This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
teereepee
Explorer
‎2020-03-23 06:31 AM

No Log Out Event for Remote Access user Session (r80.20)

I appears that many folks are appear to be having issues with usable reporting for understanding current number of active remote access users. From tomorrow my organisation will work remotely and I have to manually pull and record data for dash board reporting. I know that you can use SmartConsole >>> New Tab >>> Tunnel & User Monitoring to view real-time or historical reporting but the Active RA Tunnels Sessions information appear to incorrect (we have logged a ticket).  So we use "fw tab -t userc_users -s" at various intervals to get a more accurate number of active users.

For Auditing purposes , my organisation would like to know user activity such as when and how long a user was connected. As we don't have all log events going to the SIEM, on a daily basis in the Web SmaryView, I use the the following filter in Logs to get the previous days sessions, blade:"Mobile Access" AND action:("Log In" OR "Log Out" OR "Failed Log In") , I export this to excel import in the MS Access, Join the Log In and Log Out events by Session ID, the report is almost done.

Problem is that I have noticed that some Log In events do not have a matching Log Out event. In most cases there is a Session timeout or User has signed off Log Out event. The Log In (Row 2) event in the list  below has no Log Out event. I assume that the session was interrupted. As there is a new Log In (row 3) 5 hours later so the assumption is there must be a log out or is it a reestablishment of the previous session with a laptop going to sleep, but then the duration does not match. nor do the session ID

UserActionTimeStatusActionTimeDurationReason for FailureSession ID
Dummy UserLog In22/03/2020 20:48:55SuccessLog Out23/03/2020 04:48:5228800Session timeout5E773487-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 05:53:25Success    5E77B425-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 10:51:14SuccessLog Out23/03/2020 11:15:431500User has signed off5E77F9F2-0000-0000-A884-0221FD4E0000
Dummy UserLog In23/03/2020 11:18:34SuccessLog Out23/03/2020 19:18:2928800

Session timeout

5E78005A-0000-0000-A884-0221FD4E0000

       

 

 

 

Please could anyone confirm if the missing log out event is normal behaviour? Is anyone else having an issue regarding the incorrect Active RA Tunnels vs "fw tab -t userc_users -s"

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2020-03-24 03:12 PM

Log Out events are only generated when the server receives notification from the client they are disconnecting.
That can happen for a lot of reasons and is normal.
For the same reason, it will impact the accuracy of things like counting the number of entries in userc_rules, which contains information on VPN clients that have been connected in the last 15 minutes.
However, the userc_rules table is likely the most accurate measure.

There is a setting (Global Properties, I think) that limits users to a single VPN session at a time.
This is likely a good idea for security reasons and I suspect this will also generate a Log Off event for sessions that are still active by that user (e.g. due to temporary disconnection).
0 Kudos
teereepee
Explorer
‎2020-03-24 03:32 PM
In response to PhoneBoy

Thank you very much for the reply and I assume that to be the case, I found last night it appears that log in sessions are also mssing1. I logged in at 06:53 AM (No event), refreshed log in 14:50 (event present) and refreshed log in at 22:47 (event present). This really makes it difficult to get an accurate picture. We will have a look global setting.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events