Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
lucafabbri365
Collaborator

Mobile Access Log In and Log Out

Hello Community,
I'm writing to ask for a question regarding Mobile Access login and logout events.

The main objective is to retrieve login and logout events for all VPN client users and the VPN client version. I understand the "logout" event could have multiple reasons: session timeout, manual disconnection (by end-user).

Environment Description

- Check Point R80.20 Take 80 (1 VM Security Managements and 2 physical cluster nodes - Open Server)
- LDAP authentication
- VPN client: Check Point Remote Access VPN client (Windows) - product: Check Point Mobile

 01-Check Point Remote Access.PNG

- Log Generation: per Connection

I started to looking at login events in SmartConsole logs but I found a "strange" behavior for some users, sometimes.

Example 1

- Filter: blade:("Mobile access") AND action:"Log In" and User01
- Time range: yesterday (2020-05-14)

As you can notice by results, there is only one login event related to User01 matching the filter (I removed some parts for privacy - see the attached screenshot 01-User01 login events - SmartConsole Log.png):

02-UserA login events - SmartConsole Log.PNG

Now the User01 connected to VPN in the afternoon (16:31) but also in the morning (!!!) at 08:35 (+/-), but there is no trace in the log. I tried to modify the filter including the Identity Awareness blade too:

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User01
- Time range: yesterday (2020-05-13)

This time I get more results (see the attached screenshot 02-User01 login events - SmartConsole Log.png):

03-UserA login events - SmartConsole Log.PNG

The user authenticated at 08:36 in Active Directory (because connected to VPN). 
If I change the time range for the same user (today - 2020-05-14) I found expected login entries for Mobile Access blade (see the attached screenshot 03-User01 login events - SmartConsole Log.png):

03-User01 login events - SmartConsole Log.PNG

Question: WHY, sometimes, for some users, I have no trace for Mobile Access blade ?

Example 2

If I search for another user User02 (mine) it is working as expected: I notice three entries related to logins: one for blade Mobile Access and the other two for Identity Awareness (see the attached screenshot 04-User02 login events - SmartConsole Log.png):

- Filter: blade:("Mobile access" or "Identity Awareness") AND action:"Log In" and User02
- Time range: yesterday (2020-05-14)

03-User02 login events - SmartConsole Log.PNG

Please, can you give me your opinion ?

Thank you,
Luca

0 Kudos
4 Replies
This widget could not be displayed.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events