Because an IPSec VPN tunnel is a logical interface, it cannot reflect the
status of the underlying physical link. This limitation can cause a firewall to
continue routing traffic to an unusable path, leading to silent traffic loss until
the failure is manually detected.
To address this, PAN-OS® now includes IPSec tunnel monitoring to actively verify
connectivity to a target IP address through the tunnel. If the target becomes
unreachable, the firewall marks the path as unusable and automatically initiates a
failover. During failover, the existing tunnel is torn down, routing changes are
triggered, and a new tunnel is established to redirect traffic. The feature provides
status visibility for both the IKE gateway and individual IPSec tunnels, which
allows the firewall to maintain high availability and reduce traffic loss.