It is not so hard - this is taken from my post Remote Access Users license + count
The "old" RA VPN client licensing worked by counting client IPs (called "seats", CLI "dtps lic" on policy server), and the used licenses count showed the number of clients that did connect during the last 30 days. This is different with MAB licenses, they are defined as the number of concurrent clients; MAB even has five grace clients, so the maximum number of concurrent clients is the number of licenses plus five.
...
From sk39034: How to check the number of currently connected Remote Access users and sk14496: How to check the names of remote access users that have sent traffic through the Security G...
To see the number of currently connected Remote Access users, run this command (in Expert mode) on the VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_users -s
To see the username of each "connected" remote access user (in the last 15 minutes), run this command (in Expert mode) on VPN Security Gateway:
[Expert@HostName]# fw tab -t userc_rules -f
You can also run the following command on the gateway, in order to see the number of OM IPs which are currently assigned by the gateway:
# fw tab -t om_assigned_ips -s
HOST NAME ID #VALS #PEAK #SLINKS localhost om_assigned_ips 372 1 1 0
The above output (#VALS=1 ) means currently one client is assigned an OM IP. This includes SNX users with OM IPs as well, who take up from a different license (MAB). In order to find out how many there are of those and subtract them to leave only IPsec VPN clients (i.e. SecureClient, Endpoint Security VPN, Endpoint Connect), check the following table:
# fw tab -t sslt_om_ip_params -s
HOST NAME ID #VALS #PEAK #SLINKS localhost sslt_om_ip_params 372 1 1 0
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist