Remote Access VPN - Short List of Most Useful Resources and Tools

In these turbulent times, with more and more people working from home, getting a grip on one's current situation with Remote Access is essential.

What is my license count? Do I have enough licenses for all my users? What are my options for Remote Access in the first place?

In this post, I take the liberty of listing some of the most useful links on the matter. A more extensive FAQ is now available in sk166032. See also our Secure Remote Workforce During Covid-19 hub.

1. What are the Remote Access options with Check Point?

All Check Point Remote Access Solutions, present and legacy, are listed in this SecureKnowledge Article. In a nutshell, you can choose one or a combination of:

  • SSL VPN Portal for published business application
  • Layer-3 VPN Tunnel
  • Layer-3 VPN Tunnel integrated with Endpoint Security

For more information, please follow this link.

2. How do I get an effective view of Remote Access usage?

You can cook your own reports and views, of course, but we have you covered. In this post @Tomas_Vobruba presents a custom SmartView dashboard covering the following:

  • total time spent on VPN,
  • total bytes transferred,
  • number of logs,
  • blade used,
  • login fails and realauth schemes,
  • and client used for connection (workspace, endpoint, snx, etc.)


Three other community-provided reports of interest.

 

Another option to get statistics is to use this one-liner script, courtesy of our champion @Danny 


As well as a SmartConsole Extension showing similar information (also from @Danny)


3. Making sure you have enough licenses

With multiple tools and licenses used in parallel, you need to be sure you have enough capacity to serve your customers and clients. Assessing the RA VPN licensing situation used to be a challenge. There are multiple SecureKnowledge articles on the matter: sk104644, sk39034 and sk14496.

Most probably, you will have to look into VPN tables to get information about usage:

| Table | Output |
|---|---|
| fw tab -t om_assigned_ips -f | Office Mode users (including SNX and L2TP) |
| fw tab -t sslt_om_ip_params -f | SNX users |
| fw tab -t L2TP_tunnels -f | L2TP users |
| vpn show_tcpt | Number of Office Mode users that are currently connected in Visitor Mode |
| fw tab -t cvpn_session | MAB users connected (not SNX, just MAB portal) |

However, there is an easier way, thanks to the community. To see both the number of connected users and the license situation on a particular GW, use this fantastic script from one of our champions, @HeikoAnkenbrand.


4. I need more information: architecture, implementation, scaling, etc.

If you are looking for detailed guidance, please refer to our recently posted White Paper for the matter.


5. Can I use Check Point-based Remote Access VPN on Linux?

The answer is yes. Here are two community posts about how to set up and use strongSwan (Roadwarrior) and Libreswan 3.23 with R80.30, both written by @Soeren_Rothe.

Feel free to add your questions and concerns in the comments; we will be happy to address them.

6. Remote Access VPN Use - Custom Report

To help you out with keeping an eye on the increased RA VPN usage, we have created a custom Remote Access VPN usage report. You can download the files you need to use it from this post.

12 Replies
Admin

Well done putting this together!

Participant

Thanks for this very helpful script and post.

Participant

Could you please assist with the issue in the link below?

https://community.checkpoint.com/t5/Logging-and-Reporting/CRON-JOB-TO-SEND-LOGS-WITH-A-FREQUENCY-OF-...

Thanks in advance


In the past days I have been working on a CLI script that can display all Secure Client license information centrally. This script creates a new command on the management server to read the Secure Client licenses. It displays all Secure Client licenses in total (sum). Furthermore, it can read out the currently used licenses on the gateway. If a connection to the gateway can be established, the following values are read out: Currently used Secure Client licenses and the maximum used Secure Client licenses.

If you execute the script via "copy and paste" on the management server, a new CLI command "sclic" is created. Afterwards you can use this command to display all licenses in an overview. Please note that the execution of the new command may take a few seconds. This is normal behaviour.

Now for the following:
- Secure Client licenses
- Mobile Access Portal licenses
- SSLVPN licenses

Read more here: R80.x - Mobile User License Tool - replaces "dtps lic"

Here is an example:
# sclic 10.0.0.1

Now all license parameters for Secure Client are displayed:

[Screenshot: SC_Bild7.JPG]

Admin

@HeikoAnkenbrand this is already mentioned above, even before you commented 🙂


Now for the following:
- Secure Client licenses
- Mobile Access Portal licenses
- SSLVPN licenses

Admin

sk152132 basically says the "userc_users" table is the most accurate measure of connected users (which I believe is accounted for in @Danny's scripts).

sk112412 has a command I haven't seen before: cvpnd_admin license all.
I would be curious about people's experience with this command when MAB is and is not used.
And maybe @HeikoAnkenbrand, @Danny, and others can incorporate this into the various contributed scripts.

Champion

I stumbled upon sk112412 during my research for the One-liner for Remote Access VPN Statistics and included the command in the latest version of ccc.

However, that command couldn't fully convince me yet to be included in my Remote Access VPN One-liner as it often results in errors like these:

[Screenshot: image.png]

Participant

Do you guys have any documentation on how to customize the [SSL VPN Portal for published business application] piece?

Talking about colors, etc.

At the gateway, so far the only places I could find some info that looks even close to customization are:

  • opt/CPcvpn-/htdocs/Login
  • opt/CPUserCheckPortal/htdocs/UserCheck
  • opt/CPshrd-/multiportal/httpd-conf

A Checkmates session on this would also be awesome.

 

Thanks

David

Admin

I believe there will be more options with the Mobile Access Portal in R81.
But yes, you're on the right track for current customization options.