It appears that many folks are having issues with usable reporting for understanding the current number of active remote access users. From tomorrow my organisation will work remotely and I have to manually pull and record data for dashboard reporting. I know that you can use SmartConsole >>> New Tab >>> Tunnel & User Monitoring to view real-time or historical reporting, but the Active RA Tunnels Sessions information appears to be incorrect (we have logged a ticket). So we use "fw tab -t userc_users -s" at various intervals to get a more accurate number of active users.
For auditing purposes, my organisation would like to know user activity such as when and how long a user was connected. As we don't have all log events going to the SIEM, on a daily basis in the Web SmartView, I use the following filter in Logs to get the previous day's sessions: blade:"Mobile Access" AND action:("Log In" OR "Log Out" OR "Failed Log In"). I export this to Excel, import it into MS Access, and join the Log In and Log Out events by Session ID; the report is then almost done.
The problem is that I have noticed that some Log In events do not have a matching Log Out event. In most cases there is a "Session timeout" or "User has signed off" Log Out event. The Log In (row 2) event in the list below has no Log Out event. I assume that the session was interrupted. As there is a new Log In (row 3) 5 hours later, the assumption is that there must be a log out, or is it a re-establishment of the previous session with a laptop going to sleep? But then the duration does not match, nor do the session IDs.
User | Action | Time | Status | Action | Time | Duration | Reason for Failure | Session ID |
Dummy User | Log In | 22/03/2020 20:48:55 | Success | Log Out | 23/03/2020 04:48:52 | 28800 | Session timeout | 5E773487-0000-0000-A884-0221FD4E0000 |
Dummy User | Log In | 23/03/2020 05:53:25 | Success | | | | | 5E77B425-0000-0000-A884-0221FD4E0000 |
Dummy User | Log In | 23/03/2020 10:51:14 | Success | Log Out | 23/03/2020 11:15:43 | 1500 | User has signed off | 5E77F9F2-0000-0000-A884-0221FD4E0000 |
Dummy User | Log In | 23/03/2020 11:18:34 | Success | Log Out | 23/03/2020 19:18:29 | 28800 | Session timeout | 5E78005A-0000-0000-A884-0221FD4E0000 |
Please could anyone confirm whether the missing Log Out event is normal behaviour? Is anyone else having an issue regarding the incorrect Active RA Tunnels vs "fw tab -t userc_users -s"?
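Added example, not part of the original post: a Python version of the join described above that pairs Log In and Log Out rows by Session ID and keeps logins with no Log Out as open-ended sessions instead of dropping them. The CSV column names and the sample rows are constructed from the table in the post; they are assumptions, not the real SmartView export header.

```python
import csv, io
from datetime import datetime

# Constructed sample mirroring the export described in the post
# (column names are assumptions, not the real SmartView export header).
SAMPLE = """user,action,time,reason,session_id
Dummy User,Log In,22/03/2020 20:48:55,,5E773487-0000-0000-A884-0221FD4E0000
Dummy User,Log Out,23/03/2020 04:48:52,Session timeout,5E773487-0000-0000-A884-0221FD4E0000
Dummy User,Log In,23/03/2020 05:53:25,,5E77B425-0000-0000-A884-0221FD4E0000
Dummy User,Log In,23/03/2020 10:51:14,,5E77F9F2-0000-0000-A884-0221FD4E0000
Dummy User,Log Out,23/03/2020 11:15:43,User has signed off,5E77F9F2-0000-0000-A884-0221FD4E0000
"""
FMT = "%d/%m/%Y %H:%M:%S"

def build_sessions(text):
    """Pair Log In / Log Out rows by session ID; keep unmatched logins."""
    sessions = {}
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["time"], FMT)
        s = sessions.setdefault(row["session_id"], {
            "session_id": row["session_id"], "user": row["user"],
            "login": None, "logout": None, "reason": None})
        if row["action"] == "Log In":
            s["login"] = ts
        elif row["action"] == "Log Out":
            s["logout"], s["reason"] = ts, row["reason"]
    # Log Out rows whose Log In falls outside the export window are skipped.
    out = sorted((s for s in sessions.values() if s["login"]),
                 key=lambda s: (s["user"], s["login"]))
    for i, s in enumerate(out):
        if s["logout"]:
            s["seconds"] = int((s["logout"] - s["login"]).total_seconds())
            s["status"] = "closed"
            continue
        # No Log Out: the end time is unknown. The same user's next Log In
        # is only an upper bound, so report it separately from a duration.
        nxt = out[i + 1] if i + 1 < len(out) and out[i + 1]["user"] == s["user"] else None
        s["seconds"], s["status"] = None, "no_logout"
        s["max_seconds"] = int((nxt["login"] - s["login"]).total_seconds()) if nxt else None
    return out

if __name__ == "__main__":
    for s in build_sessions(SAMPLE):
        print(s["user"], s["login"], s["status"], s["seconds"], s.get("max_seconds"))
```

The `seconds` value is computed from the two timestamps, so it can differ slightly from the Duration field in the log (for example 28797 against the logged 28800 for the first session).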