Currently, out of box VPN tunnel support is for Cisco devices supporting the CISCO-IPSEC-FLOW-MONITOR-MIB and CISCO-IPSEC-MIB 

However, for devices such as Checkpoint firewall, a SpectroWATCH can be created to monitor the VPN tunnel state of each tunnel, and alarm when the tunnel goes down. 

How can VPN tunnel state be monitored for Checkpoint Firewalls? 

DX NetOps Spectrum all currently supported releases

While Spectrum does not have Checkpoint Firewall VPN support out of box, if Checkpoint MIBS are imported into Spectrum, then a SpectroWATCH can be created to monitor the CHECKPOINT MIB attribute Tunnel State OID 1.3.6.1.4.1.2620.500.9002.1.3 

- tunnel state (3=active, 4=destroy, 129=idle, 130=phase1, 131=down, 132=init, see SK63663) 

1. Map tunnelState to an Attribute using MIB Tools

2. Create Watch on the attribute 

- tunnelState is a list attribute - contains a list of currently configured tunnels on the Checkpoint device  

**** Watch Expression **** 

1. Expression can be either tunnelState.# with instance set to "all"
   
   
2. Or expression can be set to tunnelState.192.168.0.9.0 where "192.168.0.9.0" is the instanceID of that tunnel as seen on Getnext query of tunnelState in MIB Tools. For example:
   
   
   
   
   
   

3. **** Watch Properties *****

   
   Recommend "evaluate by polling" and UNCHECK "make inheritable"
   
   
4. Reason is Checkpoint devices in 10.1 are "GnSNMPDev" and setting a polling Watch on GnSNMPDev with "make inheritable" would force Spectrum to evaluate the watch on virtually almost all models in Spectrum - which could cause performance problems
   
   So, only run the watch on GnSNMPDev devices to ensure optimal performance
   
   

5. **** Watch Threshold ****

   
   Recommend setting threshold == 131 - tunnel down
   
   
6. Set Event to raise Alarm when tunnel is down