Remote Access VPN - Short List of Most Useful Resources and Tools
In these turbulent times, with more and more people working from home, getting a grip on one's current situation with Remote Access is essential.
What is my license count? Do I have enough licenses for all my users? What are my options for Remote Access in the first place?
In this post, I take the liberty of listing some of the most useful links on the matter. A more extensive FAQ is now available in sk166032. See also our Secure Remote Workforce During Covid-19 hub.
1. What are the Remote Access options with Check Point?
All Check Point Remote Access Solutions, present and legacy, are listed in this SecureKnowledge Article. In a nutshell, you can choose one or a combination of:
- SSL VPN Portal for published business application
- Layer-3 VPN Tunnel
- Layer-3 VPN Tunnel integrated with Endpoint Security
For more information, please follow this link.
2. How do I get an effective view concerning Remote Access usage?
You can cook your own reports and views, of course, but we have you covered. In this post @Tomas_Vobruba presents a custom SmartView dashboard covering the following:
- total time spent on VPN,
- transferred total bytes,
- number of logs,
- blade used,
- login fails and realauth schemes,
- and client used for connection (workspace, endpoint, snx, etc)
Three other community-provided reports of interest:
- Monitoring Applications and Data Usage for Remote Access Sessions by @Peter_Elmer
- Custom View for Remote Access User Statistics by @Jacques_Spelier
- Remote Access VPN Report by @Mazhar_Hamayun
Another option to get statistics is to use this one-liner script, courtesy of our champion @Danny.
There is also a SmartConsole Extension showing similar information (also from @Danny).
3. Making sure you have enough licenses
With multiple tools and licenses used in parallel, you need to be sure you have enough capacity to serve your customers and clients. Assessing the RA VPN licensing situation used to be a challenge. There are multiple SecureKnowledge articles on the matter: sk104644, sk39034 and sk14496.
Most probably, you will have to look into VPN tables to get information about usage:
| Table | Output |
| --- | --- |
| fw tab -t om_assigned_ips -f | Office Mode users (including SNX and L2TP) |
| fw tab -t sslt_om_ip_params -f | SNX users |
| fw tab -t L2TP_tunnels -f | L2TP users |
| vpn show_tcpt | Will show the number of Office Mode users that are currently connected in Visitor Mode |
| fw tab -t cvpn_session | MAB users connected (not SNX, just MAB portal) |
However, there is an easier way, thanks to the community. To see both the number of connected users and the license situation on a particular GW, use this fantastic script from one of our champions, @HeikoAnkenbrand.
4. I need more information: architecture, implementation, scaling, etc.
If you are looking for detailed guidance, please refer to our recently posted White Paper on the matter.
5. Can I use Check Point based Remote Access VPN on Linux?
The answer is yes. Here are two community posts about how to set up and use strongSwan (Roadwarrior) and Libreswan 3.23 with R80.30, both written by @Soeren_Rothe.
Feel free to add your questions and concerns in the comments; we will be happy to address them.
6. Remote Access VPN Use - Custom Report
To help you out with keeping an eye on the increased RA VPN usage, we have created a custom Remote Access VPN usage report. You can download the files you need to use it from this post.
I've created a One-liner for Remote Access VPN statistics
Well done putting this together!
Thanks for this very helpful script and post.
May you please assist on the issue that is in the link below
Thanks in advance
In the past few days I have been working on a CLI script that can display all Secure Client license information centrally. This script creates a new command on the management server to read the Secure Client licenses. It displays all Secure Client licenses in total (sum). Furthermore, it can read out the currently used licenses on the gateway. If a connection to the gateway can be established, the following values are read out: currently used Secure Client licenses and the maximum used Secure Client licenses.
If you execute the script via "copy and paste" on the management server, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. Please note that the execution of the new command may take a few seconds. This is normal behaviour.
Now for the following:
- Secure Client licenses
- Mobile Access Portal licenses
- SSLVPN licenses
Read more here: R80.x - Mobile User License Tool - replaces "dtps lic"
Here is an example:
# sclic 10.0.0.1
Now all license parameters for Secure Client are displayed:
@HeikoAnkenbrand this is already mentioned above, even before you commented 🙂
Now for the following:
- Secure Client licenses
- Mobile Access Portal licenses
- SSLVPN licenses
I've also found these helpful in the past:
sk152132: How to Monitor the Exact Number of Active VPN Tunnels ?
sk112412: How to determine concurrent users / license count on Mobile Access?
sk152132 basically says the "userc_users" table is the most accurate measure of connected users (which I believe is accounted for in @Danny's scripts).
sk112412 has a command I haven't seen before: cvpnd_admin license all.
I would be curious about people's experience with this command when MAB is and is not used.
And maybe @HeikoAnkenbrand, @Danny, and others can incorporate this into the various contributed scripts.
I stumbled upon sk112412 during my research for the One-liner for Remote Access VPN Statistics and included the command in the latest version of ccc.
However, that command couldn't fully convince me yet to be included in my Remote Access VPN One-liner as it often results in errors like these:
Do you guys have any documentation on how to customize the [SSL VPN Portal for published business application] piece?
Talking about colors, etc.
At the gateway, so far the only places I could find some info that looks even close to customization are:
- opt/CPcvpn-/htdocs/Login
- opt/CPUserCheckPortal/htdocs/UserCheck
- opt/CPshrd-/multiportal/httpd-conf
A CheckMates session on this would also be awesome.
Thanks
David
But yes, you're on the right track for current customization options.
