Monitoring Global Protect

L6 Presenter

Monitoring Global Protect

I'm currently in the process of migrating my company from AnyConnect to Global Protect on our 5220s.  I'm looking for your feedback on how you all "monitor" the VPN service?

 

When comparing the "dashboard" view of Cisco's ASDM I don't really see anything which can be loaded on the Palo "dashboard" tab.  It seems like the only real way is to look at "remote users" under your gateway config, but this doesn't really seem to provide a good "at a glance" kinda view.

 

So I'm looking to get some "this is how it worked for us" tips from the community.

 

Things I'm looking for are trends on connected users, top talkers, lists of users which might be trying to connect but are failing... et al.  (am I really going to have to try to sort through noisy system logs?  anyone have any good filters???)

 

Look forward to hearing everyone's feedback.

L7 Applicator

Re: Monitoring Global Protect

Nothing on the firewall GUI other than the Remote Users item you mention.

 

In CLI (and thus, using the API as well) you can grab the list:

show global-protect-gateway current-user

You can also restrict that command to a specific gateway, domain, or username.

 

System logs aren't great for what you want because you won't be able to easily tell which logs are no longer relevant. A user who logged in 5 minutes ago but logged out 3 minutes ago will still show up if you query all login events. If you query by both login and logout events, you'd have to sort those in a way that was unique to the user.
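The per-user correlation described in the post above, as an added example that is not part of the original thread: it replays login, logout and failed-authentication events in time order so that only sessions still open at a chosen moment are reported. The event labels, tuple layout and sample data are constructed, and it assumes syslog has already been parsed into these fields and that each user has at most one session (key on user plus device otherwise).

```python
from collections import Counter
from datetime import datetime

# Constructed sample events, already parsed out of syslog into
# (timestamp, event, user). The event names are hypothetical labels,
# not PAN-OS event IDs.
EVENTS = [
    ("2024-01-08T09:00:05", "login", "alice"),
    ("2024-01-08T09:01:10", "auth-fail", "bob"),
    ("2024-01-08T09:01:40", "auth-fail", "bob"),
    ("2024-01-08T09:02:00", "login", "carol"),
    ("2024-01-08T09:03:30", "logout", "alice"),
    ("2024-01-08T09:04:00", "login", "bob"),
    ("2024-01-08T09:05:00", "logout", "dave"),  # login predates the log window
    ("2024-01-08T09:06:00", "login", "alice"),
]


def summarize(events, as_of):
    """Replay events in time order and return (active sessions, failures).

    active maps user -> login time of the session still open at as_of;
    failures counts auth-fail events per user up to as_of.
    """
    cutoff = datetime.fromisoformat(as_of)
    active, failures = {}, Counter()
    parsed = sorted((datetime.fromisoformat(ts), ev, user) for ts, ev, user in events)
    for ts, ev, user in parsed:
        if ts > cutoff:
            break
        if ev == "login":
            active[user] = ts          # latest login wins (reconnects)
        elif ev == "logout":
            active.pop(user, None)     # ignore logouts with no matching login
        elif ev == "auth-fail":
            failures[user] += 1
    return active, failures


if __name__ == "__main__":
    active, failures = summarize(EVENTS, "2024-01-08T09:05:30")
    print("connected:", sorted(active))
    print("failed logins:", dict(failures))
```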

L6 Presenter

Re: Monitoring Global Protect

@gwesson Thanks for the reply.  Unfortunately wasn't what I was hoping to hear.

 

Hopefully others have some suggestions on what has worked for them.  I have to say though I'm really surprised that there doesn't seem to be much in the way of a view into this service.

L6 Presenter

Re: Monitoring Global Protect

Yes the PA is missing some functionality here...

 

It can get messy so I have been relying on Syslog for my required information.

 

with simple scripts I can do the following...

 

report on department usage, individual use, group usage etc...

failed logins per day, week, month or year.

most connections, least connections and never connected.

I can also read through our list of 1500 IPad names (TAG) and report last connection, all connections or IPads that have not connected in the last 3 months. (these are returned to the pool).

 

and hundreds of other reports including source address, allocated IP..   and reason for failed connection.

 

probably of no use to anybody but my point is that this info is not easily available from the PA and saves hours connecting to each device, (each gateway is HA pair).

 

for instant updates on gateway connections I use as per @gwesson's suggestion but via API.

this only shows current connections per gateway and updates every 10 seconds but clearly identifies busy periods..

 

Laters....

L7 Applicator

Re: Monitoring Global Protect

@Brandon_Wertz,

Personally I just created a script that pulls the gateway statistics and utilizes the <CurrentUsers> value to keep track of how many users are connected to each gateway at any one time; and then have a weekly graph built out that can use the stored values to graph the average users per hour/day and such.

I also collect the Previous-User information on the gateways to indicate where each user logged in from (more important on the BYOD gateway) and how long the user was actually connected, along with the reason the session was disconnected. This is kept mainly for logging reasons so that we can provide them if a manager ever requests them for some reason, or if we need to see what the user logged in from. 
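A sketch of the polling approach described in the post above, added here as an example and not the poster's own script: it reads the <CurrentUsers> value per gateway from stored poll responses and reduces them to an hourly average and peak. Only <CurrentUsers> comes from the thread; the surrounding XML element names, the gateway names and the sample responses are constructed assumptions, and fetching the responses from the firewall is left out.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime


def make_body(*gateways):
    """Build a constructed response body; element names are assumptions."""
    rows = "".join(
        f"<Gateway><name>{n}</name><CurrentUsers>{c}</CurrentUsers></Gateway>"
        for n, c in gateways)
    return f'<response status="success"><result>{rows}</result></response>'


# Constructed poll results: (poll time, XML body as stored by the poller).
POLLS = [
    ("2024-01-08T09:00:00", make_body(("gw-corp", 40), ("gw-byod", 5))),
    ("2024-01-08T09:30:00", make_body(("gw-corp", 60), ("gw-byod", 7))),
    ("2024-01-08T10:00:00", make_body(("gw-corp", 90), ("gw-byod", 3))),
    ("2024-01-08T10:30:00", '<response status="error"><msg>busy</msg></response>'),
]


def current_users(xml_text):
    """Return {gateway: CurrentUsers}, or {} for a failed or invalid response."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return {}
    if root.get("status") != "success":
        return {}
    out = {}
    for gw in root.iter("Gateway"):
        name, count = gw.findtext("name"), gw.findtext("CurrentUsers")
        if name and count and count.strip().isdigit():
            out[name] = int(count)
    return out


def hourly_stats(polls):
    """Bucket samples per gateway and hour; return {(gw, hour): (avg, peak)}."""
    buckets = defaultdict(list)
    for ts, body in polls:
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%d %H:00")
        # A failed poll contributes no sample instead of a misleading zero.
        for gw, count in current_users(body).items():
            buckets[(gw, hour)].append(count)
    return {k: (sum(v) / len(v), max(v)) for k, v in buckets.items()}
```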

L6 Presenter

Re: Monitoring Global Protect

So far it seems that custom reports are going to be the way to go.

 

Thanks for everyone's suggestions so far!

L6 Presenter

Re: Monitoring Global Protect

I was looking at the custom reports and just found you can't search system logs.  Is everyone just using saved filters and searching the logs directly?

L7 Applicator

Re: Monitoring Global Protect

@Brandon_Wertz,

You could save the query and just do that; or you could do it with the API or something like Netmiko. 

L6 Presenter

Re: Monitoring Global Protect

This gets worse the more I look into this.  I can't believe there's this much effort that has to be done to monitor something which seems like it should be really easy to monitor.

L7 Applicator

Re: Monitoring Global Protect

@Brandon_Wertz,

Honestly short of the 4.1 updated clients that were recently pushed out with the redesigned interface it wasn't that big of an issue for us. The only people that I had using the GlobalProtect client were our IT staff members and everyone else simply used AnyConnect.

PA finally got the client right with the 4.1 update, but the reporting still leaves a lot to be desired. If you don't want to get busy with the API or scripting in some way or another, it frankly sucks. I'm hoping that PA addresses this going forward, but GP has never seemed like a priority so I'm not holding my breath. 
