Re: Remote Access VPN Statistics - One-liner - Page 3

Danny

COVID-19 💊 We take care of your Remote Access VPN needs!
👩‍💻 Reviewed by RnD.
👍 Available as SmartConsole Extension.

One-liner (Bash) to show a summary about the remote access statistics of a VPN gateway.
Run in SmartConsole as one-time script or from your scripts repository or directly on your Gateway in expert mode:

echo; if [[ `if [[ $(cat /etc/cp-release) == *"Embed"* ]]; then grep 1 /opt/fw1/conf/active_blades.txt | tr '[:upper:]' '[:lower:]'; else enabled_blades 2>/dev/null; fi` != *'vpn'* ]]; then echo ' Not a VPN gateway!'; else echo ' REMOTE ACCESS VPN STATS - Current'; printf '%.s-' {1..70}; echo; function f { if [[ "$TERM" == "xterm" ]]; then fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; else fw tab -t $1 -s | tail -n1 | awk '{print $4" (Peak: "$5")"}'; fi; }; function t { [ "$TERM" == "xterm" ] && tput bold; }; t; echo -n " Assigned OfficeMode IPs    : "; f "om_assigned_ips"; t; echo -n " Capsule/Endpoint VPN Users : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | grep 'Visitor' | tail -n1 | awk '{print $NF}' | sed 's/Mode:/0/'`; t; echo -n " Capsule Workspace Users    : "; f "mob_mail_session"; if [[ `cat /etc/cp-release` != *"Embed"* ]]; then t; echo -n " MAB Portal Users           : "; f "cvpn_session"; fi; t; echo -n " L2TP Users                 : "; f "L2TP_tunnels"; t; echo -n " SNX Users                  : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..70}; t; echo; function s { awk '{ sum += $1 } END { print sum }'; }; function u { echo Unlimited; }; l=`cplic print -p 2>/dev/null | awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}' | tr ' ' '\n'`; echo -n ' SecuRemote Users           : '; if [[ "$l" == *'srunlimited'* ]]; then u; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | s; fi; echo -n ' Endpoint Connect Users     : '; grep -a sc_users $FWDIR/database/fwauth.NDB | tr -dc '[:digit:]\n' | awk '{print $1/5}' | echo $(cat); echo -n ' Mobile Access Users        : '; if [[ "$l" == *'cvpnunlimited'* ]]; then u; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | s; fi; echo -n ' SNX Users                  : '; if [[ "$l" == *'nxunlimit'* ]]; then u; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | s; fi; [ "$TERM" == "xterm" ] && tput sgr0; unset l; fi; echo

This One-liner is also integrated with our ccc script.

Thanks to @PhoneBoy for license macro information in this thread. [ VPN License Guide ]
Thanks to @HristoGrigorov for SMB support and testing.
Thanks to CheckMates for these Remote Access SmartEvent Reports: Basic, Enhanced, Application Monitoring, Custom User Stats

Danny · ‎2020-04-14

Thanks, I'll look into this.

PhoneBoy · ‎2020-04-15

Suggested fix right for parsing cplic print output:

awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}'

Danny · ‎2020-04-16

👍 Perfect. I tested it successfully and added it to the one-liner.

StephS · ‎2020-05-06

Awesome tool, @Danny! That's a very useful script.

Overall, it works as expected, but I've got a few difficulties understanding the meaning of the numbers. As I understand, the entry "Assigned Office Mode IPs" shows the number of all currently assigned remote access IPs which would mean the sum of Capsule/Endpoint VPN Users and SNX Users. For us, these numbers (sum of Capsule/Endpoint VPN Users and SNX Users vs. Assigned Office Mode IPs) don't match.

The same applies to the number of MAB Portal Users, which would in my opinion mean Capsule/Endpoint VPN Users, Capsule Workspace Users, SNX Users and all users that use the portal without connecting to the SNX.

Another point is the peak score. Our peak score for SNX users for example increases from time to time without the peak being hit within this time (verified with cron job).

Do you have any advice what might be the reason for this behavior?

Danny · ‎2020-05-06

Hi @StephS ,

you wrote: As I understand, the entry "Assigned Office Mode IPs" shows the number of all currently assigned remote access IPs

It shows how many IP addresses have been assigned from the Office Mode IP pool within your configured lease time (Default: 60 minutes).

Our peak score for SNX users increases .. without the peak being hit .. (verified with cron job).

May I ask how you exactly verify the peak levels via cronjob? My one-liner does no calculation at this point, it just formats the original numbers that are returned by Check Points commands so you might want to open a ticket with TAC to consult on the origin of the peak levels.

cdg_soportevip_ · ‎2020-05-07

Why using the old script I can see users using Visitor Mode and why using the current script the numbers of users using Visitor Mode is 0.

