SmartView VPN Client enhanced view
Hi all,
I got a lot of questions from my customers about how to get some data about usage of Remote Access VPN.
In these times with the Corona issue many of the customers allowed home office and they would like to know who is really using Remote VPN, how, and if they are using it.
Since almost all of them are already using R80.10+ capabilities, it is quite easy to create such a view.
In R80.30 and up there is a default Remote VPN view.
I have changed it to the following look:
As you can see, you will have:
- total time spent on VPN
- transferred total bytes
- number of logs
- blade used
- client used for connection (workspace, endpoint, snx, etc.)
- login fails and realauth schemes
For it to work correctly you have to enable a specific policy in SME:
Do not forget to install policy.
Also, for enhanced visibility you probably need to change the logging of the remote access rules as follows:
If you would like to see only Office Mode addresses and how only they are used, add the following filter in the highlighted widget from the first picture. (Change src network to your officemode network definition.)
I'm looking forward to the next enhancements. The report is attached in a zip file to this article.
Cheers Tomas
Accepted Solutions
Good work. But I have to be honest. My clients want to know two things. How many people are connected right now (and they want updates that range from every 10 minutes to every hour) and they also want to know how long each user is connected. So number of logs and number of sessions, how much data, which blade, etc., are great because that's what you can easily pull in SE, but that's not what the people wanted in this crisis (at least the vast majority of the ones I've dealt with). They are more concerned with number of users currently on a specific GW and if they need to bounce some and have them connect to another and how long have they been connected.
I recommended things like cut down the connect time and have them re-authenticate to looking at total number of OM IPs used and in this time of crisis they have very specific wants and needs. Some of them are rational IMHO and some are not, but those were the two things everyone wanted. Literally everyone. And it seems to me that that ask was not out of the question. It was not possible to get easily from Check Point. I finally figured it out, but it took some time and was not point and click.
I had one customer that has a watch command running every 10 minutes and he updates a spreadsheet from 9 different gateways (every 10 minutes). Not too scalable. As with all crises we will learn lessons and grow stronger. I hope Check Point takes a good hard look at their C2S/RA reporting capabilities. Even with API scripting this was not possible as we all know.
Is there any way of getting the total no. of VPN users who are currently connected in this view? It's just showing logs at the moment.
Very nice! Thank you!
The only issue for me is the duration column. It doesn't make much sense getting the sum of session duration field.
In the last 24 hours I get users that have a 484h duration. This happens because all my traffic is routed through the firewall.
For people with split tunnel, the duration might be low and they might think this is the connection duration, which is not true.
For my purpose customer wanted to know every kind of traffic.
And yes, in this case, total time could be high.
Hi,
Good point. That's my case too. We have many users with Mobile Access, Mobile Access with SNX and VPN/Endpoint. There is no way to report how many unique users are connected using SmartView/Report in a timeline. It would be useful to tell if these numbers are growing, if we need more licenses etc.
Regards,
Paweł
Hi,
There is a way.
One way is this oneliner, already published.
Edit note: the source code of the oneliner was removed. Instead of that there is a link to the article where the up-to-date version is published.
Hi,
Thanks for info.
I've found that oneliner, too. But still you cannot use it in reports or views.
For me SmartView/Reports is a big tool missing some core info, i.e. the number of users in a historical view.
The best way would be something like this (view from SmartDashboard -> Mobile Access tab):
Regards,
Paweł
If you just want the user count like on our case - I am on the client side btw, not a partner - you can either use Daniel Pearl's one liner mentioned below - in our case we just used the command "fw tab -t userc_users -s", this is the response one gets, I am hoping that amounts to the same thing:
http://www.mythryll.com/?p=1004 where we used the output from that command to create the graphs we needed (one of the two points you mentioned). Just let me clarify, we were not supposed to get the list of users (names) and duration of connection, as we were limited by GDPR; it was suggested to the upper management and rejected for those reasons specifically. Their only worry was indeed the VPN user count, which to my understanding has nothing to do with the capacity of the infrastructure to service the users. The response we got was that it depends on VPN throughput, something also unavailable as a direct counter on our platform. We did know however that the platform limit was way beyond the VPN traffic we were servicing. It was just about delivering the graph.
Maybe there was a better way to do this, but we didn't find any after 3 days consulting and searching and over the weekend. Feel free to use this approach or any other or disregard it entirely. I am not rooting for it over anything else, just sharing it.
Hi,
Is there any related update? I would like to have this one ASAP.
Great post!
My issue is that in the Traffic column of the report we only see 0 bytes of traffic.
Any ideas why this might be happening? Unfortunately we see this for any kind of report.
Got it!
It seems that we haven't enabled accounting on our rules. So I guess this is the problem...
Colleagues, hello!
Thank you for the great template!
I had the following task:
Get a report on user remote work
Blade: Mobile Access
1. User login;
2. Connection / disconnection time;
3. Duration of work;
4. The volume of traffic during the user's work;
5. Which internal servers had the most access;
6. Schedule of user activity by day (can be as general or for each user).
Please tell me whether it is possible to make such a template?
Thanks.
This is because the client doesn't always tell us when it disconnects (e.g. because of Internet or other issues).
Please also check Peter Elmer's report linked above to see if it gets you closer.
Also, make sure all relevant rules are logging by Session as shown in this post.
Or the user simply closes the laptop and does not disconnect...
Thanks for this.
Has anyone found a way to run the one liner that produces real time MAB connections?
I am not able to create a cron job to run it unfortunately.
echo; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; else echo ' REMOTE ACCESS VPN STATS'; printf '%.s-' {1..68}; echo; function f { fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; }; tput bold; echo -n " Assigned OfficeMode IPs : "; f "om_assigned_ips"; tput bold; echo -n " Endpoint Connect Users : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | tail -n1 | rev | awk '{print $1}' | rev | tr -s 'Mode:' '0'`; tput bold; echo -n " MAB Portal Users : "; f "cvpn_session"; tput bold; echo -n " L2TP Users : "; f "L2TP_tunnels"; tput bold; echo -n " SNX Users : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..68}; tput bold; echo; l=`cplic print -p 2>/dev/null | tr ' ' '\n'`; echo -n ' SecuRemote Users : '; if [[ "$l" == *'srunlimited'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Endpoint Connect Users : '; if [[ "$l" == *'spcunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:5.0:spc | cut -c 12- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Mobile Access Users : '; if [[ "$l" == *'cvpnunlimited'* ]]; then echo Unlimited; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' SNX Users : '; if [[ "$l" == *'nxunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; tput sgr0; unset l; fi; echo
The latest version of that one-liner is maintained here.
To run it in a script or as a cron job you'll need to source the Check Point environment as described in the documentation.
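One way to do what this reply describes, as an added example that is not part of the original thread and not Check Point's own code: a cron-safe script that sources the Check Point environment and appends the current and peak counts from `fw tab -t <table> -s` to a CSV, counts only and no user names. The `/etc/profile.d/CP.sh` path, the CSV location and the function names are assumptions; the table names are the ones used in the one-liner above.

```bash
#!/bin/bash
# Added example: log Remote Access user counts per gateway to a CSV from cron.
# Assumptions: CP.sh path, CSV location and function names are illustrative.

CSV="${CSV:-/home/admin/ra_vpn_counts.csv}"   # hypothetical output file

# cron starts with a minimal environment; load the Check Point variables
# (CPDIR, FWDIR, PATH to fw) before calling any Check Point command.
if [ -r /etc/profile.d/CP.sh ]; then
    . /etc/profile.d/CP.sh
fi

# Read `fw tab -t <table> -s` output on stdin and print "<vals>,<peak>".
# The last line carries the counters: HOST NAME ID #VALS #PEAK #SLINKS.
# Prints nothing and returns 1 if the counters are not numeric
# (for example when the table does not exist on this gateway).
parse_fw_tab() {
    tail -n1 | awk '$4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ { print $4 "," $5; ok = 1 }
                    END { exit ok ? 0 : 1 }'
}

# Append one CSV row: timestamp,gateway,table,current,peak
record_sample() {   # $1 = table name, $2 = "vals,peak"
    printf '%s,%s,%s,%s\n' "$(date '+%Y-%m-%dT%H:%M:%S')" \
        "$(hostname 2>/dev/null || echo unknown)" "$1" "$2" >> "$CSV"
}

# Sample every Remote Access table the one-liner reads; skip unreadable ones.
collect() {
    for table in userc_users om_assigned_ips cvpn_session; do
        if counts=$(fw tab -t "$table" -s 2>/dev/null | parse_fw_tab); then
            record_sample "$table" "$counts"
        fi
    done
}

# Only collect on a machine where the fw command is available.
if command -v fw >/dev/null 2>&1; then
    collect
fi
```

Collecting the CSVs from several gateways gives the historical user-count graph asked for earlier in the thread without recording who was connected.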
add cron job mab command "/tmp/remoteconnections.sh" recurrence daily 11:00
Any guidance on setting this up?
I'd put the script in /home/admin or similar, for starters.
removed spaces from the .sh aside from last line
moved to admin (thanks PhoneBoy) and added execute;
validated with runuser -l admin /home/admin/remoteconnections.sh
Hello all,
I have a question regarding the reports.
We do get information about the blades: firewall and Mobile Access, but any time we want a report about the VPN blade it returns "No data found".
Can anyone shed some light on this?
Thank you in advance,
Nice one! Imported this template on R81 and it worked perfectly!
Thank you.
What does the "Action: Update" event do in the VPN report?
