- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix! 
All Videos In One Space
Problem is the SA lifetimes dictate how long a tunnel is allowed to be up before being torn down to change keys, so just looking at key exchange messages does not mean an outage actually occurred. In addition most VPNs are brought up on demand when interesting traffic needs to use them, and if there is no traffic the tunnel can time out and appear "down" until some more interesting traffic arrives.
Only way I can think of to do this is via Permanent Tunnels which by default only work between Check Point gateways, but can be made to work with other vendor's firewalls by setting Dead Peer Detection (DPD) mode. Assuming you set both "tunnel up" and "tunnel down" alerts you could measure the time between tunnel down and tunnel up alerts to determine total outage time, although it can take between 20-30 seconds to detect that a tunnel has fallen down and cannot get back up. The default lifesign interval is 10 seconds with 3 failures causing a "tunnel down" condition, but these timers could be shortened I suppose. Here is the coverage for Permanent Tunnels from my book:
