lucafabbri365
Collaborator

Mobile Access Log In and Log Out

Hello Community,
I'm writing to ask a question regarding Mobile Access login and logout events.

The main objective is to retrieve login and logout events for all VPN client users and the VPN client version. I understand the "logout" event could have multiple reasons: session timeout, manual disconnection (by end-user).

Environment Description

- Check Point R80.20 Take 80 (1 VM Security Management and 2 physical cluster nodes - Open Server)
- LDAP authentication
- VPN client: Check Point Remote Access VPN client (Windows) - product: Check Point Mobile

 01-Check Point Remote Access.PNG

- Log Generation: per Connection

I started looking at login events in the SmartConsole logs, but I found a "strange" behavior for some users, sometimes.

Example 1

- Filter: blade:("Mobile access") AND action:"Log In" and User01
- Time range: yesterday (2020-05-14)

As you can see from the results, there is only one login event related to User01 matching the filter (I removed some parts for privacy - see the attached screenshot 01-User01 login events - SmartConsole Log.png):

02-UserA login events - SmartConsole Log.PNG

Now, User01 connected to the VPN in the afternoon (16:31) but also in the morning (!!!) at 08:35 (+/-), but there is no trace in the log. I tried to modify the filter to include the Identity Awareness blade too:

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User01
- Time range: yesterday (2020-05-13)

This time I get more results (see the attached screenshot 02-User01 login events - SmartConsole Log.png):

03-UserA login events - SmartConsole Log.PNG

The user authenticated at 08:36 in Active Directory (because they connected to the VPN).
If I change the time range for the same user (today - 2020-05-14), I find the expected login entries for the Mobile Access blade (see the attached screenshot 03-User01 login events - SmartConsole Log.png):

03-User01 login events - SmartConsole Log.PNG

Question: WHY, sometimes, for some users, do I have no trace for the Mobile Access blade?

Example 2

If I search for another user, User02 (mine), it is working as expected: I notice three entries related to logins: one for the Mobile Access blade and the other two for Identity Awareness (see the attached screenshot 04-User02 login events - SmartConsole Log.png):

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User02
- Time range: yesterday (2020-05-14)

03-User02 login events - SmartConsole Log.PNG

Please, can you give me your opinion?

Thank you,
Luca

4 Replies
Timothy_Hall
Legend

This sounds quite similar to:

https://community.checkpoint.com/t5/Logging-and-Reporting/Remote-vpn-login-logs-are-rewrite-after-au...

May want to post in that thread and see if the TAC has gotten involved.

lucafabbri365
Collaborator

Hello Timothy,
thank you for your answer.
Yes, it seems to be similar to the other post; I'll write there.

In the meantime, I opened a support ticket.

I just checked the login events (blade:"Mobile Access") for UserA this morning (2020-05-14) and I found an entry at 08:35 (+/-) and re-checked it in the afternoon: it disappeared; maybe overwritten by a new entry at 4:36pm (WHY ?!?).

UserB (mine), for example, is not affected by this behavior; I found two entries, one at 09:09 and the other at 5.45pm, and they correspond to the logins I made through the Check Point VPN client.

Bye,
Luca

 

PhoneBoy
Admin

Pretty sure this is log consolidation taking place.
TAC should be able to confirm if this is expected behavior or not.
lucafabbri365
Collaborator

Hello @PhoneBoy,

if that's the case, it would be nice to understand why it doesn't happen for ALL (look at my post: UserA affected, UserB not affected).

Let's wait for support and I'll write feedback here.

Thank you,
Luca

 