The old script: [...]using Visitor Mode: `vpn show_tcpt 2>/dev/null | tail -n1 | rev | awk [...]

The curren script:using Visitor Mode: `vpn show_tcpt 2>/dev/null | grep 'Visitor Mode' | tail -n1 | awk '

Thanks!

Danny · ‎2020-05-07

Please post the last line of the command: vpn show_tcpt

cdg_soportevip_ · ‎2020-05-07

[Expert@NHVSXGW01:1]# vpn show_tcpt
Showing all users connected in Visitor Mode:
[...]
Total number of users: 930, SNX users : 119, Visitor mode users: 191

Danny · ‎2020-05-07

Thanks, I fixed the code.

StephS · ‎2020-05-07

We scheduled a cron job which runs every minute, executes your script and writes the output into a file. We then looked out for the entry when the peak changed and saw that the number of users by far didn't match the peak.

Joshua · ‎2020-05-25

This is so great.
And you made a Smart Console Extension based on it.
Brilliant!

Garrett_DirSec · ‎2020-10-15

Hello @Danny and @phoneboy --

We recently ran this on R80.40 smartconsole and MOB displayed as "205" available sessions. The customer has MOB-200 license. I know CP appliances come with MOB-5.

However, I am also aware that MOB licensing in not additive. you can't add two MOB-200 on cluster and get 400 supported sessions. Similarly, I doubt that MOB-200 and MOB-5 add together to provide 205 user sessions.

The gateway container license:

"CPAP-SG660X CPSM-C-2 CPSB-FW CPSG-C-4-U CPSG-C-2-U CPSB-VPN CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200 CPSB-IA CPSB-SSLVPN-5 CPSB-ADNC CPSB-IPS CPSB-URLF CPSB-APCL CPSB-AV CPSB-ABOT-M CPSB-ASPM CPSB-CTNT ...xxx"

not a big deal but wanted to raise the topic. thx.

PhoneBoy · ‎2020-10-15

Two possible explanations:

The licenses function additively "under the hood" (though we don't license it/support it that way)
There is some overage allowed in the license (which I know we did have previously)

nflnetwork29 · ‎2020-11-04

hi there i ran the one liner on out 1500 smb gateway and the licenses section does output correctly. this is centrally managed gateway.

Check Point's 1550 Appliance R80.20.10 - Build 365

here is the output:

 REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
 Assigned OfficeMode IPs    : 4 (Peak: 7)
 Capsule/Endpoint VPN Users : 4 (Peak: 8 ) using Visitor Mode: 1
 Capsule Workspace Users    : 0 (Peak: 0)
 L2TP Users                 : 0 (Peak: 0)
 SNX Users                  : 0 (Peak: 0)

 LICENSES
----------------------------------------------------------------------
awk: unrecognized option '--re-interval'
BusyBox v1.28.3 (2020-01-13 11:34:59 IST) multi-call binary.

Usage: awk [OPTIONS] [AWK_PROGRAM] [FILE]...

        -v VAR=VAL      Set variable
        -F SEP          Use SEP as field separator
        -f FILE         Read program from FILE
        -e AWK_PROGRAM
 SecuRemote Users           :
 Endpoint Connect Users     :
 Mobile Access Users        :
 SNX Users                  :

PhoneBoy · ‎2020-11-04

It’s possible this needs to be refactored for SMB appliances (at least the 1500s).
awk syntax appears to be different.

StephS · ‎2021-02-09

Hi @Danny,

we discovered a minor bug in the output of the script. Every time the number of Visitor Mode Users hits 100, the script output ("using Visitor Mode:") just shows 10 instead of 100. When the number gets to 101 (and every other number we experienced so far), it is printed out correctly. Do you know where this comes from?

Danny · ‎2021-02-09

Great find! I found the root cause and improved the code.

StephS · ‎2021-02-09

Thx, Danny!

We tested the new code and it worked!

mihairauta · ‎2024-04-02

Hi Danny,

Unfortunately, starting from R81 getline is missing and the script is not able to fetch the VPN licenses anymore.

Danny · ‎2024-04-03

R81 is quite old. This script is working for me on R81, R81.10 and R81.20.
Please provide more information.

jaimej · ‎2023-07-27

Hi, Could I use this one liner within a VS to get the VPN RA information?

Filters

Sort By

Categories

Remote Access VPN Statistics - One-liner

Disclaimer: Check Point does not provide maintenance services or technical or customer support for third party content provided on this Site, including in CheckMates Toolbox. See also our Third Party Software Disclaimer.