- Products
- Learn
- Local User Groups
- Partners
- More
Check Point Jump-Start Online Training
Now Available on CheckMates for Beginners!
Welcome to Maestro Masters!
Talk to Masters, Engage with Masters, Be a Maestro Master!
ZTNA Buyer’s Guide
Zero Trust essentials for your most valuable assets
The SMB Cyber Master
Boost your knowledge on Quantum Spark SMB gateways!
Check Point's Cyber Park is Now Open
Let the Games Begin!
As YOU DESERVE THE BEST SECURITY
Upgrade to our latest GA Jumbo
CheckFlix!
All Videos In One Space
COVID-19 💊 We take care of your Remote Access VPN needs!
👩💻 Reviewed by RnD.
👍 Available as SmartConsole Extension.
One-liner (Bash) to show a summary about the remote access statistics of a VPN gateway.
Run in SmartConsole as one-time script or from your scripts repository or directly on your Gateway in expert mode:
echo; if [[ `if [[ $(cat /etc/cp-release) == *"Embed"* ]]; then grep 1 /opt/fw1/conf/active_blades.txt | tr '[:upper:]' '[:lower:]'; else enabled_blades 2>/dev/null; fi` != *'vpn'* ]]; then echo ' Not a VPN gateway!'; else echo ' REMOTE ACCESS VPN STATS - Current'; printf '%.s-' {1..70}; echo; function f { if [[ "$TERM" == "xterm" ]]; then fw tab -t $1 -s | tail -n1 | awk '{print "\033[0;32m"$4"\033[0m (Peak: "$5")"}'; else fw tab -t $1 -s | tail -n1 | awk '{print $4" (Peak: "$5")"}'; fi; }; function t { [ "$TERM" == "xterm" ] && tput bold; }; t; echo -n " Assigned OfficeMode IPs : "; f "om_assigned_ips"; t; echo -n " Capsule/Endpoint VPN Users : "; echo `f "userc_users"` using Visitor Mode: `vpn show_tcpt 2>/dev/null | grep 'Visitor' | tail -n1 | awk '{print $NF}' | sed 's/Mode:/0/'`; t; echo -n " Capsule Workspace Users : "; f "mob_mail_session"; if [[ `cat /etc/cp-release` != *"Embed"* ]]; then t; echo -n " MAB Portal Users : "; f "cvpn_session"; fi; t; echo -n " L2TP Users : "; f "L2TP_tunnels"; t; echo -n " SNX Users : "; f "sslt_om_ip_params"; echo; echo ' LICENSES'; printf '%.s-' {1..70}; t; echo; function s { awk '{ sum += $1 } END { print sum }'; }; function u { echo Unlimited; }; l=`cplic print -p 2>/dev/null | awk --re-interval 'BEGIN{today="date +%s"; today | getline today; } $1 ~ /([1-9][0-9]*\.?){4}/ {if ($2 != "never") {expdate=$2; cmd="date -d " expdate " +%s"; cmd | getline expdate; if (expdate>today) {print} } else {print}}' | tr ' ' '\n'`; echo -n ' SecuRemote Users : '; if [[ "$l" == *'srunlimited'* ]]; then u; else echo "$l" | grep fw1:6.0:sr | cut -c 11- | s; fi; echo -n ' Endpoint Connect Users : '; grep -a sc_users $FWDIR/database/fwauth.NDB | tr -dc '[:digit:]\n' | awk '{print $1/5}' | echo $(cat); echo -n ' Mobile Access Users : '; if [[ "$l" == *'cvpnunlimited'* ]]; then u; else echo "$l" | grep cvpn:6.0:cvpn | cut -c 14- | tr -d 'user' | s; fi; echo -n ' SNX Users : '; if [[ "$l" == *'nxunlimit'* ]]; then u; else echo "$l" | grep fw1:6.0:nx | cut -c 11- | s; fi; [ "$TERM" == "xterm" ] && tput sgr0; unset l; fi; echo
This One-liner is also integrated with our ccc script.
Thanks to @PhoneBoy for license macro information in this thread. [ VPN License Guide ]
Thanks to @HristoGrigorov for SMB support and testing.
Thanks to CheckMates for these Remote Access SmartEvent Reports: Basic, Enhanced, Application Monitoring, Custom User Stats
COVID-19
💊 We take care of your Remote Access VPN needs!
👩💻 Reviewed by RnD.
👍 Available as SmartConsole Extension.
One-liner (Bash) to show a summary about the remote access statistics of a VPN gateway.
Run in SmartConsole as one-time script or from your scripts repository or directly on your Gateway in expert mode:
echo; if [[ `if [[ $(cat /etc/cp-release) == *"Embed"* ]]; then grep 1 /opt/fw1/conf/active_blades.txt | tr '[:upper:]' '[:lower:]'; else e
This one-liner won't work on SMB appliances out of the box mainly because enabled_blades and rev commands are missing. To overcome this problem you need to run following two commands in expert mode:
echo "grep 1 /opt/fw1/conf/active_blades.txt | awk '{printf \"%s \", tolower(\$1)} END {print \"\"}'" > /usr/bin/enabled_blades && chmod 755 /usr/bin/enabled_blades
echo "echo \$1 | awk '{ for(i=length;i!=0;i--)x=x substr(\$0,i,1);}END{print x}'" > /usr/bin/rev && chmod 755 /usr/bin/rev
Btw, mobile blade is not supported on SMB.
This one-liner won't work on SMB appliances out of the box mainly because enabled_blades and rev commands are missing. To overcome this problem you need to run following two commands in expert mode:
echo "grep 1 /opt/fw1/conf/active_blades.txt | awk '{printf \"%s \", tolower(\$1)} END {print \"\"}'" > /usr/bin/enabled_blades && chmod 755 /usr/bin/enabled_blades
echo "echo \$1 | awk '{ for(i=length;i!=0;i--)x=x substr(\$0,i,1);}END{print x}'" > /usr/bin/rev && chmod 755 /us
...;
Awesome work as usual Danny. 😉
On SMB you have two kind of VPN blades - VPN-RA and VPN-S2S. One-liner will match even if only S2S is enabled but I guess most of them usually have both blades enabled anyway... Yet if you want to be precise you should probably account for that 🤔
Awesome work as usual Danny. 😉
On SMB you have two kind of VPN blades - VPN-RA and VPN-S2S. One-liner will match even if only S2S is enabled but I guess most of them usually have both blades enabled anyway... Yet if you want to be precise you should probably account for that 🤔
;The one-liner checks for the VPN blade to make sure it's getting executed on the right type of gateway. Correct configuration of the VPN blade is up to the firewall admin. In case the admin doesn't get that right, the RAS-VPN user count will just show 0 as no RAS-VPN user will be able to connect.
The one-liner checks for the VPN blade to make sure it's getting executed on the right type of gateway. Correct configuration of the VPN blade is up to the firewall admin. In case the admin doesn't get that right, the RAS-VPN user count will just show 0 as no RAS-VPN user will be able to connect.
;Thanks for a really great script!!
One thing that I noticed though is that it doesn't seem to handle CPVP-VSC licenses.
I have multiple customers using these types of licenses that doesn't show up in the list.
There's sk98121 that describes how to check the current no. of seats that you have.
As far as I've been able to figure out the value for sc_users seems to be the amount of seats * 5, ie.
100 license = 500
400 license = 2000
5000 lic = 25000
Example:
[Expert@VS:3]# grep --binary-files=text sc_users fwauth.NDB
:sc_users (2000)
[Expert@VS:3]#
REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 6 (Peak: 6)
Capsule/Endpoint VPN Users : 6 (Peak: 6) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 0 (Peak: 0)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users :
Mobile Access Users : 5
SNX Users :
If you have the time to add the logic for those licenses as well that'd be great!
