Is there currently an easy way to Correlate a VPN user in trafic logs with the IP the user authenticated from?
For now I am having to view the traffic in the Traffic log note the user then goto the System logs and correlate the date / time of the VPN login go see the IP they authenticated from.
If you create a zone for your VPN users, you can filter on that zone name in the traffic log to quickly view the VPN users and their source addresses.
Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP it shows the address the users has been assigned from the VPN Address pool (172.16.1.1/25) I am wanting to see the IP address of the machine that the user authenticated from.
In System logs with Filter set to: (eventid eq sslvpn-regist-succ)
it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:22.214.171.124, User name: USER.)
I am trying to correlate 126.96.36.199 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth from Traffic logs and System logs. Most of my VPN users login from a static or near static IP (IP changes once ever 3 months) for all my efforts to educate they are still very careless with their credential, leaving them on postit notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from it makes it easier to determine if their credentials have been compromised.
Thanks for the tip!
> show ssl-vpn current-user
Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.
Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!