This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
xoy74
Participant
‎2022-03-15 09:31 AM

Search for a user's last login date/time

Hello,

We have a Checkpoint 5100 Firewall cluster on premise. We have a few hundred users connecting through Endpoint Security to work from home. Many of those have left though and I want to put in place a procedure to clean them up. So I basically want to delete anyone who hasn't logged in in the last 60 days or so.

Right now the only way I know to do that is to take each account and manually search in the Logs section of the Smart Console for their username and something like Action:"Log In", with a set interval of the last 2 months, which will give me their last few logins.

Is there a way to run the same log search query from SSH, in expert mode ? If I could do that, I can get a list of users as a text file and write a simple script to run through the whole list.

Thanks for any pointers and Best Regards.

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-03-15 06:03 PM

What authentication method is used for these users out of interest - Active Directory, Radius or other?

CCSM R77/R80/ELITE
0 Kudos
xoy74
Participant
‎2022-03-15 08:02 PM
In response to Chris_Atkinson

They use PKCS #12 certificates.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-15 07:38 PM

Use the 'fw log' command and grep through the output: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
See also CPLogFilePrint: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

0 Kudos
xoy74
Participant
‎2022-03-15 08:27 PM
In response to PhoneBoy

Thanks very much for the reply. Unfortunately I had no luck trying to figure out the syntax of a query similar to what I am using in the Smart Console. In the smart console I am simply selecting a date range and entering something like "action:"Log In" username".

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-15 09:02 PM
In response to xoy74

You have two issues here:

  • You will need to pipe the output through the "grep" command to pull out the relevant log entries. This is standard Unix command line foo.
  • fw log and CPLogFilePrint only work on the current log file. You will have to run this on multiple log files in succession to get the last 60 days.

If you're using R81 and above, you can use the show logs API, which can also be called via the CLI.
This supports queries similar to SmartConsole.
See: https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-logs~v1.8%20 

0 Kudos
SSlater
Employee
Employee
‎2022-03-15 10:40 PM

I've been seeing more customers using API for actions like this recently, If PhoneBoy's Logprint commands dont work out, you might be able to leverage this from another device, through API.

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_LoggingAndMonitoring_AdminGuide/To...

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-16 07:07 AM
In response to SSlater

I mentioned that exact API above 🙂

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events