This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Marko_Keca
Contributor
‎2021-08-18 03:56 AM

Disable inactive local users via API?

Hello all,

Is it possible to disable inactive local users via API?

We have request from our customer to automate process for checking local users and disable them if they are not used for VPN access more than 30 days?

Users are locally created and authenticated over RADIUS (OTP).

Thanks in advance!

 

Regards,
--
Marko

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2021-08-18 06:55 AM

Unfortunately last login is not something that is tracked in the user record on our end.
I suppose you can look for logins in the logs by querying the logs for that user and seeing if they logged in at all in the last 30 days.
Or query the RADIUS server logs for this information.
Then use the API to delete the relevant user via the API.

0 Kudos
_Val_
Admin
Admin
‎2021-08-18 08:21 AM

You need to go over several steps here:

  1. query all defined users and save to the list
  2. run the list over VPN logs to see which where not logged in during the last month. To do that, you will need to keep at least 31 days of logs available. make a list of candidates to remove
  3. run delete user over the list from step 2

 

0 Kudos
Marko_Keca
Contributor
‎2021-08-20 03:55 AM
In response to _Val_

Hello Val, PhoneBoy,

Thanks for quick reply and suggestions!
We'll try to do it on RADIUS or SIEM.

I'm also thinking about creating LogExporter configuration to send only login events to separate syslog server to decrease amount of logs we need to parse. We can then parse the logs and get list of users for required period.

 

Regards,
--
Marko

0 Kudos
_Val_
Admin
Admin
‎2021-08-20 04:00 AM
In response to Marko_Keca

Why on a third party? You have VPN logs on Check Point side, and a user is mentioned in the log upon RAS VPN login.

0 Kudos
Marko_Keca
Contributor
‎2021-08-20 04:11 AM
In response to _Val_

Hi Val,

How can I search/parse logs from CLI/Bash? I need to automate it as much as possible.

Customer is using Splunk as SIEM, so there is possibility we can make most of the job there, as logs are already sent to Splunk.
I'm thinking of something like this:
https://community.splunk.com/t5/Splunk-Search/Search-for-Users-that-have-not-Logged-in-in-the-Last-3...

But we don't have access to Splunk, as another team is responsible for it.

If we can automate it somehow on CP only, it would be great, cause then we will not depend on other teams and vendors


Regards,
--
Marko

 

0 Kudos
_Val_
Admin
Admin
‎2021-08-20 04:59 AM
In response to Marko_Keca

You can run a SmartView report and export it to csv. One of the ways is explained in sk117773. Splunk also is a way, of course, if you send the related logs there

0 Kudos