- Products
- Learn
- Local User Groups
- Partners
- More
Access Control and Threat Prevention Best Practices
5 November @ 5pm CET / 11am ET
Ask Check Point Threat Intelligence Anything!
October 28th, 9am ET / 3pm CET
Check Point Named Leader
2025 Gartner® Magic Quadrant™ for Hybrid Mesh Firewall
HTTPS Inspection
Help us to understand your needs better
CheckMates Go:
Spark Management Portal and More!
Hello,
Is there a way to export a list of Remote VPN users in the local MGMT database which includes last login time etc. ?
Something similar to fwm dbexport.
You can get a list of the users easily enough using the following command:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].name
Note: there is no official API support for locally defined users, so "generic objects" have to be used here.
If you have more than 500 users, you will have to execute variants of this command multiple times.
For example, to get the next 500 users:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 500 | jq .objects[].name
Last login time is not something we store in the user database (generic objects or not), so you'll have to get it from the logs. Couple threads on this:
For those following along at home, here's what the command outputs:
[Expert@sbt-check-point-gw-r8040:0]# fw tab -t userc_users -f -u
  Using cptfmt
Formatting table's data - this might take a while...
localhost:
Date: Mar 19, 2020
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; : (+)====================================(+); Table_Name: userc_users; : (+); Attributes: dynamic, id 144, attributes: keep, sync, kbuf 1, local sync, expires 900, , hashsize 16384, limit 10000; LastUpdateTime: 19Mar2020 3:30:34; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
3:30:34 5 N/A N/A 192.168.101.253 > N/A LogId: <max_null>; ContextNum: <max_null>; OriginSicName: <max_null>; SRAddress: 172.16.10.1; Schema: SSL(8); UserName: Bob; UserDN: CN=Bob,CN=Users,DC=ir,DC=local; MyRange:First: ; Last: 255.255.255.255; PeerRange:First: 172.16.10.1; PeerLast: 172.16.10.1; ConnectTime: 1584581121; RouteTraffic: 0; Expires: 900/900; LastUpdateTime: 19Mar2020 3:30:34; ProductName: VPN-1 & FireWall-1; ProductFamily: Network;
The ConnectTime is when the users connected, but it's listed as seconds since the Epoch (Jan 1 1970 @ 00:00:00 GMT).
There are ways to convert this to a usable date/time, I'm sure.
You can get a list of the users easily enough using the following command:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].name
Note: there is no official API support for locally defined users, so "generic objects" have to be used here.
If you have more than 500 users, you will have to execute variants of this command multiple times.
For example, to get the next 500 users:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 500 | jq .objects[].name
Last login time is not something we store in the user database (generic objects or not), so you'll have to get it from the logs. Couple threads on this:
You have to ask for the next 500 results like so:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser limit 500 offset 500 | jq .objects[].Name
Note: parent post was edited with this response.
To troubleshoot, we'd probably need to see the output of:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[]
But a possible guess is that "Name" is not the same as "name" in some versions, thus try:
mgmt_cli -r true --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].name
Even though there are formal APIs for this as of R80.40 JHF 78, these commands do still work ing R81.10 🙂
@PhoneBoy Indeed using the .name in lowercase did the trick. My aim is to actually grab an output with VPN usernames and their corresponding authentication method. Currently using R80.30.
The output of top command with .objects[] looked like this.
"uid": "0410b75f-1e56-4238-9749-d3fde756287d",
"name": "john",
"type": "CpmiUser",
"domain": {
"uid": "41e821a0-3720-11e3-aa6e-0800200c9fde",
"name": "SMC User",
"domain-type": "domain"
Thank you.
Ok, so that's a little more complicated.
Here how I did that using generic-object API:
mgmt_cli -r true > sid.txt
mgmt_cli -s sid.txt --format json show generic-objects class-name com.checkpoint.objects.classes.dummy.CpmiUser | jq .objects[].uid | while read X ; do
    mgmt_cli -s sid.txt --format json show generic-object uid $X | jq -r '[.cpmiName, .authMethod]|@csv'
done
Just to explain what's happening here:
With the official APIs, which I believe are also in R80.30 with the appropriate JHF level, this can be done in a single call:
mgmt_cli -s sid.txt --format json show users details-level full | jq -r '.objects[] | [.name, ."authentication-method"]|@csv'
Again, if you have more than a handful of users, you may need to use limit/offset parameters to get all the users.
Hello @PhoneBoy - we've been fielding various questions about remote VPN usage metrics and I've been referencing this checkmates thread.
I suggest CP R&D for SmartEvent reporting should take a queue on current global COVID status and provide quick JFA jumbo fix to SmartEvent to add the obvious VPN usage metrics discussed (in thread) in simple point/click report that can be scheduled and sent out via email.
My 0.02 -GA
For R80.30 CP. How to export VPN users indicating their corresponding groups or extracting the groups listing their members
Thank you all for providing updates methods to obtain the necessary information. Is there a way to relatively easily show the following:
1. List of concurrent connections
2. Time of the week which has more usage
3. Average concurrent users
4. Peak concurrent users
5. User average
6. Bandwidth usage
With the COVID-19 virus forcing companies to allow/accept more working from home, the information will become critical to me from a planning perspective.
Thank you,
Scott
I believe the only way to get most of this information is SmartView Monitor.
Refer to the Logging and Reporting guide for your specific version.
Note this may require the Monitoring blade to be enabled on your gateway, which might have a performance impact.
Great question posed by @Scott_Perry1 monitoring remote access VPN usage metrics.
here's link to latest/greatest R80.40 Logging and Monitoring Admin Guide
check the "note" on page // views and reports / Reports
Note - For Security Gateways R77.30 and lower, the ability to generate reports on Firewall and VPN activity is integrated into SmartConsole. To enable this functionality, activate the Firewall session event on the SmartEvent Policy tab. Select and enable Consolidated Sessions > Firewall Session.
The R77.30 reference does remind me of pain experienced by numerous customers when they upgraded SmartEvent/SmartReporter to the new NGSE (and subsequently R80.xx SmartEvent). Incorporating R77.30 SmartReporter features directly into R80.xx SmartEvent (with one database back-end) was good decision but customers did lose functionality (the big taboo).
R77.30 SmartReport included a great per-user report template for remote VPN usage. This report -- and the associated access or similar relevant data -- disappeared with NGSE and the incorporated reporting in R80.xx SmartEvent.
One customer in particular spent lots of cycles talking with R&D. The idea was to understand the R77.30 report and try to replicate in R80.xx SmartEvent. There was not a comprehensive "YES" to everything -- AND -- the various data points were available in various different places and metrics (if I recall correctly).
I don't feel the customer's issues were ever resolved to satisfaction but I do understand some improvements were made with subsequent releases.
However, I would repeat this "should be easier".
Please bring back the R77.30 SmartReport template for remote access VPN usage.
reference:
1. List of concurrent connections
2. Time of the week which has more usage
3. Average concurrent users
4. Peak concurrent users
5. User average
6. Bandwidth usage
I agree, the information available is incomplete and difficult to access. So much so that I am starting to look at other solutions simply because I can not get metrics. The information that seems to be available is poor. While I can get a list of login in events, I have yet to see where I could get a list of concurrent vpn users over time. The issue, in my opinion, seems to be that user VPN is an add on feature to provide convenience for customers. The raw logs are available for you to do what you want with. Actual reports on VPN usage and statistics is lacking.
Jeff
@Jeff_Post. I sympathize. I get distinct feeling that CP really hasn't touched their core VPN functionality for years and effectively missed the mark with R80.xx SmartEvent VPN usage reporting. All the data points that were readily available in consolidated report with R77.xx SmartReport were not ported to new R80.xx SmartEvent reporting (sadly).
I will be creating a new Checkmates topic on this, but here's what I would recommend for current SASE alternatives (complete with Zero-Trust-Network-Access options). In addition, all following have good -- and mature -- multi-factor options that are well documented and mutually supported.
Netskope Private Access
Palo Alto Networks Prisma Access
Perimeter 81
side note: for whatever reason, the go-to-market Cloudguard Connect product doesn't include remote VPN option that I'm aware (ie. cloud-hosted VPN to cloud infrastructure). This is a huge head scratcher. Maybe CP doesn't want to cannibalize their existing MOB customer investments? Maybe the existing CP Cloudguard Connect global footprint is not ready for prime time (ie. points of presence across the globe)? we'll likely never know.
Believe we have started (or will soon) an EA program for CloudGuard Connect for Users.
@Tomer_Sole
It is in the works.
thanks @PhoneBoy and @Tomer_Sole . this can't happen soon enough.
