For a VPN tunnel, you can check connectivity to a destination
IP address across the tunnel. The network monitoring profile on
the firewall allows you to verify connectivity (using ICMP) to a
destination IP address or a next hop at a specified polling interval,
and to specify an action on failure to access the monitored IP address.
If the destination IP address is unreachable, you either configure the firewall to wait for the
tunnel to recover or configure an automatic failover to another tunnel. In either case,
the firewall generates a system log that alerts you to a tunnel failure and renegotiates
the IPSec keys to accelerate recovery.