topic Re: Mobile Access Log In and Log Out in Firewall and Security Management

Mobile Access Log In and Log Out

lucafabbri365 — Thu, 14 May 2020 08:16:54 GMT

Hello Community,
I'm writing to ask for a question regarding Mobile Access login and logout events.

The main objective is to retrieve login and logout events for all VPN client users and the VPN client version. I understand the "logout" event could have multiple reasons: session timeout, manual disconnection (by end-user).

Environment Description

- Check Point R80.20 Take 80 (1 VM Security Managements and 2 physical cluster nodes - Open Server)
- LDAP authentication
- VPN client: Check Point Remote Access VPN client (Windows) - product: Check Point Mobile

- Log Generation: per Connection

I started to looking at login events in SmartConsole logs but I found a "strange" behavior for some users, sometimes.

Example 1

- Filter: blade:("Mobile access") AND action:"Log In" and User01
- Time range: yesterday (2020-05-14)

As you can notice by results, there is only one login event related to User01 matching the filter (I removed some parts for privacy - see the attached screenshot 01-User01 login events - SmartConsole Log.png):

Now the User01 connected to VPN in the afternoon (16:31) but also in the morning (!!!) at 08:35 (+/-), but there is no trace in the log. I tried to modify the filter including the Identity Awareness blade too:

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User01
- Time range: yesterday (2020-05-13)

This time I get more results (see the attached screenshot 02-User01 login events - SmartConsole Log.png):

The user authenticated at 08:36 in Active Directory (because connected to VPN).
If I change the time range for the same user (today - 2020-05-14) I found expected login entries for Mobile Access blade (see the attached screenshot 03-User01 login events - SmartConsole Log.png):

Question: WHY, sometimes, for some users, I have no trace for Mobile Access blade ?

Example 2

If I search for another user User02 (mine) it is working as expected: I notice three entries related to logins: one for blade Mobile Access and the other two for Identity Awareness (see the attached screenshot 04-User02 login events - SmartConsole Log.png):

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User02
- Time range: yesterday (2020-05-14)

Please, can you give me your opinion ?

Thank you,
Luca

Re: Mobile Access Log In and Log Out

Timothy_Hall — Thu, 14 May 2020 12:44:50 GMT

This sounds quite similar to:

https://community.checkpoint.com/t5/Logging-and-Reporting/Remote-vpn-login-logs-are-rewrite-after-authentication-timeout/m-p/85003#M4920

May want to post in that thread and see if the TAC has gotten involved.

Re: Mobile Access Log In and Log Out

lucafabbri365 — Thu, 14 May 2020 16:55:07 GMT

Hello Timothy,
thank you for your answer.
Yes, it seems to be similar to the other post; I'll write there.

At meanwhile I opened a support ticket.

I just checked the login events (blade:"Mobile Access") for UserA this morning (2020-05-14) and I found an entry at 08:35 (+/-) and re-checked it in the afternoon: it disappeared; maybe overwritten by a new entry at 4:36pm (WHY ?!?).

UserB (mine), for example, is not affected by this behavior; I found two entries, one at 09:09 and the other at 5.45pm and they correspond to login I made through Check Point VPN client.

Bye,
Luca

Re: Mobile Access Log In and Log Out

PhoneBoy — Fri, 15 May 2020 21:21:33 GMT

Pretty sure this is log consolidation taking place.
TAC should be able to confirm if this is expected behavior or not.

Re: Mobile Access Log In and Log Out

lucafabbri365 — Fri, 15 May 2020 22:19:15 GMT

Hello @PhoneBoy,

if that's the case, it would be nice to understand why it doesn't happen for ALL (look at my post: UserA affected, UserB not affected).

Let's wait the support and I'll give write feedback here.

Thank you,
Luca