Andy

0 Kudos
Lesley
Leader Leader
Leader
‎2024-02-07 10:18 AM
Jump to solution

Hi Andy,

Let me answer your question with a question. When should Check Point consider a VPN tunnel problematic? 

Some tunnels are used more then others. There are tunnels that are maybe used once a day. If no traffic flows via the tunnel the tunnel goes down.

I think the best would be , for now using a monitoring tool and ping something via the tunnel on the other side. In this way you know that the tunnel is up and there is no issue. Until they restart something at the other end of course 🙂 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
(2)
the_rock
Legend
Legend
‎2024-02-07 07:40 PM
In response to Lesley
Jump to solution

Let me answer your question. When should CP consider tunnel problematic? I would say when it goes down 🙂

See, what we are trying to accomplish is to get some sort of pop up alert or a log when tunnel is down. 

Best,

Andy

 

0 Kudos
Nüüül
Advisor
‎2024-02-07 09:48 PM
In response to the_rock
Jump to solution

Good morning,

I´d expect something like "active tunnel". so Tunnel UP is one thing. Checking if there is traffic (i.e. Keepalives - so even when tunnel is not in use actively) is a better bet. So - something like

  • "tunnel up and traffic flowing = tunnel good"
  • "tunnel up and no traffic (uni/bidirectional?) = tunnel problematic"
  • "tunnel up and traffic = tunnel fine"

Personally, I´d stick to an external monitoring, using either snmp or by checking if resources on "the other side" are available.

(might be an idea to extend GAiA API to see local tunnel sessions (Site to Site and/or Client to Site) and if there are sessions and if there is activity on tunnel? )

0 Kudos
the_rock
Legend
Legend
‎2024-02-08 04:16 AM
In response to Nüüül
Jump to solution

That makes sense @Nüüül , thank you.

Best,

Andy

0 Kudos
Henrik_Noerr1
Advisor
‎2024-02-08 01:57 AM
In response to Lesley
Jump to solution

This is the way 🙂 Don't trust the firewall to give you the state. Use tests on the actual services on the other end.

(1)
the_rock
Legend
Legend
‎2024-02-08 04:16 AM
In response to Henrik_Noerr1
Jump to solution

I agree 🙂

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-02-07 11:52 PM
Jump to solution

In case you are using permanent tunnels (suggesting to do so), within VPN community, set the tracking to desired option. If you choose any of available Alerts, then go to the Global Properties on Domain where VPN is configured, go to the Log and Alert -> Alerts and add proper alert scripts.

In case you are using regular tunnels (suggesting to switch to Permanent), then go to the Global Properties -> Log and Alert -> select desired option for "VPN configuration & key exchange errors". If you choose any of available Alerts, then go to the Global Properties on Domain where VPN is configured, go to the Log and Alert -> Alerts and add proper alert scripts.

Another option is to create script using VPN SNMP OID (for example .1.3.6.1.4.1.2620.500.9002.1.3) 

Some other ideas for scripting:

- output from "vpn tu" 

- monitor VPN logs (traffic and/or .elg files)

Kind regards,
Jozko Mrkvicka
the_rock
Legend
Legend
‎2024-02-08 04:18 AM
In response to JozkoMrkvicka
Jump to solution

Thanks @JozkoMrkvicka . I actually let TAC guy know what I had tried in the lab...so, say if I change tunnel monitoring option to log inside vpn community, then I do see the log with blade:"VPN" filter indicating key exchange, which matches with when I do tunnel reset, perfect. Now...IF I set the option to pop up alert and set rule that way, it does NOT work. I have a feeling Im missing something in global properties, but not sure which option. 

Thoughts?

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-08 04:51 AM
In response to JozkoMrkvicka
Jump to solution

I am pretty sure this is it, but since support site is down atm, cant look up the sk for it. If anyone has any idea what this should be, happy to try 🙂

Andy

 

Screenshot_1.png

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-02-09 01:53 AM
In response to the_rock
Jump to solution

I never tried that "pop up" option. To be honest, I am not sure what is the goal of that one...

I used snmp trap alert script and mail alert script, which are working perfectly fine.

There is only 1 issue with snmp or mail script - you can specify only 1 IP (only 1 SNMP trap reciever / only 1 smtp mail relay IP).

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend
‎2024-02-09 04:12 AM
In response to JozkoMrkvicka
Jump to solution

@JozkoMrkvicka If you would be kind enough mate to provide the steps to make it work with snmp script, I would be very grateful, while I wait for TAC response.

Best,

Andy

0 Kudos
JozkoMrkvicka
Authority
Authority
‎2024-02-11 03:39 AM
In response to the_rock
Jump to solution

Very important note is that the SNMP traps are NOT sent from the gateway.

SNMP trap alerts are sent from management Main IP (Leading Interface IP) or Logserver Main IP.

Steps:

  1. Connect with SmartDashboard to Security Management Server / Provider-1 CMA / Domain Management Server.

  2. Go to the Policy menu - click on the Global Properties...

  3. Expand the Log and Alerts - click on the Alerts pane.

  4. In the Run SNMP trap alert script field, enter/paste the following:

    internal_snmp_trap -c YOUR_SNMP_COMMUNITY IP_ADDRESS_OF_YOUR_SNMP_TRAP_SINK

    Note: By default, YOUR_SNMP_COMMUNITY=public.

For example:

internal_snmp_trap -c public 1.1.1.1

"public" is snmp community string

1.1.1.1 is snmp trap reciever IP.

Kind regards,
Jozko Mrkvicka
0 Kudos
the_rock
Legend
Legend
‎2024-02-11 05:17 AM
In response to JozkoMrkvicka
Jump to solution

Thank you. Let me see if TAC guy can make it work with pop up alert, that would probably be best option in this case.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-12 06:18 AM
In response to JozkoMrkvicka
Jump to solution

Just to update quick...TAC came back saying they got it working with pop up alert, so I will update once I do remote sessionto see if we can get it working in my lab as well.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-12 04:40 PM
Jump to solution

Hey guys,

Just to give a quick update on this. Talked to Tier 3 guy in DTAC and what I was informed is quite disappointing, to put it bluntly. So, he told me that when it comes to VPN monitoring, supposedly, it ONLY works if its CP to CP tunnel, so say if you have cp to 3rd party, which probably 99% of customers would have, you cant even configure pop-up alert to work and here comes really odd part for me. Say even if you have cp cluster to another single gateway VPN tunnel, its not enough to even reset the tunnel via vpn tu tlist del or vpn tu command, but you would need to do cpstop on BOTH cluster members. 

O well, as disappointing as this is, if thats how it is, we just have to accept it. I still, personally, find it bit hard to believe that even pop-up alert is only possible if its strictly CP vpn tunnel.

Anyway, figured would share the info I was given. At least searching for log filter by "Key Install" would give log when tunnel may have went down, so its better than nothing. I sure hope VPN monitoring is totally revamped in R82...

Best,

Andy

0 Kudos
Blason_R
Leader
Leader
‎2024-02-12 07:06 PM
In response to the_rock
Jump to solution

nah - Did you try monitoring through SNMP? I am monitoring my tunnels through SNMP and with particular OIDs it does given you status about P1 or P2 failures

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2024-02-12 07:12 PM
In response to Blason_R
Jump to solution

Not yet, but though I did mention it to TAC, it was not tested. I will try in the lab what @JozkoMrkvicka provided, unless you have something more simple, happy to try 🙂

Best,

Andy

0 Kudos
Blason_R
Leader
Leader
‎2024-02-12 07:23 PM
In response to the_rock
Jump to solution

Here are the sk sk63663 you can simply use any NMS or I am using open source like check_mk and it perfectly

t.png

shows the tunnel status and if any issue occurs

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
(1)
Blason_R
Leader
Leader
‎2024-02-12 07:31 PM
In response to Blason_R
Jump to solution

Forgot to mention - Let me know if any help is required setting check_mk and I am happy to help.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
the_rock
Legend
Legend
‎2024-02-12 07:41 PM
In response to Blason_R
Jump to solution

Thanks brother.

Best,

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-02-12 07:37 PM
In response to Blason_R
Jump to solution

Thanks! So are you saying you can put that snmp oid into the tool check_mk and it shows the status? If so, thats super easy, will try it Tuesday.

Best,

Andy

0 Kudos
Blason_R
Leader
Leader
‎2024-02-12 07:38 PM
In response to the_rock
Jump to solution

Well you don't even need to add those OIDs or any other OIDs

  • Just Install check_mk
  • enable SNMP on firewalls
  • Add host in check_mk and it automatically detect the Tunnels since it has those scripts enabled.

 

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
the_rock
Legend
Legend
‎2024-02-12 07:42 PM
In response to Blason_R
Jump to solution

Do you need to add both cp and peer external IP or just peer?

0 Kudos
Blason_R
Leader
Leader
‎2024-02-12 07:45 PM
In response to the_rock
Jump to solution

Just your CP

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events