Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 

Remote Access VPN Statistics - One-liner

Danny
Champion Champion
Champion

COVID-19  💊 We take care of your Remote Access VPN needs!
👩‍💻 Reviewed by RnD.
👍 Available as SmartConsole Extension.

One-liner (Bash) to show a summary about the remote access statistics of a VPN gateway.
Run in SmartConsole as one-time script or from your scripts repository or directly on your Gateway in expert mode:


    echo; if [[ `if [[ $(cat /etc/cp-release) == *"Embed"* ]]; then grep 1 /opt/fw1/conf/active_blades.txt | tr '[:upper:]' '[:lower:]'; else e
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.




(2)
78 Replies

Danny
Champion Champion
Champion

Thanks, I'll look into this.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

PhoneBoy
Admin
Admin
Suggested fix right for parsing cplic print output:

awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}'

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

👍 Perfect. I tested it successfully and added it to the one-liner.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

StephS
Explorer

Awesome tool,  @Danny! That's a very useful script.

Overall, it works as expected, but I've got a few difficulties understanding the meaning of the numbers. As I understand, the entry "Assigned Office Mode IPs" shows the number of all currently assigned remote access IPs which would mean the sum of Capsule/Endpoint VPN Users and SNX Users. For us, these numbers (sum of Capsule/Endpoint VPN Users and SNX Users vs. Assigned Office Mode IPs) don't match.

The same applies to the number

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Hi  @StephS ,

you wrote: As I understand, the entry "Assigned Office Mode IPs" shows the number of all currently assigned remote access IPs

It shows how many IP addresses have been assigned from the Office Mode IP pool within your configured lease time (Default: 60 minutes).

Our peak score for SNX users increases .. without the peak being hit .. (verified with cron job).

May I ask how you exactly verify the peak levels via cronjob? My one-liner does no calculation at this p

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

cdg_soportevip_
Explorer
Why using the old script I can see users using Visitor Mode and why using the current script the numbers of users using Visitor Mode is 0.

The old script: [...]using Visitor Mode: `vpn show_tcpt 2>/dev/null | tail -n1 | rev | awk [...]

The curren script:using Visitor Mode: `vpn show_tcpt 2>/dev/null | grep 'Visitor Mode' | tail -n1 | awk '

Thanks! ;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Please post the last line of the command: vpn show_tcpt

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

cdg_soportevip_
Explorer
[Expert@NHVSXGW01:1]# vpn show_tcpt
Showing all users connected in Visitor Mode:
[...]
Total number of users: 930, SNX users : 119, Visitor mode users: 191 ;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Thanks, I fixed the code.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

StephS
Explorer

We scheduled a cron job which runs every minute, executes your script and writes the output into a file. We then looked out for the entry when the peak changed and saw that the number of users by far didn't match the peak.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Joshua
Contributor
This is so great.
And you made a Smart Console Extension based on it.
Brilliant! ;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Garrett_DirSec
Advisor

Hello @Danny and @phoneboy  --

We recently ran this on R80.40 smartconsole and MOB displayed as "205" available sessions.    The customer has MOB-200 license.    I know CP appliances come with MOB-5.  

However, I am also aware that MOB licensing in not additive.  you can't add two MOB-200 on cluster and get 400 supported sessions.  Similarly, I doubt that MOB-200 and MOB-5 add together to provide 205 user sessions.

The gateway container license:

"CPAP-SG660X CPSM-C-2 CPSB-FW C

...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

PhoneBoy
Admin
Admin

Two possible explanations:

  1. The licenses function additively "under the hood" (though we don't license it/support it that way)
  2. There is some overage allowed in the license (which I know we did have previously)
;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

nflnetwork29
Advisor

hi there i ran the one liner on out 1500 smb gateway and the licenses section does output correctly. this is centrally managed gateway. 

Check Point's 1550 Appliance R80.20.10 - Build 365

here is the output:

 

 

 

 

 


    REMOTE ACCESS VPN STATS - Current ---------------------------------------------------------------------- Assigned OfficeMode IPs : 4 (Peak: 7) Capsule/Endpoint VPN Users : 4 (Peak: 8 ) using Visitor Mode: 1 Capsule Workspace Users : 0 (Peak: 0) L2TP User
...;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

PhoneBoy
Admin
Admin

It’s possible this needs to be refactored for SMB appliances (at least the 1500s).
awk syntax appears to be different.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

StephS
Explorer

Hi  @Danny,

we discovered a minor bug in the output of the script. Every time the number of Visitor Mode Users hits 100, the script output ("using Visitor Mode:") just shows 10 instead of 100. When the number gets to 101 (and every other number we experienced so far), it is printed out correctly. Do you know where this comes from? 

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

Danny
Champion Champion
Champion

Great find! I found the root cause and improved the code.

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

StephS
Explorer

Thx, Danny!

We tested the new code and it worked!

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos

jaimej
Employee
Employee

Hi, Could I use this one liner within a VS to get the VPN RA information?

;
TO ACCESS CHECKMATES TOOLBOX it's simple and free


0 Kudos