Solved: VPN information different for CLI vs GUI - why?

Scott_Perry1 · ‎2020-03-20

Hello all,

I've posted about some of this before. this time I am having challenges with the various ways that Check Point displays VPN users.

From the CLI running 'fw tab -t userc_users -s' I see I have 290 users connected. (CLI screenshot attached).

From the GUI, I right click on the firewall I am looking for details on, select Monitoring, then accessing IPSec VPN, clicking the carrot to expand that I see I have 452 users connected (GUI screenshot attached).

I am trying to reconcile how many current VPN users I have connected. The CLI compared to the GUI show different figures.

Some questions for Check Point:

1. Which answer is correct?

2. Is there a better (AND more reliable) method to find the accurate number of VPN users connected to my gateway?

3. Why is it so difficult to figure out how many VPN Users are connected currently (poke poke developers)?

4. How do I see the bandwidh being taken up by the VPN users so we can gauge the need to add additional bandwidth?

5. What CLI command feeds the GUI list of IPSec VPN users?

Thank you all for your responses, I appreciate it.

Scott

Danny · ‎2020-03-20

1. Which answer is correct?

The CLI info is correct. Check Point confirmed the Monitoring info has a visual glitch.

2. Is there a better (AND more reliable) method to find the accurate number of VPN users connected to my gateway?

Simply use my One-liner for Remote Access VPN statistics and run it on your VPN gateways.

3. Why is it so difficult to figure out how many VPN Users are connected currently (poke poke developers)?

It's not. See my answer for 2.

4. How do I see the bandwidh being taken up by the VPN users so we can gauge the need to add additional bandwidth?

Just enable monitoring of bandwidth data on your gateway and run the VPN history report after data has been collected.

5. What CLI command feeds the GUI list of IPSec VPN users?

Just use the -f parameter instead of -s on all the fw tab -t commands used within my One-liner in 2.

View solution in original post

Danny · ‎2020-03-20

1. Which answer is correct?

The CLI info is correct. Check Point confirmed the Monitoring info has a visual glitch.

2. Is there a better (AND more reliable) method to find the accurate number of VPN users connected to my gateway?

Simply use my One-liner for Remote Access VPN statistics and run it on your VPN gateways.

3. Why is it so difficult to figure out how many VPN Users are connected currently (poke poke developers)?

It's not. See my answer for 2.

4. How do I see the bandwidh being taken up by the VPN users so we can gauge the need to add additional bandwidth?

Just enable monitoring of bandwidth data on your gateway and run the VPN history report after data has been collected.

5. What CLI command feeds the GUI list of IPSec VPN users?

Just use the -f parameter instead of -s on all the fw tab -t commands used within my One-liner in 2.

Scott_Perry1 · ‎2020-03-23

thank you Danny, that is exactly what I have been looking for. Awesome!!!

PhoneBoy · ‎2020-03-21

Please open a TAC case on the visual error.
As Danny noted below, the CLI is more correct.

Scott_Perry1 · ‎2020-03-23

Thank you PhoneBoy, I will do just that.

Are you a member of CheckMates?

VPN information different for CLI vs GUI - why?