This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2023-10-23 10:57 AM

S2S VPN history.

Hello, Mates.

Is there any way to see the "summary" of the status of a VPN?

My intention is to know if a S2S VPN that we have against a third party is down or rebooted maybe 12 hours ago.

I am looking for options in the SmartView Monitor, but I can't find an appropriate option.

Any ideas that can help me please?

Cheers. 🙂

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2023-10-23 11:02 AM

The only thing we log is when the tunnel "comes up" (key install).
The tunnel never really goes "down" unless the remote end stops responding (which should be logged).

In R82, I believe we plan to have some enhanced VPN monitoring features.

0 Kudos
Matlu
Advisor
‎2023-10-23 11:06 AM
In response to PhoneBoy

Uhm,

I have a S2S VPN, which 12 hours ago, lost connection between both sides of the VPN.

So, we want to "see" if in that time range, the VPN was logged as "down" in Check Point.

 

I have made some filters in the SmartConsole, "calling" only the VPN community under discussion, and filtering the "action" field with a "Key Install".

And this is the result I get.

Exactly what does the "Key Install" mean?

Is it the moment when Check Point "detects" that a VPN is being set up?

VPN2.pngVPN1.png

Is there any option that you think can help me?

Cheers. 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-24 06:18 AM
In response to Matlu

A VPN connection requires symmetric encryption keys to be generated every so often with the various IPsec timers determining how often this is done.
Likewise, the remote end might request termination and issue a "delete IKE SA request."
These are logged as "Key Install" events as they affect the encryption keys used.

If the remote VPN peer cannot be reached, you may see "peer not responding" messages in the logs.
However, this will only occur if there is active traffic on the VPN.

0 Kudos
Matlu
Advisor
‎2023-10-24 10:02 AM
In response to PhoneBoy

Hello,

This action ""delete IKE SA request.", does not necessarily mean that the VPN TUNEL, is "down" right?

I mean, the remote peer may send a message like "delete IKE SA request.", but for us, it may be something "transparent", and we could still see the tunnel "active", at that moment?

Or is this action necessarily going to lower the tunnel?

Greetings

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-25 10:24 AM
In response to Matlu

Correct, an IKE SA being deleted does not necessarily mean the tunnel is down.
In IKEv2, it's actually done as part of the rekeying process that should happen every few hours (so called Break Before Make).

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-10-24 08:00 AM

Old Legacy SV Monitor has Tunnels on GW > VPN History > Last Day > Active Tunnels Average that should show it.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Machine_Head
Collaborator
Collaborator
‎2023-10-24 08:40 AM

A monitoring tool could help.

For example pinging a host across the VPN.

 

Other option is with SNMP :

https://support.checkpoint.com/results/sk/sk63663

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top