IPSec VPN Monitoring

View the IPSec VPN tunnel status to know whether IKE phase-1 and phase-2 SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because an IPSec VPN tunnel is a logical interface, it cannot reflect the status of the underlying physical link. This limitation can cause a firewall to continue routing traffic to an unusable path, leading to silent traffic loss until the failure is manually detected.
To address this, PAN-OS® now includes IPSec tunnel monitoring to actively verify connectivity to a target IP address through the tunnel. If the target becomes unreachable, the firewall marks the path as unusable and automatically initiates a failover. During failover, the existing tunnel is torn down, routing changes are triggered, and a new tunnel is established to redirect traffic. The feature provides status visibility for both the IKE gateway and individual IPSec tunnels, which allows the firewall to maintain high availability and reduce traffic loss.