Because an IPSec VPN tunnel is a logical interface, it cannot reflect the
status of the underlying physical link. This limitation can cause a firewall to
continue routing traffic to an unusable path, leading to silent traffic loss until
the failure is manually detected.

To address this, PAN-OS® now includes IPSec tunnel monitoring to actively verify
connectivity to a target IP address through the tunnel. If the target becomes
unreachable, the firewall marks the path as unusable and automatically initiates a
failover. During failover, the existing tunnel is torn down, routing changes are
triggered, and a new tunnel is established to redirect traffic. The feature provides
status visibility for both the IKE gateway and individual IPSec tunnels, which
allows the firewall to maintain high availability and reduce traffic loss.
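The sequence described above (probe the monitored address through the tunnel, mark the path unusable after repeated misses, withdraw the route, tear the tunnel down and re-establish it, then return traffic only once the new tunnel proves reachable) can be modelled as a small state machine. The following is an added illustration, not PAN-OS code or any vendor API; the tunnel name, monitored address, prefix, and the three-miss threshold are constructed values, and the probe is a scripted stand-in for a real reachability check.

```python
"""Simulated IPSec tunnel monitor with failover (added example, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Tunnel:
    name: str
    monitor_ip: str                 # address probed through the tunnel
    generation: int = 1             # bumped each time the tunnel is re-established
    path_usable: bool = True        # may the route table send traffic over this tunnel?
    consecutive_failures: int = 0
    events: List[str] = field(default_factory=list)

    def log(self, msg: str) -> None:
        self.events.append(msg)


class RouteTable:
    """Minimal stand-in for the firewall's routing: prefix -> egress interface."""

    def __init__(self) -> None:
        self.routes: Dict[str, str] = {}

    def install(self, prefix: str, iface: str) -> None:
        self.routes[prefix] = iface

    def withdraw(self, prefix: str) -> None:
        self.routes.pop(prefix, None)


class TunnelMonitor:
    def __init__(self, tunnel: Tunnel, routes: RouteTable, prefix: str,
                 probe: Callable[[str], bool], threshold: int = 3) -> None:
        self.tunnel = tunnel
        self.routes = routes
        self.prefix = prefix
        self.probe = probe          # returns True when monitor_ip answered
        self.threshold = threshold  # assumed: misses tolerated before failover

    def tick(self) -> None:
        """One monitor interval: probe once and react to the result."""
        t = self.tunnel
        if self.probe(t.monitor_ip):
            t.consecutive_failures = 0
            if not t.path_usable:
                # Target answers through the (re-established) tunnel: restore the route.
                t.path_usable = True
                self.routes.install(self.prefix, t.name)
                t.log(f"{t.name} gen{t.generation}: target reachable, path usable again")
            return
        t.consecutive_failures += 1
        if t.path_usable and t.consecutive_failures >= self.threshold:
            self.failover()

    def failover(self) -> None:
        """Mark the path unusable, withdraw routing, tear down and renegotiate the tunnel."""
        t = self.tunnel
        t.path_usable = False
        self.routes.withdraw(self.prefix)                 # routing change
        t.log(f"{t.name} gen{t.generation}: {t.consecutive_failures} probes lost, "
              "path marked unusable, tunnel torn down")
        t.generation += 1                                 # new tunnel established
        t.consecutive_failures = 0
        t.log(f"{t.name} gen{t.generation}: tunnel re-established, awaiting monitor")


def run_scenario(probe_results: List[bool], threshold: int = 3) -> Tuple[Tunnel, RouteTable]:
    """Feed a scripted list of probe outcomes (constructed data) through the monitor."""
    routes = RouteTable()
    tunnel = Tunnel(name="tunnel.1", monitor_ip="10.0.0.1")   # constructed values
    routes.install("10.0.0.0/24", tunnel.name)
    outcomes = iter(probe_results)
    monitor = TunnelMonitor(tunnel, routes, "10.0.0.0/24",
                            probe=lambda _ip: next(outcomes), threshold=threshold)
    for _ in range(len(probe_results)):
        monitor.tick()
    return tunnel, routes


if __name__ == "__main__":
    # Two good probes, four misses (failover after the third), then recovery.
    tunnel, routes = run_scenario([True, True, False, False, False, False, True])
    for event in tunnel.events:
        print(event)
    print("routes:", routes.routes)
```

Note the design choice that matters operationally: after failover the route is not reinstalled when the new tunnel comes up, but only when the monitored target answers through it, so a renegotiated tunnel with the same broken underlying path never silently reattracts traffic.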