Thanks again!!
Thanks for a really great script!!
One thing that I noticed though is that it doesn't seem to handle CPVP-VSC licenses.
I have multiple customers using these types of licenses that doesn't show up in the list.
There's sk98121 that describes how to check the current no. of seats that you have.
As far as I've been able to figure out the value for sc_users seems to be the amount of seats * 5, ie.
100 license = 500
400 license = 2000
5000 lic = 25000
Example:
[Expert@VS:3]# grep --binary-files=t
Thanks @MikaelJohnsson, I improved the code.
Hi Danny!
Like everybody else, I agree that it is a fantastic job you have done with this One-Liner tool!
But have you reviewed @MikaelJohnsson above, and his concerns about the counter of licenses vs the amount that is supposedly installed?
I have tested on my environment, to install 3 x 100 SandBlast Agent (SecureClient/Endpoint Connect or whatever we want to call them) licenses, and when I run the command I get an output of 1500 licenses installed:
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users : 1500
Mobile Access Users : Unlimited
SNX Users :
So, that beg to consider Mikaels "multiplicator" suggestion, but from my point of view the result should really be 300, as this is the amount of licenses I installed.
I assume that if I were to add another 100-license, the output would increase to 2000, which isn't correct.
Keep up the great work!
Cheers mate!
/Jonas
Hi Danny!
Like everybody else, I agree that it is a fantastic job you have done with this One-Liner tool!
But have you reviewed @MikaelJohnsson above, and his concerns about the counter of licenses vs the amount that is supposedly installed?
I have tested on my environment, to install 3 x 100 SandBlast Agent (SecureClient/Endpoint Connect or whatever we want to call them) licenses, and when I run the command I get an output of 1500 licenses installed:
LICENSES
-------------
Nice, works fine now 😀
REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 0 (Peak: 0)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 3 (Peak: 5)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users : 300
Mobile Access Users : Unlimited
SNX Users :
Nice, works fine now 😀
REMOTE ACCESS VPN STATS - Current
----------------------------------------------------------------------
Assigned OfficeMode IPs : 0 (Peak: 0)
Capsule/Endpoint VPN Users : 0 (Peak: 0) using Visitor Mode: 0
Capsule Workspace Users : 0 (Peak: 0)
MAB Portal Users : 3 (Peak: 5)
L2TP Users : 0 (Peak: 0)
SNX Users : 0 (Peak: 0)
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 5000
Endpoint Connect Users : 300
Mobile A
Not good Danny, you broke SMB compatibility 😉
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : grep: unrecognized option '--binary-files=text'
BusyBox v1.28.3 (2019-05-23 14:00:45 IDT) multi-call binary.
Usage: grep [-HhnlLoqvsriwFE] [-m N] [-A/B/C N] PATTERN/-e PATTERN.../-f FILE [FILE]...
Not good Danny, you broke SMB compatibility 😉
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : grep: unrecognized option '--binary-files=text'
BusyBox v1.28.3 (2019-05-23 14:00:45 IDT) multi-call binary.
Usage: grep [-HhnlLoqvsriwFE] [-m N] [-A/B/C N] PATTERN/-e PATTERN.../-f FILE [FILE]...
;
Yeah, well... it works on SMB but...
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : Mobile Access Users : 200 <== this line causes pain in my eyes 😁
SNX Users :
Need to inject new line before ' Mobile ... '
Yeah, well... it works on SMB but...
LICENSES
----------------------------------------------------------------------
SecuRemote Users : 0
Endpoint Connect Users : Mobile Access Users : 200 <== this line causes pain in my eyes
😁
SNX Users :
Need to inject new line before ' Mobile ... '
;Perfect, beautiful, awesome! 😀
I took some execution time measurements on my 1470 toy:
real 0m0.654s
user 0m0.370s
sys 0m0.140s
Great tool. Works fine even on VSX gateways. But only if I first change the context (using vsenv). Unfortunatelly I cannot add this vsenv to the script so that it could run from the repository. This command cannot be used in scripts?
Any ideas how to use it on a VSX gw?
Great tool. Works fine even on VSX gateways. But only if I first change the context (using vsenv). Unfortunatelly I cannot add this vsenv to the script so that it could run from the repository. This command cannot be used in scripts?
Any ideas how to use it on a VSX gw?
;As Check Point doesn't support (yet) to run scripts on virtual systems (VS) within SmartConsole you are looking for a way to circumvent this limitation by running the one-oneliner directly on the VSX object in SmartConsole. As far as I know this won't work.
However, I'm working on a SmartConsole Extension that will easily show all Remote Access VPN Statistics with a single click on any gateway, even VS. It's just a matter of time and support.
As Check Point doesn't support (yet) to run scripts on virtual systems (VS) within SmartConsole you are looking for a way to circumvent this limitation by running the one-oneliner directly on the VSX object in SmartConsole. As far as I know this won't work.
However, I'm working on a SmartConsole Extension that will easily show all Remote Access VPN Statistics with a single click on any gateway, even VS. It's just a matter of time and support.
;We have two clustered gateways with CPSB-MOB-200 and CPSB-MOB-200-HA license.
In our case One-liner shows total 410 Mobile Access Users licenses.
I doubt wheter this is correct behaviour. Does this mean it's possible to have up to 410 simultaneous Mobile Access connections?
We have two clustered gateways with CPSB-MOB-200 and CPSB-MOB-200-HA license.
In our case One-liner shows total 410 Mobile Access Users licenses.
I doubt wheter this is correct behaviour. Does this mean it's possible to have up to 410 simultaneous Mobile Access connections?
;As per your description you have 205 MOB licenses for Mobile Access -> the bundled CPSB-MOB-5 + your purchased CPSB-MOB-200.
In your case the one-liner shows 410 instead of 205 MOB licences. That's twice the number you expect it to show. I just checked on my side and don't see this behaviour. Could you show us what cplic print -x and cplic print -p shows on your gateway?
As per your description you have 205 MOB licenses for Mobile Access -> the bundled CPSB-MOB-5 + your purchased CPSB-MOB-200.
In your case the one-liner shows 410 instead of 205 MOB licences. That's twice the number you expect it to show. I just checked on my side and don't see this behaviour. Could you show us what cplic print -x and cplic print -p shows on your gateway?
;Danny,
cplic print -x shows:
never CPAP-SG460X-H A CPSB-FW-HA CPSM-C-2 CPSB-VPN-HA CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200-HA CPSB-IA- HA CPSB-SSLVPN-5-HA CPSB-ADNC-HA CPSB-IPS-S1-HA CPSB-URLF-HA CPSB-APCL-HA CPSB-A V-HA CPSB-ABOT-S-HA CPSB-ASPM-HA CPSB-CTNT
never CPAP-SG460X-H A CPSB-FW-HA CPSM-C-2 CPSB-VPN-HA CPSB-NPM CPSB-LOGS CPSB-SSLVPN-200-HA CPSB-IA- HA CPSB-SSLVPN-5-HA CPSB-ADNC-HA CPSB-IPS-S1-HA CPSB-URLF-HA CPSB-APCL-HA CPSB-A V-HA CPSB-ABOT-S-HA CPSB-ASPM-HA CPSB-CTNT
cplic print -p shows:
never fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:hfm fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:swb fw1:6.0:abot fw1:6.0:hfm fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:appi fw1:6.0:hfm fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:ipss1 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:hfm fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:hfm fw1:6.0:swb fw1:6.0:identity fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv100 cvpn:6.0:ccv100 cvpn:6.0:cvpn100users cvpn:6.0:cvpn100users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd fw1:6.0:swb fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:ca fw1:6.0:cluster-u fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:ui fw1:6.0:filter fw1:6.0:fwc fw1:6.0:cmd fw1:6.0:hfm fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote2 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:hfm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr500 fw1:6.0:hosts500 fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_2 fw1:6.0:multicore
never fw1:6.0:swb fw1:6.0:ctnt fw1:6.0:hfm fw1:6.0:swb fw1:6.0:aspm fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:swb fw1:6.0:abot fw1:6.0:hfm fw1:6.0:swb fw1:6.0:av fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:appi fw1:6.0:hfm fw1:6.0:swb fw1:6.0:urlf fw1:6.0:av1000 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:ipss1 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:cluster-1 fw1:6.0:cpls fw1:6.0:cluster-u fw1:6.0:mpu fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sxl_ppk fw1:6.0:hfm fw1:6.0:swb fw1:6.0:connect fw1:6.0:pam etm:6.0:fgcountunl etm:6.0:fg etm:6.0:tclog etm:6.0:fgvpn fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:ccv1 cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users cvpn:6.0:cvpn1users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:hfm fw1:6.0:swb fw1:6.0:identity fw1:6.0:hfm fw1:6.0:swb cvpn:6.0:ccv100 cvpn:6.0:ccv100 cvpn:6.0:cvpn100users cvpn:6.0:cvpn100users fw1:6.0:des fw1:6.0:strong fw1:6.0:encryption cvpn:6.0:cvpn fw1:6.0:swb fw1:6.0:fwc fw1:6.0:ca fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:cmd fw1:6.0:swb fw1:6.0:vpe_unlimit fw1:6.0:cluster-u fw1:6.0:remote1 fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:ca fw1:6.0:cluster-u fw1:6.0:dbvr_unlimit fw1:6.0:cmpmgmt fw1:6.0:rtmmgmt fw1:6.0:fgmgmt fw1:6.0:rtmui fw1:6.0:sstui fw1:6.0:fwlv fw1:6.0:ui fw1:6.0:filter fw1:6.0:fwc fw1:6.0:cmd fw1:6.0:hfm fw1:6.0:swb fw1:6.0:spcps fw1:6.0:pam fw1:6.0:enchostsunlimit fw1:6.0:encryption fw1:6.0:aes fw1:6.0:strong fw1:6.0:rdp fw1:6.0:des fw1:6.0:isakmp fw1:6.0:blades fw1:6.0:cpipv6 fw1:6.0:mgmtha fw1:6.0:remote2 fw1:6.0:hfm fw1:6.0:swb fw1:6.0:xlate fw1:6.0:auth fw1:6.0:content fw1:6.0:sync fw1:6.0:fm fw1:6.0:hostsunlimit fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:hfm fw1:6.0:blades fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sr500 fw1:6.0:hosts500 fw1:6.0:sxl_vpn fw1:6.0:sxl_fw fw1:6.0:sync fw1:6.0:fm fw1:6.0:mc_all_2 fw1:6.0:multicore
Looks like everything is attached twice on your gateway.
PS: We have a spoiler function on this forum so you can hide such long output behind a button.
Hello,
I have a question, In this moment I have a demo licence
Assigned Office Mode: 266
Capsule/Endpoint Users: 309
The client paid for 200 MOB-HA as say the guy, I could connect 410 users for MOB? 205 for gateway?
And What the difference in asigned office mode address and capsule/endpoint VPN Users? This values dont should be the same?
Hello,
I have a question, In this moment I have a demo licence
Assigned Office Mode: 266
Capsule/Endpoint Users: 309
The client paid for 200 MOB-HA as say the guy, I could connect 410 users for MOB? 205 for gateway?
And What the difference in asigned office mode address and capsule/endpoint VPN Users? This values dont should be the same?
;
Hello,
What is the difference between Office Mode IP assigned and Capsule/Endpoint VPN Users?
I have now 37 Assigned OPffceMode IPs and 205 Endpoint vPN Users, the values dont should be the same?
About CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY