topic Re: User Count in Firewall and Security Management

User Count

Maarten_Sjouw — Mon, 21 Jan 2019 07:10:31 GMT

I'm looking for a way to see how many unique IP's have been passing through the FW during a day. Is there anyone who can tell me how to get this, If I need to run a script that just mails me the total per day every day, that is fine with me, it is just that I do not have a clue how and where to start.

Running R80.10 ATM and no IA in use. We will soon be moving to R80.20 and IA will be enabled also, but this can take another 3-6 months.

Re: User Count

Danny — Mon, 21 Jan 2019 08:02:35 GMT

I would check if it's possible to get that info from cpstat or cpinfo. If that's not of help I would probably just do a logrotate at midnight, dump the content to text, delete everything except the IPs, sort, uniq, wc -l and email the returned number to my inbox.

Re: User Count

G_W_Albrecht — Mon, 21 Jan 2019 10:24:20 GMT

According to sk10200: 'too many internal hosts' error in /var/log/messages on Security Gateway, the Security Gateway listens for any IP-based traffic on all interfaces except for the one deemed "external", which is decided by the user and listed in $FWDIR/conf/external.if file. Anytime a host is "heard" talking on a non-external interface, Security Gateway logs this information in $FWDIR/database/fwd.h file and in $FWDIR/database/fwd.hosts file on the Security Gateway.

Re: User Count

Maarten_Sjouw — Mon, 21 Jan 2019 11:47:08 GMT

Sorry Günther W. Albrecht, I checked but it seems that in a unlimited license environment these files do not exist.

Thanks https://community.checkpoint.com/people/917b8439-9d5c-34f0-b86a-f0e1b0a14cbd we were able to use this and find the number, now I just need to make sure we collect all the correct information, to make sure that when a logfile crosses the 2GB limit, we collect all information of each day.

But we are on the right path.

Re: User Count

Danny — Mon, 21 Jan 2019 11:50:32 GMT

I'm glad I could be of help.

Re: User Count

Maarten_Sjouw — Mon, 21 Jan 2019 12:34:24 GMT

This is what we ended up doing:

cd $FWDIR/log
fwm logexport -np -i log/2019-01-17_000000.log -o 2019-01-17_000000.exp
cat 2019-01-16_000000.exp | grep accept | cut -d ';' -f20 | sort | uniq | grep '^10.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' > ip-list

wc -l ip-list > count

Re: User Count

Danny — Mon, 21 Jan 2019 12:50:02 GMT

Thanks for posting the final solution.

Re: User Count

G_W_Albrecht — Mon, 21 Jan 2019 13:22:15 GMT

This seems appropriate as all these files are used for is User IP counting for checking the license limits. Unlimited licenses do not need that, of course, but you did not mention that in your initial post at all...

Re: User Count

Maarten_Sjouw — Mon, 21 Jan 2019 16:34:08 GMT

I thought that user based licenses were a thing of the past since the blade licenses? It's a long time ago that I have seen licenses with a user limit, where it also was enforced.

Re: User Count

JozkoMrkvicka — Mon, 21 Jan 2019 16:34:18 GMT

Valid under the assumption that all firewall rules are logged.

Re: User Count

G_W_Albrecht — Tue, 22 Jan 2019 08:48:11 GMT

No, we still have user based licenses (e.g. EPS clients) and seat based licenses (e.g. MAB, only the number of concurrent users is limited). Also see Remote Access Users license + count.

Re: User Count

Maarten_Sjouw — Wed, 23 Jan 2019 06:14:05 GMT

Polished it a bit and put it in a bash script with the added point that you can add the logfile name on the command line:

LF=$1
if [ "$LF" == "" ]; then
LF="fw.log"
fi
fwm logexport -np -i $LF | grep accept | cut -d ';' -f20 | sort | uniq | grep '^10.[0-9]\{1,3\}\.[0-9]\{1,3\}\.[0-9]\{1,3\}$' > IP-list
wc -l IP-list > count
echo
echo
echo "For logfile $LF the number of unique IPs is:"
cat count