Highlighted
Pearl

One-liner for Remote Access VPN Statistics

COVID-19 💊 We take care of your Remote Access VPN needs!
👩‍💻 Reviewed by RnD.
👍 Available as SmartConsole Extension.

One-liner (Bash) to show a summary about the remote access statistics of a VPN gateway.
Run in SmartConsole as one-time script or from your scripts repository or directly on your Gateway in expert mode:

echo; if [[ `if [[ $(cat /etc/cp-release) == *"Embed"* ]]; then grep 1 /opt/fw1/conf/active_blades.txt | tr '[:upper:]' '[:lower:]'; else enabled_blades 2>/dev/null; fi` != *'vpn'* ]]; then echo ' Not a VPN gateway!'; else echo ' REMOTE ACCESS VPN STATS - Current'; printf '%.s-' {1..70}; echo; function f { if [[ "$TERM" == "xterm" ]]; then fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; else fw tab -t $1 -s | tail -n1 | awk '{print $4" (Peak: "$5")"}'; fi; }; function t { [ "$TERM" == "xterm" ] && tput bold; }; t; echo -n " Assigned OfficeMode IPs    : "; f "om_assigned_ips"; t; echo -n " Capsule/Endpoint VPN Users : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | grep 'Visitor' | tail -n1 | awk '{print $NF}' | tr -s 'Mode:' '0'`; t; echo -n " Capsule Workspace Users    : "; f "mob_mail_session"; if [[ `cat /etc/cp-release` != *"Embed"* ]]; then t; echo -n " MAB Portal Users           : "; f "cvpn_session"; fi; t; echo -n " L2TP Users                 : "; f "L2TP_tunnels"; t; echo -n " SNX Users                  : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..70}; t; echo; function s { awk '{ sum += $1 } END { print sum }'; }; function u { echo Unlimited; }; l=`cplic print -p 2>/dev/null | awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}' | tr ' ' '\n'`; echo -n ' SecuRemote Users           : '; if [[ "$l" == *'srunlimited'* ]]; then u; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | s; fi; echo -n ' Endpoint Connect Users     : '; grep -a sc_users $FWDIR/database/fwauth.NDB | tr -dc '[:digit:]\n' | awk '{print $1/5}' | echo $(cat); echo -n ' Mobile Access Users        : '; if [[ "$l" == *'cvpnunlimited'* ]]; then u; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | s; fi; echo -n ' SNX Users                  : '; if [[ "$l" == *'nxunlimit'* ]]; then u; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | s; fi; [ "$TERM" == "xterm" ] && tput sgr0; unset l; fi; echo


This One-liner is also integrated with our ccc script.

Thanks to @PhoneBoy for license macro information in this thread. [ VPN License Guide ]
Thanks to @HristoGrigorov for SMB support and testing.
Thanks to CheckMates for these Remote Access SmartEvent Reports: Basic, Enhanced, Application Monitoring, Custom User Stats

-- More one-liners --

One-liner for Address Spoofing Troubleshooting
One-liner to show VPN topology on gateways
One-liner to show Geo Policy on gateways
FW Monitor SuperTool

68 Replies
Highlighted
Platinum

This one-liner won't work on SMB appliances out of the box, mainly because the enabled_blades and rev commands are missing. To overcome this problem you need to run the following two commands in expert mode:

echo "grep 1 /opt/fw1/conf/active_blades.txt |  awk '{printf \"%s \", tolower(\$1)} END {print \"\"}'" > /usr/bin/enabled_blades && chmod 755 /usr/bin/enabled_blades
echo "echo \$1 | awk '{ for(i=length;i!=0;i--)x=x substr(\$0,i,1);}END{print x}'" > /usr/bin/rev && chmod 755 /usr/bin/rev

Btw, mobile blade is not supported on SMB.

 

0 Kudos
Highlighted
Pearl

I just added SMB support to the one-liner, so your adjustments are not required anymore.

Highlighted
Platinum

Awesome work as usual Danny. 😉

On SMB you have two kinds of VPN blades - VPN-RA and VPN-S2S. The one-liner will match even if only S2S is enabled, but I guess most of them usually have both blades enabled anyway... Yet if you want to be precise you should probably account for that 🤔

0 Kudos
Highlighted
Pearl

The one-liner checks for the VPN blade to make sure it's getting executed on the right type of gateway. Correct configuration of the VPN blade is up to the firewall admin. In case the admin doesn't get that right, the RAS-VPN user count will just show 0 as no RAS-VPN user will be able to connect.

0 Kudos
Highlighted
Iron

Brilliant @Danny  just what I needed.

0 Kudos
Highlighted
Pearl

You are welcome! 🙂

0 Kudos
Highlighted

Thanks for a really great script!!

One thing that I noticed though is that it doesn't seem to handle CPVP-VSC licenses.
I have multiple customers using these types of licenses that don't show up in the list.
There's sk98121 that describes how to check the current no. of seats that you have.
As far as I've been able to figure out, the value for sc_users seems to be the amount of seats * 5, i.e.
100 license = 500
400 license = 2000
5000 lic = 25000

Example:
[Expert@VS:3]# grep --binary-files=text sc_users fwauth.NDB
:sc_users (2000)
[Expert@VS:3]#

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 6 (Peak: 6)
Capsule/Endpoint VPN Users : 6 (Peak: 6) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users :
Mobile Access Users : 5
SNX Users :


If you have the time to add the logic for those licenses as well that'd be great!

Thanks again!!

0 Kudos
Highlighted
Pearl

Thanks @MikaelJohnsson, I improved the code.

Highlighted
Employee+

Great work Danny!

0 Kudos
Highlighted
Pearl

Thanks for all your kind comments! I'm glad this is of help for so many people. 😀

0 Kudos
Highlighted
Employee

Hi Danny!

Like everybody else, I agree that it is a fantastic job you have done with this One-Liner tool!

But have you reviewed @MikaelJohnsson above, and his concerns about the counter of licenses vs the amount that is supposedly installed?

I have tested on my environment, to install 3 x 100 SandBlast Agent (SecureClient/Endpoint Connect or whatever we want to call them) licenses, and when I run the command I get an output of 1500 licenses installed:

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users : 1500
Mobile Access Users : Unlimited
SNX Users :

 

So, that begs considering Mikael's "multiplicator" suggestion, but from my point of view the result should really be 300, as this is the amount of licenses I installed.

I assume that if I were to add another 100-license, the output would increase to 2000, which isn't correct.

Keep up the great work!

Cheers mate!

/Jonas

0 Kudos
Highlighted
Pearl

Thanks for the heads up. I improved the one-liner.

0 Kudos
Highlighted
Employee

Nice, works fine now 😀

 

REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 0 (Peak: 0)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 3 (Peak: 5)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users : 300
Mobile Access Users : Unlimited
SNX Users :

0 Kudos
Highlighted
Platinum

Not good Danny, you broke SMB compatibility 😉

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : grep: unrecognized option '--binary-files=text'
BusyBox v1.28.3 (2019-05-23 14:00:45 IDT) multi-call binary.

Usage: grep [-HhnlLoqvsriwFE] [-m N] [-A/B/C N] PATTERN/-e PATTERN.../-f FILE [FILE]...

 

0 Kudos
Highlighted
Pearl

Replaced it with the even shorter -a parameter which also works fine on SMB gateways. 😉

0 Kudos
Highlighted
Platinum

Yeah, well... it works on SMB but...

LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : Mobile Access Users : 200  <== this line causes pain in my eyes 😁
SNX Users :

 

Need to inject new line before ' Mobile ... '

0 Kudos
Highlighted
Pearl

I'm here for your cure. 😃 Code improved. 💉

0 Kudos
Highlighted
Platinum

Perfect, beautiful, awesome! 😀

I took some execution time measurements on my 1470 toy:

real 0m0.654s
user 0m0.370s
sys 0m0.140s

0 Kudos
Highlighted

Great tool. Works fine even on VSX gateways. But only if I first change the context (using vsenv). Unfortunately I cannot add this vsenv to the script so that it could run from the repository. Can this command not be used in scripts?

Any ideas how to use it on a VSX gw?

0 Kudos
Highlighted
Pearl

As Check Point doesn't (yet) support running scripts on virtual systems (VS) within SmartConsole, you are looking for a way to circumvent this limitation by running the one-liner directly on the VSX object in SmartConsole. As far as I know this won't work.


However, I'm working on a SmartConsole Extension that will easily show all Remote Access VPN Statistics with a single click on any gateway, even VS. It's just a matter of time and support.

Highlighted
Employee

Great script man.

0 Kudos
Highlighted
Ivory

We have two clustered gateways with CPSB-MOB-200 and CPSB-MOB-200-HA license.

In our case One-liner shows total 410 Mobile Access Users licenses.


I doubt whether this is correct behaviour. Does this mean it's possible to have up to 410 simultaneous Mobile Access connections?

0 Kudos
Highlighted
Pearl

As per your description you have 205 MOB licenses for Mobile Access -> the bundled CPSB-MOB-5 + your purchased CPSB-MOB-200.


In your case the one-liner shows 410 instead of 205 MOB licences. That's twice the number you expect it to show. I just checked on my side and don't see this behaviour. Could you show us what cplic print -x and cplic print -p show on your gateway?

0 Kudos
Highlighted
Ivory

Danny,

cplic print -x shows:

                                                                                                                                                       

 

    never              CPAP-SG460X-HA CPSB-FW-HA CPSM-C-2 CPSB-VPN-HA CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200-HA CPSB-IA-HA CPSB-SSLVPN-5-HA CPSB-ADNC-HA CPSB-IPS-S1-HA CPSB-URLF-HA CPSB-APCL-HA CPSB-AV-HA CPSB-ABOT-S-HA CPSB-ASPM-HA CPSB-CTNT

    never              CPAP-SG460X-HA CPSB-FW-HA CPSM-C-2 CPSB-VPN-HA CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200-HA CPSB-IA-HA CPSB-SSLVPN-5-HA CPSB-ADNC-HA CPSB-IPS-S1-HA CPSB-URLF-HA CPSB-APCL-HA CPSB-AV-HA CPSB-ABOT-S-HA CPSB-ASPM-HA CPSB-CTNT

 

cplic print -p shows:

 


     never       fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:hfm fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:swb fw1:6.0:abot fw1:6.0:hfm fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:appi fw1:6.0:hfm fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:ipss1 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:hfm fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:hfm fw1:6.0:swb fw1:6.0:identity fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv100 cvpn:6.0:ccv100 cvpn:6.0:cvpn100users cvpn:6.0:cvpn100users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd fw1:6.0:swb fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:ca fw1:6.0:cluster-u fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:ui fw1:6.0:filter fw1:6.0:fwc fw1:6.0:cmd fw1:6.0:hfm fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote2 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:hfm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr500 fw1:6.0:hosts500 fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_2 fw1:6.0:multicore

 

never       fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:hfm fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:swb fw1:6.0:abot fw1:6.0:hfm fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:appi fw1:6.0:hfm fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:ipss1 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:hfm fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:hfm fw1:6.0:swb fw1:6.0:identity fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv100 cvpn:6.0:ccv100 cvpn:6.0:cvpn100users cvpn:6.0:cvpn100users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd fw1:6.0:swb fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:ca fw1:6.0:cluster-u fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:ui fw1:6.0:filter fw1:6.0:fwc fw1:6.0:cmd fw1:6.0:hfm fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote2 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:hfm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr500 fw1:6.0:hosts500 fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_2 fw1:6.0:multicore

 

0 Kudos
Highlighted
Pearl

Looks like everything is attached twice on your gateway.

PS: We have a spoiler function on this forum so you can hide such long output behind a button.

0 Kudos
Highlighted

Hello, 

I have a question. At the moment I have a demo licence.

Assigned Office Mode: 266

Capsule/Endpoint Users: 309

The client paid for 200 MOB-HA. As the guy says, could I connect 410 users for MOB? 205 for gateway?

And what is the difference between assigned Office Mode addresses and Capsule/Endpoint VPN Users? Shouldn't these values be the same?

 

0 Kudos
Highlighted

Hello, 

What is the difference between Office Mode IP assigned and Capsule/Endpoint VPN Users? 

I now have 37 Assigned OfficeMode IPs and 205 Endpoint VPN Users. Shouldn't the values be the same?

 

0 Kudos
Highlighted
Admin

FYI, I got a couple reports internally that the script might not be taking into account expiration dates of licenses, which might cause the license counts to be off, especially if you have multiple evals applied.
This should be in the cplic print -p output.
0 Kudos
Highlighted
Pearl

Thanks, I'll look into this.

0 Kudos
Highlighted
Admin

Suggested fix for parsing cplic print output:

awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}'

0 Kudos
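
The two license-count pitfalls raised in this thread (expired evaluations still being counted, and one license attached twice showing 410 instead of 205), as an added example that is not the one-liner above and not Check Point code. The function names, the sample lines and the DDMonYYYY expiry format are assumptions; the macro names and the IPv4 line filter follow the output and awk posted in the thread.

```bash
#!/bin/bash
# Added example: count Mobile Access seats from `cplic print -p`-style text.
# Constructed sample input; the DDMonYYYY expiry format is an assumption.

# mob_seats TODAY   (TODAY = YYYYMMDD, license lines on stdin)
# Prints "total=<n|Unlimited> unique=<n> duplicate_lines=<n>".
mob_seats() {
  awk -v today="$1" '
    BEGIN {
      n = split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
      for (i = 1; i <= n; i++) mon[m[i]] = i
    }
    # 5Jan2021 -> 20210105, so dates compare as plain numbers (no date -d needed).
    function ymd(s,   d, rest) {
      d = s; sub(/[A-Za-z].*$/, "", d)
      rest = substr(s, length(d) + 1)
      return substr(rest, 4) * 10000 + mon[substr(rest, 1, 3)] * 100 + d
    }
    # License lines start with an IPv4 address, as in the filter posted in the thread.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
      if ($2 != "never" && ymd($2) <= today) next   # expired license: skip
      first = !(seen[$0]++)                          # 0 when this exact line repeats
      if (!first) dups++
      for (i = 3; i <= NF; i++) {
        if ($i ~ /cvpnunlimited/) unlimited = 1
        else if ($i ~ /^cvpn:6\.0:cvpn[0-9]+users$/) {
          v = substr($i, 14); sub(/users$/, "", v)   # same offset as cut -c 14-
          total += v; if (first) unique += v
        }
      }
    }
    END {
      printf "total=%s unique=%d duplicate_lines=%d\n", (unlimited ? "Unlimited" : total + 0), unique, dups
    }'
}

# Constructed sample: one license attached twice (5 x 1 + 2 x 100 = 205 seats)
# plus an expired 50-seat evaluation.
sample_licenses() {
  for _ in 1 2; do
    printf '%s\n' '192.0.2.10 never cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn cvpn:6.0:cvpn100users cvpn:6.0:cvpn100users fw1:6.0:sr500'
  done
  printf '%s\n' '192.0.2.10 15Mar2020 cvpn:6.0:cvpn50users cvpn:6.0:cvpn'
}

sample_licenses | mob_seats 20200401
```

A non-zero duplicate_lines value is the signal to compare `cplic print -x` against what was actually purchased before trusting the total.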