Moe_89
Contributor

Remote VPN users report

Hello,

Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc. ?

Something similar to fwm dbexport.

4 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin

You can get a list of the users easily enough using the following command:

mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].name

Note: there is no official API support for locally defined users, so "generic objects" have to be used here.
If you have more than 500 users, you will have to execute variants of this command multiple times.
For example, to get the next 500 users:

mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 500 | jq .objects[].name

Last login time is not something we store in the user database (generic objects or not), so you'll have to get it from the logs. Couple threads on this:

0 Kudos
PhoneBoy
Admin
Admin

For those following along at home, here's what the command outputs:

[Expert@sbt-check-point-gw-r8040:0]# fw tab -t userc_users -f -u
  Using cptfmt
Formatting table's data - this might take a while...

localhost:
Date: Mar 19, 2020
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : (+)====================================(+); Table_Name: userc_users; : (+); Attributes: dynamic, id 144, attributes: keep, sync, kbuf 1, local sync, expires 900, , hashsize 16384, limit 10000; LastUpdateTime: 19Mar2020 3:30:34; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; SRAddress: 172.16.10.1; Schema: SSL(8); UserName: Bob; UserDN: CN=Bob,CN=Users,DC=ir,DC=local; MyRange:First: ; Last: 255.255.255.255; PeerRange:First: 172.16.10.1; PeerLast: 172.16.10.1; ConnectTime: 1584581121; RouteTraffic: 0; Expires: 900/900; LastUpdateTime: 19Mar2020 3:30:34; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;

The ConnectTime is when the users connected, but it's listed as seconds since the Epoch (Jan 1 1970 @ 00:00:00 GMT).
There are ways to convert this to a usable date/time, I'm sure.

0 Kudos
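One way to turn the ConnectTime values in that output into a date and a connection duration, as an added example that is not part of the original post. The function names are assumptions; the header and Bob rows in the sample are abridged from the output above and the Alice row is constructed.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Header and Bob rows are abridged from the post's output; the Alice row is constructed.
SAMPLE = """\
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; Table_Name: userc_users; LastUpdateTime: 19Mar2020 3:30:34;
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; SRAddress: 172.16.10.1; Schema: SSL(8); UserName: Bob; UserDN: CN=Bob,CN=Users,DC=ir,DC=local; ConnectTime: 1584581121; Expires: 900/900;
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; SRAddress: 172.16.10.2; Schema: SSL(8); UserName: Alice; UserDN: CN=Alice,CN=Users,DC=ir,DC=local; ConnectTime: 1584586800; Expires: 900/900;
"""

# Every attribute in a row is printed as "Key: value;".
FIELD = re.compile(r"(\w+): ([^;]*);")


def parse_sessions(text, now=None):
    """Return one dict per connected user with the start time in UTC and seconds online."""
    now = now or datetime.now(timezone.utc)
    sessions = []
    for line in text.splitlines():
        fields = dict(FIELD.findall(line))
        epoch = fields.get("ConnectTime", "")
        if "UserName" not in fields or not epoch.isdigit():
            continue  # table header, banner text or blank line
        start = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
        sessions.append({
            "user": fields["UserName"],
            "address": fields.get("SRAddress", ""),
            "connected_utc": start.isoformat(),
            "seconds": max(0, int((now - start).total_seconds())),
        })
    return sessions


def to_csv(sessions):
    """Render the sessions as CSV with the duration as h:mm:ss."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["user", "address", "connected_utc", "duration"])
    for s in sessions:
        hours, rest = divmod(s["seconds"], 3600)
        writer.writerow([s["user"], s["address"], s["connected_utc"],
                         "%d:%02d:%02d" % (hours, rest // 60, rest % 60)])
    return out.getvalue()


if __name__ == "__main__":
    # Reference time equals the table's LastUpdateTime, read as UTC for this demo only.
    ref = datetime(2020, 3, 19, 3, 30, 34, tzinfo=timezone.utc)
    print(to_csv(parse_sessions(SAMPLE, now=ref)))
```

Feed it the saved output of `fw tab -t userc_users -f -u`; without `now`, durations are measured against the current UTC time.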
47 Replies

Scott_Perry1
Participant

PhoneBoy,

 

Tried the command, it errored out (image attached).  Am in expert mode.  Here is the error.  Thank you for your time.

 

0 Kudos
Andres_Solari
Participant
Hello, how can I list 700 users? Where must I put the offset command? Thanks in advance.
0 Kudos
Andres_Solari
Participant
I resolved it with the following command: "mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 0 | jq .objects[].Name" but I have 760 users. How can I fix it? Thanks in advance.
PhoneBoy
Admin
Admin

You have to ask for the next 500 results like so:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 500 | jq .objects[].Name

Note: parent post was edited with this response.

0 Kudos
Andres_Solari
Participant
Thanks for the solution!!
0 Kudos
Ricardo_Sichera
Explorer

Apologies but I read the entire thread and can't seem to get any meaningful output from the mgmt_cli command.  Attached error shows Null for all entries.  I tried using the offset command to gather later results but the same experience.

0 Kudos
PhoneBoy
Admin
Admin

To troubleshoot, we'd probably need to see the output of:

mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[]

But a possible guess is that "Name" is not the same as "name" in some versions, thus try:

mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].name

Even though there are formal APIs for this as of R80.40 JHF 78, these commands do still work in R81.10 🙂

0 Kudos
Ricardo_Sichera
Explorer

@PhoneBoy  Indeed using the .name in lowercase did the trick.  My aim is to actually grab an output with VPN usernames and their corresponding authentication method.  Currently using R80.30.

The output of top command with .objects[] looked like this.

"uid": "0410b75f-1e56-4238-9749-d3fde756287d",
"name": "john",
"type": "CpmiUser",
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"

Thank you.

0 Kudos
PhoneBoy
Admin
Admin

Ok, so that's a little more complicated.
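Here's how I did that using the generic-object API:

# Log in once and save the session so every call below can reuse it
mgmt_cli -r true login > sid.txt
# List the UID of every user, then query each object for its name and authentication method
mgmt_cli -s sid.txt --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq -r '.objects[].uid' | while read -r X ; do
    mgmt_cli -s sid.txt --format json show generic-object uid "$X" | jq -r '[.cpmiName, .authMethod]|@csv'
done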

Just to explain what's happening here:

  • Creating a session token that we'll re-use
  • Get the UID of the different users
  • Query each generic-object by UID to get the user details
  • Pipe to jq to output the name and authentication method in a CSV format

With the official APIs, which I believe are also in R80.30 with the appropriate JHF level, this can be done in a single call:

mgmt_cli -s sid.txt --format json show users details-level full | jq -r '.objects[] | [.name, ."authentication-method"]|@csv'

Again, if you have more than a handful of users, you may need to use limit/offset parameters to get all the users.

0 Kudos
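The limit/offset paging mentioned above and in the earlier replies, as an added example that is not part of the original posts: it repeats the `show generic-objects` call until a short page ends the list, and accepts either `name` or `Name` as the key. The function names and the `fake_pages` stand-in are assumptions, and the `total` field is only consulted when the response carries it.

```python
import json
import subprocess

CLASS_NAME = "com.checkpoint.objects.classes.dummy.CpmiUser"


def run_mgmt_cli(limit, offset):
    """Fetch one page with the command from the thread and return the parsed JSON."""
    cmd = ["mgmt_cli", "-r", "true", "--format", "json", "show", "generic-objects",
           "class-name", CLASS_NAME, "limit", str(limit), "offset", str(offset)]
    done = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return json.loads(done.stdout)


def all_user_names(fetch_page=run_mgmt_cli, limit=500):
    """Walk limit/offset pages until a short page (or the reported total) ends the list."""
    names, offset = [], 0
    while True:
        page = fetch_page(limit, offset)
        objects = page.get("objects", [])
        for obj in objects:
            # The thread saw both "name" and "Name"; a miss is what jq printed as null.
            name = obj.get("name") or obj.get("Name")
            if name is None:
                raise KeyError("no name/Name key in object %s" % obj.get("uid"))
            names.append(name)
        offset += len(objects)
        total = page.get("total")  # used only when the response carries it
        if len(objects) < limit or (total is not None and offset >= total):
            return names


def fake_pages(count, key="name"):
    """Constructed stand-in for a management server holding `count` users."""
    users = [{"uid": "uid-%d" % i, key: "user%d" % i} for i in range(count)]
    calls = []

    def fetch(limit, offset):
        calls.append((limit, offset))
        return {"objects": users[offset:offset + limit]}
    return fetch, calls


if __name__ == "__main__":
    fetch, calls = fake_pages(760)  # the 760-user case raised in the thread
    print(len(all_user_names(fetch)), calls)
```

Calling `all_user_names()` with no arguments runs the real `mgmt_cli`, so it has to be executed where that command is available.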
Garrett_DirSec
Advisor

Hello @PhoneBoy -  we've been fielding various questions about remote VPN usage metrics and I've been referencing this checkmates thread.

I suggest CP R&D for SmartEvent reporting should take a cue on current global COVID status and provide quick JFA jumbo fix to SmartEvent to add the obvious VPN usage metrics discussed (in thread) in simple point/click report that can be scheduled and sent out via email.

My 0.02  -GA

PhoneBoy
Admin
Admin
badz
Explorer

For R80.30 CP. How to export VPN users indicating their corresponding groups or extracting the groups listing their members

Scott_Perry1
Participant

Thank you all for providing updated methods to obtain the necessary information.  Is there a way to relatively easily show the following:

1. List of concurrent connections

2. Time of the week which has more usage

3. Average concurrent users

4. Peak concurrent users

5. User average

6. Bandwidth usage

 

With the COVID-19 virus forcing companies to allow/accept more working from home, the information will become critical to me from a planning perspective.

 

Thank you,

 

Scott

PhoneBoy
Admin
Admin

I believe the only way to get most of this information is SmartView Monitor.

  • Open SmartConsole > Logs & Monitor.
  • Open the catalog (new tab).
  • Click Tunnel & User Monitoring.

Refer to the Logging and Reporting guide for your specific version.
Note this may require the Monitoring blade to be enabled on your gateway, which might have a performance impact.

0 Kudos
Garrett_DirSec
Advisor

Great question posed by @Scott_Perry1 monitoring remote access VPN usage metrics. 

here's link to latest/greatest R80.40 Logging and Monitoring Admin Guide

check the "note" on page // views and reports / Reports

Note - For Security Gateways R77.30 and lower, the ability to generate reports on Firewall and VPN activity is integrated into SmartConsole. To enable this functionality, activate the Firewall session event on the SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session.

The R77.30 reference does remind me of pain experienced by numerous customers when they upgraded SmartEvent/SmartReporter to the new NGSE (and subsequently R80.xx SmartEvent).     Incorporating R77.30 SmartReporter features directly into R80.xx SmartEvent (with one database back-end) was good decision but customers did lose functionality (the big taboo).

R77.30 SmartReport included a great per-user report template for remote VPN usage.    This report -- and the associated access or similar relevant data -- disappeared with NGSE and the incorporated reporting in R80.xx SmartEvent. 

One customer in particular spent lots of cycles talking with R&D.  The idea was to understand the R77.30 report and try to replicate in R80.xx SmartEvent.     There was not a comprehensive "YES" to everything -- AND -- the various data points were available in various different places and metrics (if I recall correctly).  

I don't feel the customer's issues were ever resolved to satisfaction but I do understand some improvements were made with subsequent releases.  

However, I would repeat this "should be easier".  

Please bring back the R77.30 SmartReport template for remote access VPN usage. 

 

 

reference:

1. List of concurrent connections

2. Time of the week which has more usage

3. Average concurrent users

4. Peak concurrent users

5. User average

6. Bandwidth usage

Jeff_Post
Participant

I agree, the information available is incomplete and difficult to access.  So much so that I am starting to look at other solutions simply because I cannot get metrics.  The information that seems to be available is poor.  While I can get a list of login events, I have yet to see where I could get a list of concurrent VPN users over time.  The issue, in my opinion, seems to be that user VPN is an add-on feature to provide convenience for customers.  The raw logs are available for you to do what you want with.  Actual reports on VPN usage and statistics are lacking.

 

Jeff

0 Kudos
Garrett_DirSec
Advisor

@Jeff_Post.  I sympathize.  I get distinct feeling that CP really hasn't touched their core VPN functionality for years and effectively missed the mark with R80.xx SmartEvent VPN usage reporting.   All the data points that were readily available in consolidated report with R77.xx SmartReport were not ported to new R80.xx SmartEvent reporting (sadly).

I will be creating a new Checkmates topic on this, but here's what I would recommend for current SASE alternatives (complete with Zero-Trust-Network-Access options).   In addition, all following have good -- and mature -- multi-factor options that are well documented and mutually supported. 

Netskope Private Access

Palo Alto Networks Prisma Access

Perimeter 81

side note:  for whatever reason, the go-to-market Cloudguard Connect product doesn't include remote VPN option that I'm aware (ie.  cloud-hosted VPN to cloud infrastructure).  This is a huge head scratcher.    Maybe CP doesn't want to cannibalize their existing MOB customer investments?  Maybe the existing CP Cloudguard Connect global footprint is not ready for prime time (ie.  points of presence across the globe)?    we'll likely never know.

0 Kudos
PhoneBoy
Admin
Admin

Believe we have started (or will soon) an EA program for CloudGuard Connect for Users.
@Tomer_Sole

Tomer_Sole
Mentor
Mentor

It is in the works. 

Garrett_DirSec
Advisor

thanks @PhoneBoy and @Tomer_Sole .   this can't happen soon enough.  

Please ensure this SASE solution includes EASY integration with 3rd party cloud-based multi-factor options -- like M$ Azure NPS.    The current Azure MFA integration for remote-access is not for the faint of heart.   I have talked to customers who attempted to follow the current documentation (provided by support and/or checkmates topics) and my contact got the distinct impression that the author had not actually tested their solution.

reference:

https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

0 Kudos
Paul_Warnagiris
Advisor

I need this SmartEvent output in any format other than GUI.  XML/FlatFile/CSV, anything that I can use to inject the data into a customers' website in an automated fashion.  Why do we need this?  Because the customer needs this data for internal reasons that are beyond this thread.  Particularly I need to know username and time of connect or duration of connection.  Is there truly no way to do this other than to look at a GUI?  Any guidance would be greatly appreciated.

0 Kudos
Garrett_DirSec
Advisor

hello @Paul_Warnagiris .   this is a wonderful use-case.     My apologies for ignorance, are you saying the various CLI recommendations provided in thread don't address your needs?  

In my dream of dreams, the SmartEvent reports are generated via well documented API queries.  Thus, the API is the most mature and documented environment available and everyone is tripping over each other to out-do each other on results. 

 

0 Kudos
Paul_Warnagiris
Advisor

This is correct.  It does not address my problem.  I am capable of running Phoneboy's command and grabbing defined users, but not active users.  And it doesn't show time connected.  Most of the links are for historical reporting, even recently in the last 24 hours, but we are looking for something that is more real time.

This command below seems to have the most promise, but it doesn't show me duration of connection.

fw tab -t userc_rules -f

I get the user connected in the last 15 minutes, but I can't see the connected time.

What I'm trying to do specifically is to get a username and how long connected or when the user connected.  And it needs to be something that is scripted.  These are two of the data points shown in SmartViewMonitor>Users>All Users.

Unless I'm missing something I don't see it.

Thanks,
Paul

 

0 Kudos
Buhler
Explorer

Yes, I'm exactly at the same point as you @Paul_Warnagiris . But different use case.
I'm in the need of getting information, about for example:

- How many users connected in the last 24hours / 8 hours? Which ones?

- How long each user stayed connected before disconnect?

- What resources were accessed by each user?

I was thinking we could get this information via REST API, but sadly we can't.

I'm now thinking to configure log exporter to send data to my Splunk instance. However, I'm not sure that the information I need will be there also.

0 Kudos
Paul_Warnagiris
Advisor

@Buhler I thought this may be of some help if you didn't come across it already.  It was passed to me this morning and is coming in handy.  I think you can get the number of connected users in 24 or 8 hours easily from SmartEvent, but how long they connected may be more of a challenge. 

There is a utility on the gateway that may provide some of what you are asking for.  Keep in mind this utility is disabled by default and requires a cpstop/cpstart to enable the utility.

Look for RAsession_util in the R80.10 Mobile Access Guide. https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_MobileAccess_AdminGuide/html...

Keep in mind when searching for RAsession_util in the link above, capitalization matters.

Also SK104644 has this documented on its use and ability to expand the feature and customize it.

PhoneBoy
Admin
Admin
0 Kudos
Buhler
Explorer

Thanks @PhoneBoy 
Either way I think I'll keep the integration with the SIEM, and get the logs from cp log exporter, and create a nice dashboard with all the info I need on the SIEM. Thanks.

0 Kudos
Paul_Warnagiris
Advisor

Dameon, quick question since you replied.  I'm familiar with this command fw tab -t userc_rules -f which will show the username of each "connected" remote access user in the past 15 minutes.   I'm also familiar with this command fw tab -t userc_users -s which shows you the number of users presently connected and the high water mark.  So I was monkeying around and I used the -f switch on the userc_users and it gives me the exact data that I need.  The username and the connect time in epoch time.  Doing some math and scripting I can now tell the username and how long they are connected in a format that I can scrape and send to a webserver to be processed. EXACTLY WHAT I NEED.

However, the only problem is fw tab -t userc_users -f doesn't show me the complete output of all users.  Presently to this GW there are 77 users connected, but the output of fw tab -t userc_users -f only displays 17 users.  Is there another switch or a way to issue this command in order to see all presently connected users in the output format that fw tab -t userc_users -f gives me?

I can't tell you how helpful this would be.

Thanks,
Paul

0 Kudos
