We have two PA firewalls in an active->passive setup. Both firewalls have the same VPN connections with other organizations, but they are only being used on the active firewall. The problem is, when I enabled the "Site-to-Site VPN Tunnel Down" alert, I would receive two alerts every time a tunnel reset or went down: one from the active FW and one from the passive FW. I'm trying to adjust the alert to only alert on tunnels going down if they are on the active FW, but I'm having a lot of problems. There is no field defining which FW is active, so I'm having to use a SWQL query, of which I know very little. Below is what I have, and I think it is all I need, but I don't know how to put them together into a single query.
***This is the SWQL language for the default alert trigger indicating the status of a tunnel has changed.
SUBSCRIBE CHANGES TO Cortex.Orion.NetMan.Firewalls.SiteToSiteTunnel
INCLUDE [Uri] AS [Uri], [DisplayName] AS [DisplayName], [Status] AS [Status], PREVIOUS([Status]) AS [PREVIOUS(Status)]
WHEN ( ( ( [Status] CHANGED ) AND ( ( [Status] = 2 ) ) ) )
***This is the SWQL language for identifying which FW is active.
SELECT CustomPollerAssignmentOnNode.Uri, CustomPollerAssignmentOnNode.DisplayName FROM Orion.NPM.CustomPollerAssignmentOnNode AS CustomPollerAssignmentOnNode
WHERE ( ( CustomPollerAssignmentOnNode.[CustomPoller].[OID] = '1.3.6.1.4.1.25461.2.1.2.1.11' ) AND ( CustomPollerAssignmentOnNode.[CustomPollerStatusScalar].[Status] = 'active' ) )
Can anyone help me with this? Again, I only want to be alerted when a tunnel goes down if it is on the active firewall and I don't want to hardcode the node name into the query in case the FWs switch roles.