I'm currently in the process of migrating my company from AnyConnect to Global Protect on our 5220s. I'm looking for your feedback on how you all "monitor" the VPN service?
When comparing the "dashboard" view of Cisco's ASDM I don't really see anything which can be loaded on the Palo "dashboard" tab. It seems like the only real way is to look at "remote users" under your gateway config, but this doesn't really seem to provide a good "at a glance" kinda view.
So I'm looking to get some "this is how it worked for us" tips from the community.
Things I'm looking for are trends on connected users, top talkers, lists of users which might be trying to connect but are failing... et al. (am I really going to have to try to sort through noisy system logs? anyone have any good filters???)
Look forward to hearing everyone's feedback.
Solved! Go to Solution.
Nothing on the firewall GUI other than the Remote Users item you mention.
In CLI (and thus, using the API as well) you can grab the list:
show global-protect-gateway current-user
You can also restrict that command to a specific gateway, domain, or username.
System logs aren't great for what you want because you won't be able to easily tell which logs are no longer relevant. A user who logged in 5 minutes ago but logged out 3 minutes ago will still show up if you query all login events. If you query by both login and logout events, you'd have to sort those in a way that was unique to the user.
@gwesson Thanks for the reply. Unfrotunately wasn't what I was hoping to hear.
Hopefully others have some suggestions on what has worked for them. I have to say though I'm really surprised that there doesn't seem to be much in the way of a view into this service.
Yes the PA is missing some functionality here...
It can get messy so I have been relying on Syslog for my required information.
with simple scripts I can do the following...
report on department usage, individual use, group useage etc...
failed logins per day, week. month or year.
most connections, least connections and never connected.
I can also read through our list of 1500 IPad names (TAG) and report last connection, all connections or IPads that have not connected in the last 3 months. (these are returned to the pool).
and hundreds of other reports including source address, allocated IP.. and reason for failed connection.
probably of no use to anybody but my point is that this info is not easily available from the PA and saves hours connecting to each device, (each gateway is HA pair).
for instant updates on gateway connections I use as per @gwesson suggestion but via API.
this only shows current connections per gateway and updates every 10 seconds but clearly identifies busy periods..
Personally I just created a script that pulls the gateways statistics and utilize the <CurrentUsers> value to keep track of how many users are connected to each gateway at any one time; and then have a weekly graph built out that can use the stored values to graph the average users per hour/day and such.
I also collect the Previous-User information on the gateways to indicate where each user logged in from (more important on the BYOD gateway) and how long the user was actually connected, along with the reason the session was disconnected. This is kept mainly for logging reasons so that we can provide them if a manager ever requests them for some reason, or if we need to see what the user logged in from.
I was looking at the custom reports and just found you can't search system logs. Is everyone just using saved filters and searching the logs directly?
This gets worse the more I look into this. I can't believe there's this much effort that has to be done to monitor something which seems like it should be really easy to monitor.
Honestly short of the 4.1 updated clients that were recently pushed out with the redesigned interface it wasn't that big of an issue for us. The only people that I had using the GlobalProtect client were our IT staff members and everyone else simply used AnyConnect.
PA finally got the client right with the 4.1 update, but the reporting still leaves a lot to be desired. If you don't want to get busy with the API or scripting in some way or another, it frankly sucks. I'm hoping that PA addresses this going forward, but GP has never seemed like a priority so I'm not holding my breath.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!