Hi all,
I got a lot of questions from my customers about how to get some data about usage of Remote Access VPN.
In these times with the Corona issue many of the customers allowed home office and they would like to know who is really using, how and if they are using Remote VPN.
Since almost all of them are already using R80.10+ capabilities, it is quite easy to create such a view.
In R80.30 and up there is a default Remote VPN view.
I have changed it to the following look:
As you can see, you will have:
- total time spent on VPN
- transferred total bytes.
- number of logs
- blade used
- client used for connection (workspace, endpoint, snx, etc)
- login fails and realauth schemes
For it to work correctly you have to enable a specific policy in SME:
Do not forget to install policy.
Also, for enhanced visibility you probably need to change the logging on the remote access rules as follows:
If you would like to see only Office mode addresses and how only them are used, add the following filter in the highlighted widget from the first picture. (Change src network to your officemode network definition).
I'm looking forward to the next enhancements. The report is attached to this article as a zip file.
Cheers Tomas
Good work. But I have to be honest. My clients want to know two things. How many people are connected right now (and they want updates that range from every 10 minutes to every hour) and they also want to know how long each user is connected. So number of logs and number of sessions, how much data, which blade, etc., are great because that's what you can easily pull in SE, but that's not what the people wanted in this crisis (at least the vast majority of the ones I've dealt with). They are more concerned with number of users currently on a specific GW and if they need to bounce some and have them connect to another and how long have they been connected.
I recommended things like cut down the connect time and have them re-authenticate to looking at total number of OM IPs used and in this time of crisis they have very specific wants and needs. Some of them are rational IMHO and some are not, but those were the two things everyone wanted. Literally everyone. And it seems to me that that ask was not out of the question. It was not possible to get easily from Check Point. I finally figured it out, but it took some time and was not point and click.
I had one customer that has a watch command running every 10 minutes and he updates a spreadsheet from 9 different gateways (every 10 minutes). Not too scalable. As with all crises we will learn lessons and grow stronger. I hope Check Point takes a good hard look at their C2S/RA reporting capabilities. Even with API scripting this was not possible as we all know.
Is there any way of getting the total no. of VPN users who are connected currently in this view? It's just showing logs at the moment.
Very nice! Thank you!
The only issue for me is the duration column. It doesn't make much sense getting the sum of session duration field.
In the last 24 hours I get users that have a 484h duration. This happens because all my traffic is routed through the firewall.
For people with split tunnel, the duration might be low and they might think this is the connection duration, which is not true.
Hi,
Good point. That's my case too. We have many users with Mobile Access, Mobile Access with SNX and VPN/Endpoint. There is no way to report how many unique users are connected using SmartView/Report in timeline. It would be useful to tell if these numbers are growing, if we need more licenses etc.
Regards,
Paweł
Hi,
There is a way.
One way is this one-liner, already published.
Edit note: the source code of the one-liner was removed. Instead, there is a link to the article where the up-to-date version is published.
Hi,
Thanks for info.
I've found that one-liner, too. But you still cannot use it in reports or views.
For me SmartView/Reports is a big tool missing some core info, i.e. number of users in historical view.
The best way would be something like this (view from SmartDashboard -> Mobile Access tab):
Regards,
Paweł
If you just want the user count like on our case - I am on the client side btw, not a partner - you can either use Daniel Pearl's one liner mentioned below - in our case we just used the command "fw tab -t userc_users -s", this is the response one gets, I am hoping that amounts to the same thing:
http://www.mythryll.com/?p=1004 where we used the output from that command to create the graphs we needed (one of the two points you mentioned). Just let me clarify, we were not supposed to get the list of users (names) and duration of connection, as we were limited by GDPR; it was suggested to the upper management and rejected for those reasons specifically. Their only worry was indeed the VPN user count, which to my understanding has nothing to do with the capacity of the infrastructure to service the users. The response we got was that it depends on VPN throughput, something also unavailable as a direct counter on our platform. We did know however that the platform limit was way beyond the VPN traffic we were servicing. It was just about delivering the graph.
Maybe there was a better way to do this, but we didn't find any after 3 days consulting and searching and over the weekend. Feel free to use this approach or any other or disregard it entirely. I am not rooting for it over anything else, just sharing it.
Great post!
My issue is that in the Traffic column of the report we only see 0 bytes of traffic.
Any ideas why this might be happening? Unfortunately we see this for any kind of report.
Got it!
It seems that we haven't enabled accounting on our rules. So I guess this is the problem...
Colleagues, hello!
Thank you for the great template!
I had the following task:
Get a report on user remote work
Blade: Mobile Access
1. User login;
2. Connection / disconnection time;
3. Duration of work;
4. The volume of traffic during the user's work;
5. Which internal servers had the most access;
6. Schedule of user activity by day (can be as general or for each user).
Please tell me whether it is possible to make such a template?
Thanks.
Or the user simply closes the laptop and does not disconnect...
Thanks for this.
Has anyone found a way to run the one liner that produces real time MAB connections?
I am not able to create a cron job to run it, unfortunately.
echo; if [[ `$CPDIR/bin/cpprod_util FwIsFirewallModule 2>/dev/null` != *'1'* ]]; then echo ' Not a firewall gateway!'; else echo ' REMOTE ACCESS VPN STATS'; printf '%.s-' {1..68}; echo; function f { fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; }; tput bold; echo -n " Assigned OfficeMode IPs : "; f "om_assigned_ips"; tput bold; echo -n " Endpoint Connect Users : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | tail -n1 | rev | awk '{print $1}' | rev | tr -s 'Mode:' '0'`; tput bold; echo -n " MAB Portal Users : "; f "cvpn_session"; tput bold; echo -n " L2TP Users : "; f "L2TP_tunnels"; tput bold; echo -n " SNX Users : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..68}; tput bold; echo; l=`cplic print -p 2>/dev/null | tr ' ' '\n'`; echo -n ' SecuRemote Users : '; if [[ "$l" == *'srunlimited'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Endpoint Connect Users : '; if [[ "$l" == *'spcunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:5.0:spc | cut -c 12- | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' Mobile Access Users : '; if [[ "$l" == *'cvpnunlimited'* ]]; then echo Unlimited; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | awk '{ sum += $1 } END { print sum }'; fi; echo -n ' SNX Users : '; if [[ "$l" == *'nxunlimit'* ]]; then echo Unlimited; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | awk '{ sum += $1 } END { print sum }'; fi; tput sgr0; unset l; fi; echo
The latest version of that one-liner is maintained here.
To run it in a script or as a cron job you'll need to source the Check Point environment as described in the documentation.
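The advice above about sourcing the environment, and the earlier post that graphed the output of `fw tab -t userc_users -s`, combined into one cron-safe sampler that appends a timestamped count per run. This is an added example, not code from any poster in this thread or from Check Point; the `/etc/profile.d/CP.sh` path, the output file and the function names are assumptions.

```shell
#!/bin/sh
# Added example: cron-safe sampler of Remote Access VPN session counts.
# Stores counts only (no usernames), one CSV row per run.

CP_ENV="${CP_ENV:-/etc/profile.d/CP.sh}"         # assumed Gaia environment script
OUT_CSV="${OUT_CSV:-/var/log/ra_vpn_counts.csv}" # hypothetical output path
# Kernel tables queried by the one-liner quoted in the thread.
TABLES="om_assigned_ips userc_users cvpn_session L2TP_tunnels sslt_om_ip_params"

# Read `fw tab -t <table> -s` output on stdin and print "<current>,<peak>".
# Fields 4 and 5 of the last line are the values the one-liner prints.
# Prints "NA,NA" when that line is missing or not numeric (table absent).
parse_fw_tab_summary() {
    tail -n 1 | awk '
        $4 ~ /^[0-9]+$/ && $5 ~ /^[0-9]+$/ { print $4 "," $5; ok = 1 }
        END { if (!ok) print "NA,NA" }'
}

# Query one table on the gateway.
fw_summary() { fw tab -t "$1" -s; }

# Print one CSV row: UTC time, host, then current,peak for each table.
# $1 optionally names a replacement query function (used for offline tests).
build_row() {
    query="${1:-fw_summary}"
    row="$(date -u +%Y-%m-%dT%H:%M:%SZ),$(hostname 2>/dev/null || echo unknown)"
    for t in $TABLES; do
        row="$row,$("$query" "$t" 2>/dev/null | parse_fw_tab_summary)"
    done
    printf '%s\n' "$row"
}

# Sample only where the Check Point environment script is present.
if [ -r "$CP_ENV" ]; then
    . "$CP_ENV"   # cron starts with a bare environment; load Check Point variables
    if [ ! -s "$OUT_CSV" ]; then
        echo "time_utc,host,om_cur,om_peak,ec_cur,ec_peak,mab_cur,mab_peak,l2tp_cur,l2tp_peak,snx_cur,snx_peak" > "$OUT_CSV"
    fi
    build_row >> "$OUT_CSV"
fi
```

Scheduled at the 10-minute interval mentioned earlier in the thread, the CSV gives a per-gateway history of concurrent sessions that can be graphed without collecting user names.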
Hello all,
I have a question regarding the reports.
We do get information about the blades: firewall and Mobile Access, but any time we want a report about the VPN blade it returns "No data found".
Can anyone shed some light on this?
Thank you in advance,
Nice one! Imported this template on R81 and it worked perfectly!
Thank you.
Excellent Tomas, very good tool. Question: is it possible to add the public IP address of the client side and get the assigned IP address?
Thanks very much