Tomas_Vobruba
Employee
Employee

SmartView VPN Client enhanced view

Hi all,

 

I got a lot of questions from my customers about how to get some data about usage of Remote Access VPN.

In these times, with the Corona issue, many customers have allowed home office, and they would like to know who is really using Remote VPN, how, and whether they are using it at all.

Since almost all of them are already using R80.10+ capabilities, it is quite easy to create such a view.

In R80.30 and up there is a default Remote VPN view.

I have changed it to the following look:

Tomas_Vobruba_0-1584651578068.png

 

 

As you can see, you will have:

- total time spent on VPN
- total bytes transferred
- number of logs
- blade used
- client used for connection (workspace, endpoint, snx, etc.)
- login fails and realauth schemes

For it to work correctly, you have to enable a specific policy in SME:

 

Tomas_Vobruba_2-1584650373058.png

 

Tomas_Vobruba_3-1584650380696.png

 

Do not forget to install policy.

Also, for enhanced visibility you probably need to change the logging of the remote access rules to the following:

 
 
 
 

Tomas_Vobruba_1-1584651043667.png

 

If you would like to see only Office Mode addresses and how only they are used, add the following filter in the highlighted widget from the first picture. (Change src network to your Office Mode network definition.)

 

Tomas_Vobruba_2-1584651059369.png

 

I'm looking forward to the next enhancements. The report is attached to this article in a zip file.

 

Cheers Tomas

 


30 Replies
MikeB
Advisor
This is very useful! Thanks a lot!
0 Kudos
PhoneBoy
Admin
Admin
Seriously, well done and thanks for putting this together!
Peter_Elmer
Employee
Employee
Great Posting!!
0 Kudos
Saagarg007
Contributor

Is there any way of getting the total number of VPN users who are currently connected in this view? It's just showing logs at the moment.

Pedro_Espindola
Advisor

Very nice! Thank you!

The only issue for me is the duration column. It doesn't make much sense getting the sum of session duration field.

In the last 24 hours I get users that have a 484h duration. This happens because all my traffic is routed through the firewall.

For people with split tunnel, the duration might be low and they might think this is the connection duration, which is not true.

 

0 Kudos
Tomas_Vobruba
Employee
Employee
Well, as I wrote, you can limit the report with an easy custom common filter where you include only Office Mode addresses.

For my purpose customer wanted to know every kind of traffic.
And yes, in this case, total time could be high.
0 Kudos
Paul_Warnagiris
Advisor

Good work.  But I have to be honest.  My clients want to know two things.  How many people are connected right now (and they want updates that range from every 10 minutes to every hour) and they also want to know how long each user is connected.  So number of logs and number of sessions, how much data, which blade, etc., are great because that's what you can easily pull in SE, but that's not what the people wanted in this crisis (at least the vast majority of the ones I've dealt with).  They are more concerned with number of users currently on a specific GW and if they need to bounce some and have them connect to another and how long have they been connected.

I recommended things like cut down the connect time and have them re-authenticate to looking at total number of OM IPs used and in this time of crisis they have very specific wants and needs.  Some of them are rational IMHO and some are not, but those were the two things everyone wanted.  Literally everyone. And it seems to me that that ask was not out of the question. It was not possible to get easily from Check Point.  I finally figured it out, but it took some time and was not point and click.

I had one customer that has a watch command running, and every 10 minutes he updates a spreadsheet from 9 different gateways (every 10 minutes).  Not too scalable.  As with all crises we will learn lessons and grow stronger.  I hope Check Point takes a good hard look at their C2S/RA reporting capabilities.  Even with API scripting this was not possible as we all know.

Peter_Elmer
Employee
Employee
Pawel_Szetela
Contributor

Hi,

Good point. That's my case too. We have many users with Mobile Access, Mobile Access with SNX and VPN/Endpoint. There is no way to report how many unique users are connected using SmartView/Report in a timeline. It would be useful to tell if these numbers are growing, if we need more licenses, etc.

Regards,

Paweł

0 Kudos
Tomas_Vobruba
Employee
Employee

Hi,

 

There is a way.

One way is this one-liner, already published.

https://community.checkpoint.com/t5/Remote-Access-Solutions/One-liner-for-Remote-Access-VPN-Statisti...

Edit note: the source code of the one-liner was removed. Instead of that, there is a link to the article where the up-to-date version is published.

 

 

Pawel_Szetela
Contributor

Hi,

Thanks for info.

I've found that one-liner, too. But you still cannot use it in reports or views.

For me SmartView/Reports is a big tool missing some core info, i.e. the number of users in a historical view.

The best way would be something like this (view from SmartDashboard -> Mobile Access tab):

Users.JPG

 

Regards,

Paweł

mythryll
Participant

If you just want the user count like in our case - I am on the client side btw, not a partner - you can either use Daniel Pearl's one-liner mentioned below - in our case we just used the command "fw tab -t userc_users -s", this is the response one gets, I am hoping that amounts to the same thing:

 

http://www.mythryll.com/?p=1004 where we used the output from that command to create the graphs we needed (one of the two points you mentioned). Just let me clarify, we were not supposed to get the list of users (names) and duration of connection, as we were limited by GDPR; it was suggested to the upper management and rejected for those reasons specifically. Their only worry was indeed the VPN user count, which to my understanding has nothing to do with the capacity of the infrastructure to service the users. The response we got was that it depends on VPN throughput, something also unavailable as a direct counter on our platform. We did know however that the platform limit was way beyond the VPN traffic we were servicing. It was just about delivering the graph.

Maybe there was a better way to do this, but we didn't find any after 3 days consulting and searching and over the weekend. Feel free to use this approach or any other or disregard it entirely. I am not rooting for it over anything else, just sharing it.

0 Kudos
Eitan_H
Explorer

Hi,

Is there any related update? I would like to have this one ASAP.

0 Kudos
kadar
Participant

Great post!

 

My issue is that in the Traffic column of the report we only see 0bytes of traffic.

Any ideas why this might be happening? Unfortunately we see this for any kind of report.

 

 

0 Kudos
kadar
Participant

Got it!

It seems that we haven't enabled accounting on our rules. So I guess this is the problem...

0 Kudos
Peter_Elmer
Employee
Employee
Maxat_Akbergeno
Explorer


Colleagues, hello!
Thank you for the great template!
I had the following task:
Get a report on user remote work
Blade: Mobile Access
1. User login;
2. Connection / disconnection time;
3. Duration of work;
4. The volume of traffic during the user's work;
5. Which internal servers had the most access;
6. Schedule of user activity by day (can be as general or for each user).
Please tell me whether it is possible to make such a template?
Thanks.

0 Kudos
PhoneBoy
Admin
Admin
The problem is that we don't always know when a user disconnected.
This is because the client doesn't always tell us when it disconnects (e.g. because of Internet or other issues).
Please also check Peter Elmer's report linked above to see if it gets you closer.
Also, make sure all relevant rules are logging by Session as shown in this post.
0 Kudos
priyankar
Explorer

What does the Action:Update event do in the VPN report?

0 Kudos
Tomas_Vobruba
Employee
Employee

Or the user simply closes the laptop and does not disconnect...

0 Kudos
henryck
Participant

Thanks for this.

Has anyone found a way to run the one liner that produces real time MAB connections?

I am not able to create cron job to run it unfortunately..

echo; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; else echo ' REMOTE ACCESS VPN STATS'; printf '%.s-' {1..68}; echo; function f { fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; }; tput bold; echo -n " Assigned OfficeMode IPs : "; f "om_assigned_ips"; tput bold; echo -n " Endpoint Connect Users  : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | tail -n1 | rev | awk '{print $1}' | rev | tr -s 'Mode:' '0'`; tput bold; echo -n " MAB Portal Users        : "; f "cvpn_session"; tput bold; echo -n " L2TP Users              : "; f "L2TP_tunnels"; tput bold; echo -n " SNX Users               : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..68}; tput bold; echo; l=`cplic print -p 2>/dev/null | tr ' ' '\n'`; echo -n ' SecuRemote Users        : '; if [[ "$l" == *'srunlimited'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Endpoint Connect Users  : '; if [[ "$l" == *'spcunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:5.0:spc | cut -c 12- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Mobile Access Users     : '; if [[ "$l" == *'cvpnunlimited'* ]]; then echo Unlimited; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' SNX Users               : '; if [[ "$l" == *'nxunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; tput sgr0; unset l; fi; echo

0 Kudos
Danny
Champion Champion
Champion

The latest version of that one-liner is maintained here.

To run it in a script or as a cron job you'll need to source the Check Point environment as described in the documentation.

0 Kudos
henryck
Participant
Thanks Danny - appreciate the guidance. I created the shell script on my gateway but setting up the cron job would not work, I could not see any issue with the syntax.

add cron job mab command "/tmp/remoteconnections.sh" recurrence daily 11:00

Any guidance on setting this up?
0 Kudos
PhoneBoy
Admin
Admin
Putting anything in /tmp is a bad idea since it will get deleted on reboot most likely.
I'd put the script in /home/admin or similar, for starters.
henryck
Participant
Fixed now. For those interested in my steps;
removed spaces from the .sh aside from last line
moved to admin (thanks PhoneBoy) and added execute;
validated with runuser -l admin /home/admin/remoteconnections.sh
0 Kudos
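
An added example, not part of any post in this thread: a cron-friendly wrapper that appends the current and peak counts from the `fw tab -t <table> -s` summaries used above to a CSV for graphing, storing counts only and no user names. The field positions follow the one-liner quoted in the thread; `CP_ENV_FILE`, `OUT_CSV`, the function names and the sample summary lines are assumptions.

```shell
#!/bin/bash
# Added example (not from the thread): append Remote Access counts to a CSV.
# Only counts are stored, never user names. $4 = current and $5 = peak, as in
# the one-liner quoted in this thread.

CP_ENV_FILE="${CP_ENV_FILE:-}"   # placeholder: environment file named in the vendor documentation
OUT_CSV="${OUT_CSV:-/home/admin/ra_vpn_counts.csv}"   # hypothetical output path
TABLES="om_assigned_ips userc_users cvpn_session L2TP_tunnels sslt_om_ip_params"

# Read an `fw tab -t <table> -s` summary on stdin, print "current,peak".
# Prints "NA,NA" if the last line has no numeric counters (error text, no output).
parse_tab_summary() {
    tail -n1 | awk '
        $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ { print $4 "," $5; ok = 1 }
        END { if (!ok) print "NA,NA" }'
}

# $1 = timestamp, $2 = table name, stdin = summary text -> one CSV row.
csv_row() {
    printf '%s,%s,%s\n' "$1" "$2" "$(parse_tab_summary)"
}

# Query every table once with a shared timestamp (needs `fw` on the PATH).
collect() (
    ts=$(date '+%Y-%m-%dT%H:%M:%S')
    for t in $TABLES; do
        fw tab -t "$t" -s 2>/dev/null | csv_row "$ts" "$t"
    done
)

# Constructed sample of the summary layout, for trying the parser off-box.
SAMPLE='HOST        NAME          ID #VALS #PEAK #SLINKS
localhost   userc_users   75    42    57       0'

if [ "${1:-}" = "--collect" ]; then
    # cron starts with a minimal environment, so load the Check Point one first
    if [ -n "$CP_ENV_FILE" ]; then . "$CP_ENV_FILE"; fi
    collect >> "$OUT_CSV"
else
    printf '%s\n' "$SAMPLE" | csv_row "sample" "userc_users"   # sample,userc_users,42,57
fi
```

Run it with `--collect` from the scheduled job; without arguments it only parses the embedded sample.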
kadar2
Contributor

Hello all,

 

I have a question regarding the reports.

We do get information about the blades: firewall and Mobile Access, but any time we want a report about the VPN blade it returns "No data found".

Can anyone shed some light on this?

 

Thank you in advance,

0 Kudos
Eduardo_Pereira
Employee Alumnus
Employee Alumnus

Nice one! Imported this template on R81 and it worked perfectly!

Thank you.

0 Kudos
priyankar
Explorer

What does the "Action: Update" event do in the VPN report?

0 Kudos
