Query RAS user count using API
Hello community,
does anybody know a way to query the count of current RAS users using the API?
I guess during the current time of extended home office working due to pandemic precautions, having a good overview over the current RAS user count per gateway is helpful.
I'm aware of sk54641, but the value retrievable via SNMP is just wrong. It's the same wrong number SmartConsole/SmartViewMonitor/GaiaDashboard is showing as Active Tunnels - Remote Access. The table Users by Gateway in SmartViewMonitor is showing the correct number (when counting the lines).
See here the CLI output:
fw tab -t userc_users -s
HOST NAME ID #VALS #PEAK #SLINKS
localhost userc_users 165 554 662 0
iso.3.6.1.4.1.2620.1.2.5.4.23.0 = Counter64: 2245
The value 554 is the correct one. 2245 is just wrong and I have no idea how this number is calculated.
Just plain old IPSecVPN blade here, if this is important. No MobileAccess blade. All users are using current Endpoint VPN Security Client and Office Mode.
As long as this ?bug? is not fixed, we need a way to retrieve the correct number remotely.
Btw, has anybody experience with NRPE or something like that on GAIA?
Thanks for any ideas!
Accepted Solutions
I thought you already have REST API based solution and want to get the data this way.
From where I stand, you could run Ansible or Terraform, or any other popular tools to retrieve the data. In addition, similar API call is available directly from GAIA OS API: https://sc1.checkpoint.com/documents/latest/APIs/#clish/run-script~v1.6%20
For API calls, you need an admin account and client defined. You can also run mgmt_cli tool on the management itself.
It is a good idea, actually, cause you could use the default admin for auth with mgmt_cli, and then SIC auth (no additional admin credentials) to reach out to GWs and run the scripts there. ./jq or basic grep would do the rest.
If you do not want to invest time and efforts into Orchestration tools at this point, simple python based scripts would do the trick.
Or, the laziest way is to use technique described here:
https://community.checkpoint.com/t5/Enterprise-Appliances-and-Gaia/GAIA-Easy-execute-CLI-commands-on...
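
The run-script approach from this answer, sketched as an added example that is not part of the original posts: it decodes a task reply, reads #VALS from the `fw tab -t userc_users -s` output quoted in the question, and maps it to an Icinga/Nagios plugin state. The request key names and the base64 `responseMessage` reply field are assumptions to check against the API reference; the script name `ras-user-count`, the thresholds and the sample reply are constructed.

```python
import base64
import re

SCRIPT = "fw tab -t userc_users -s"  # fixed command from the thread, never templated

def build_run_script_payload(gateway):
    """Request body for run-script (key names assumed from the API reference)."""
    if not re.fullmatch(r"[A-Za-z0-9._-]+", gateway):
        raise ValueError("unexpected characters in gateway name")
    return {"script-name": "ras-user-count", "script": SCRIPT, "targets": [gateway]}

def decode_task_output(reply):
    """Assumed reply shape: base64 script output in task-details[].responseMessage."""
    details = reply["tasks"][0]["task-details"][0]
    return base64.b64decode(details["responseMessage"]).decode("utf-8", "replace")

def parse_userc_users(text):
    """Return (#VALS, #PEAK) for userc_users, matching columns by header name."""
    rows = [line.split() for line in text.splitlines() if line.strip()]
    for header, row in zip(rows, rows[1:]):
        if "#VALS" in header and len(row) == len(header):
            rec = dict(zip(header, row))
            if rec.get("NAME") == "userc_users":
                return int(rec["#VALS"]), int(rec["#PEAK"])
    raise ValueError("userc_users summary row not found")

def evaluate(reply, warn, crit):
    """Plugin states: 0 OK, 1 WARNING, 2 CRITICAL, 3 UNKNOWN (unreadable reply)."""
    try:
        count, peak = parse_userc_users(decode_task_output(reply))
    except (KeyError, IndexError, TypeError, ValueError) as exc:
        return 3, f"UNKNOWN - could not read userc_users: {exc}"
    code = 2 if count >= crit else 1 if count >= warn else 0
    label = ("OK", "WARNING", "CRITICAL")[code]
    return code, f"{label} - {count} RAS users (peak {peak}) | ras_users={count};{warn};{crit}"

# Constructed sample: the fw tab output quoted in the question, wrapped as a task reply.
SAMPLE_OUTPUT = "HOST NAME ID #VALS #PEAK #SLINKS\nlocalhost userc_users 165 554 662 0\n"
SAMPLE_REPLY = {"tasks": [{"task-details": [
    {"responseMessage": base64.b64encode(SAMPLE_OUTPUT.encode()).decode()}]}]}

if __name__ == "__main__":
    print(evaluate(SAMPLE_REPLY, warn=500, crit=600)[1])
```

A reply that cannot be decoded or parsed yields UNKNOWN rather than a count of zero, so a failed API call is not mistaken for an idle gateway.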
fw tab is the best command for this purpose - see Remote Access Users license + count for other possible parameters and outputs!
Thank you, Albrecht, for this quick reply, but this is what I know already: fw tab is giving the correct information.
The question was, how to retrieve this value remotely. From a system monitoring platform like HP OpenView, Solar Winds, Icinga or whatever.
You can use mgmt_cli run-script command, look here for more details: https://sc1.checkpoint.com/documents/latest/APIs/#cli/run-script~v1.6%20
That could work, thank you, Val.
We would need to make mgmt_cli runnable on a non Check Point Linux host (monitoring worker platform) and it is a quite costly operation to just retrieve a single value (create session with management which creates session with gateway (I hope not in using CPMI)), but it should work. From a security point of view, I have concerns. What kind of permissions would be needed for mgmt_cli run-script on a gateway target and is it a good idea to provide such high privilege credentials to a monitoring platform?
BTW, any idea, why the values retrievable by SNMP and GUI tools are wrong?
You're right, there is of course no need to use mgmt_cli, as run-script is also available over API web service. Not sure why I didn't have that idea yesterday. Thanks also for hinting me to all the other options we have!
happy to help
Btw, OID .1.3.6.1.4.1.2620.1.2.5.4.23 surprisingly works on SMB but it only counts users with built-in accounts. Those that are using their domain ones are not counted.