Please insure this SASE solution includes EASY integration with 3rd party cloud-based multi-factor options -- like M$ Azure NPS. The current Azure MFA integration for remote-access is not for the feint of heart. I have talked to customers who attempted to follow the current documentation (provided by support and/or checkmates topics) and my contact got distinct impression that author that not actually tested their solution.
reference:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension
I need this SmartEvent output in any format other than GUI. XML/FlatFile/CSV, anything that I can use to inject the data into a customers' website in an automated fashion. Why do we need this? Because the customer needs this data for internal reasons that are beyond this thread. Particularly I need to know username and time of connect or duration of connection. Is there truly no way to do this other than to look at a GUI? Any guidance would be greatly appreciated.
hello @Paul_Warnagiris . this is a wonderful use-case. My apologies for ignorance, are you saying the various CLI recommendations provided in thread don't address your needs?
In my dream of dreams, the SmartEvent reports are generated via well documented API queries. Thus, the API is the most mature and documented environment available and everyone is tripping over each other to out-do each other on results.
This is correct. It does not address my problem. I am capable of running Phoneboy's command and grabbing defined users, but not active users. And it doesn't show time connected. Most of the links are for historical reporting, even recently in the last 24 hours, but we are looking for something that is more real time.
This command below seems to have the most promise, but it doesn't show me duration of connection.
fw tab -t userc_rules -f
I get the user connected in the last 15 minutes, but I can't see the connected time.
What I'm trying to do specifically is to get a username and how long connected or when the user connected. And it needs to be something that is scripted. These are two of the data points shown in SmartViewMonitor>Users>All Users.
Unless I'm missing something I don't see it.
Thanks,
Paul
Yes, I'm exactly at the same point as you @Paul_Warnagiris . But different use case.
I'm in the need of getting information, about for example:
- How many users connected in the last 24hours / 8 hours? Which ones?
- How long each user stayed connected before disconnect?
- What resources were accessed by each user?
I was thinking we could get this information via rest api, but sadly we cant.
I'm now thinking to configure log exporter to send data to my splunk instance. However, I'm not sure that the information i need will be there also.
@Buhler I thought this may be of some help if you didn't come across it already. It was passed to me this morning and is coming in handy. I think you can get the number of connected users in 24 or 8 hours easily from SmartEvent, but how long they connected may be more of a challenge.
There is a utility on the gateway that may provide some of what you are asking for. Keep in mind this utility is disabled by default and requires a cpstop/cpstart to enable the utility.
Look for RAsession_util in the R80.10 Mobile Access Guide. https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_MobileAccess_AdminGuide/html...
Keep in mind when searching for RAsession_util in the link above, capitalization matters.
Also SK104644 has this documented on its use and ability to expand the feature and customize it.
Thanks @PhoneBoy 
Either way I think I'll keep the integration with the SIEM, and get the logs from cp log exporter, and create a nice dashboard with all the info I need on the SIEM. Thanks.
Dameon, quick question since you replied. I'm familiar with this command fw tab -t userc_rules -f which will show the username of each "connected" remote access user in the past 15 minutes. I'm also familiar this this command fw tab -t userc_users -s which shows you the number of users presently connected and the high water mark. So I was monkeying around and I used the -f switch on the userc_users and it gives me the exact data that I need. The username and the connect time in epoch time. Doing some math and scripting I can now tell the username and how long they are connected in a format that I can scrape and send to a webserver to be processed. EXACTLY WHAT I NEED.
However, the only problem is fw tab -t userc_users -f doesn't show me the complete output of all users. Presently to this GW there are 77 users connected, but the output of fw tab -t userc_users-f only displays 17 users. Is there another switch or a way to issue this command in order to see all presently connected users in the output format that fw tab -t userc_users -f gives me?
I can't tell you how helpful this would be.
Thanks,
Paul
 
					
				
				
			
		
Leaderboard
Epsum factorial non deposit quid pro quo hic escorol.
| User | Count | 
|---|---|
| 21 | |
| 17 | |
| 7 | |
| 6 | |
| 4 | |
| 4 | |
| 3 | |
| 3 | |
| 2 | |
| 2 | 
Tue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionTue 28 Oct 2025 @ 11:00 AM (EDT)
Under the Hood: CloudGuard Network Security for Google Cloud Network Security Integration - OverviewTue 28 Oct 2025 @ 12:30 PM (EDT)
Check Point & AWS Virtual Immersion Day: Web App ProtectionThu 30 Oct 2025 @ 03:00 PM (CET)
Cloud Security Under Siege: Critical Insights from the 2025 Security Landscape - EMEAThu 30 Oct 2025 @ 11:00 AM (EDT)
Tips and Tricks 2025 #15: Become a Threat Exposure Management Power User!About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY