VPN tunnel monitoring for non-Certified Checkpoint devices


Article ID: 15328


Updated On:


CA Spectrum


Currently, out-of-box VPN tunnel support is limited to Cisco devices that support the CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB.

However, for devices such as Checkpoint firewalls, a SpectroWATCH can be created to monitor the state of each VPN tunnel and raise an alarm when a tunnel goes down.

How can I configure VPN tunnel monitoring for Checkpoint firewalls?




While Spectrum does not support Checkpoint firewall VPN tunnels out of the box, once the Checkpoint MIBs are imported into Spectrum, a SpectroWATCH can be created to monitor the Checkpoint MIB tunnel state attribute (the tunnelState OID):

- tunnelState values: 3=active, 4=destroy, 129=idle, 130=phase1, 131=down, 132=init (see SK63663)


1. Map tunnelState to an Attribute using MIB Tools


2. Create Watch on the attribute 


- tunnelState is a list attribute: it contains one instance per tunnel currently configured on the Checkpoint device


**** Watch Expression **** 


1. The expression can be tunnelState.# with the instance set to "all", so that every tunnel instance is evaluated

2. Or the expression can be tunnelState.<instanceID>, where <instanceID> is the instance ID of that tunnel as seen in a GetNext query of tunnelState in MIB Tools



**** Watch Properties **** 


1. Recommended: select "evaluate by polling" and UNCHECK "make inheritable"

2. Reason: in 10.1, Checkpoint devices are modeled as "GnSNMPDev", and a polling Watch set on GnSNMPDev with "make inheritable" would force Spectrum to evaluate the watch on virtually every model in Spectrum, which would cause problems

3. So, run the watch only on the GnSNMPDev devices in question; that is the recommended approach


**** Watch Threshold **** 


1. Recommended threshold: == 131 (tunnel down)

2. Set the Event to raise an Alarm when the tunnel is down
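To sanity-check the threshold and the instance IDs before building the watch, the following added example (not part of this article or of Spectrum) evaluates the same tunnelState == 131 condition over every instance returned by a GetNext walk. The walk lines and the CHECKPOINT-MIB::tunnelState.<index> output format are constructed assumptions; the script models the watch logic on the state codes listed above, not Spectrum's own watch engine.

```python
import re
from typing import Dict, List, Tuple

# Tunnel state codes from the Check Point MIB, as listed above (see SK63663).
TUNNEL_STATES = {3: "active", 4: "destroy", 129: "idle",
                 130: "phase1", 131: "down", 132: "init"}

# Watch threshold from this article: tunnelState == 131 means the tunnel is down.
DOWN_THRESHOLD = 131

# Constructed sample of a GetNext walk of tunnelState with the Check Point MIB
# loaded; the output format is an assumption, the trailing index is the instance ID.
SAMPLE_WALK = """\
CHECKPOINT-MIB::tunnelState.1 = INTEGER: 3
CHECKPOINT-MIB::tunnelState.2 = INTEGER: 131
CHECKPOINT-MIB::tunnelState.3 = INTEGER: 130
CHECKPOINT-MIB::tunnelState.4 = INTEGER: 131
CHECKPOINT-MIB::tunnelState.5 = INTEGER: 999
"""

LINE_RE = re.compile(r"tunnelState\.(\d+)\s*=\s*INTEGER:\s*(\d+)")


def parse_walk(text: str) -> Dict[int, int]:
    """Return {instanceID: stateCode} for every tunnelState instance in the walk."""
    states: Dict[int, int] = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            states[int(m.group(1))] = int(m.group(2))
    return states

def describe(code: int) -> str:
    """State name for a code; codes not in the MIB list are flagged, not guessed."""
    return TUNNEL_STATES.get(code, f"unknown({code})")

def evaluate_watch(states: Dict[int, int], instance: str = "all") -> List[Tuple[int, str]]:
    """Mimic the watch: instance "all" (tunnelState.#) checks every tunnel, a numeric
    instance checks that one tunnel. Returns the (instanceID, state) pairs that meet
    the threshold, i.e. the tunnels the watch would raise the tunnel-down alarm for."""
    if instance == "all":
        selected = list(states.items())
    else:
        idx = int(instance)
        selected = [(idx, states[idx])] if idx in states else []
    return [(i, describe(c)) for i, c in selected if c == DOWN_THRESHOLD]

if __name__ == "__main__":
    walk = parse_walk(SAMPLE_WALK)
    print("tunnel-down alarm for:", evaluate_watch(walk))
```

Paste the real MIB Tools GetNext output into SAMPLE_WALK to confirm which instance IDs exist before choosing between tunnelState.# with "all" and a single-instance expression.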

Additional Information

Please reference the "Managing MIBs and Traps With MIB Tools" section of the documentation for more information.

Please reference the "Watches" section of the documentation for more information.