Correlate VPN User to IP

Not applicable

Correlate VPN User to IP

Is there currently an easy way to correlate a VPN user in traffic logs with the IP the user authenticated from?

For now I am having to view the traffic in the Traffic log, note the user, then go to the System logs and correlate the date / time of the VPN login to see the IP they authenticated from.

-Michael

L5 Sessionator

Re: Correlate VPN User to IP

If you create a zone for your VPN users, you can filter on that zone name in the traffic log to quickly view the VPN users and their source addresses.

Not applicable

Re: Correlate VPN User to IP

Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP, it shows the address the user has been assigned from the VPN Address pool (172.16.1.1/25). I am wanting to see the IP address of the machine that the user authenticated from.

In System logs with Filter set to: (eventid eq sslvpn-regist-succ)

it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.)

I am trying to correlate 75.152.213.61 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth between Traffic logs and System logs. Most of my VPN users log in from a static or near-static IP (IP changes once every 3 months). For all my efforts to educate, they are still very careless with their credentials, leaving them on Post-it notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from, it makes it easier to determine if their credentials have been compromised.

-Michael
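An added example, not part of the original posts and not vendor code: one way to do the correlation described above offline, by parsing the `sslvpn-regist-succ` message text quoted in the post and joining it to traffic records by user and time, then flagging authenticating IPs outside a per-user baseline. The timestamp prefix, the traffic record layout (which assumes the User field is populated), the baseline dictionary and all sample values are assumptions constructed for illustration.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Message text as quoted in the thread; the leading timestamp is an assumed export layout.
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"SSL VPN user login succeeded\. Login from:\s*(?P<ip>[0-9a-fA-F.:]+?),\s*"
    r"User name:\s*(?P<user>\S+?)\.?\s*$"
)
TS = "%Y-%m-%d %H:%M:%S"

def parse_logins(lines):
    """Return {user: sorted [(datetime, source_ip), ...]} from system log lines."""
    logins = {}
    for line in lines:
        m = LOGIN_RE.search(line.strip())
        if m:
            logins.setdefault(m["user"].lower(), []).append(
                (datetime.strptime(m["ts"], TS), m["ip"]))
    for events in logins.values():
        events.sort()
    return logins

def correlate(traffic, logins, known_ips):
    """Map each (ts, user, pool_ip) record to that user's latest login at or before ts (logouts are not tracked)."""
    out = []
    for ts, user, pool_ip in traffic:
        events = logins.get(user.lower(), [])
        when = datetime.strptime(ts, TS)
        i = bisect_right(events, (when, "\uffff")) - 1  # last login with time <= when
        auth_ip = events[i][1] if i >= 0 else None
        unexpected = auth_ip is not None and auth_ip not in known_ips.get(user.lower(), set())
        out.append({"time": ts, "user": user, "pool_ip": pool_ip,
                    "auth_ip": auth_ip, "unexpected": unexpected})
    return out

# Constructed sample data: timestamps are made up and 203.0.113.9 is a documentation address.
SYSTEM_LOG = [
    "2012-03-01 08:02:11 sslvpn-regist-succ SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.",
    "2012-03-01 23:47:30 sslvpn-regist-succ SSL VPN user login succeeded. Login from:203.0.113.9, User name: USER.",
]
TRAFFIC = [("2012-03-01 08:15:00", "USER", "172.16.1.1"), ("2012-03-01 23:50:12", "USER", "172.16.1.1")]
KNOWN = {"user": {"75.152.213.61"}}  # assumed per-user baseline of usual source IPs

if __name__ == "__main__":
    for row in correlate(TRAFFIC, parse_logins(SYSTEM_LOG), KNOWN):
        print(row)
```

Rows with `unexpected` set to True are the ones worth reviewing first when checking whether a user's credentials are being used from somewhere new.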

L4 Transporter

Re: Correlate VPN User to IP

Hello Michael,

I believe the command that you are looking for is found in the CLI and it is as follows:

> show ssl-vpn current-user

thanks,

Stephen

Not applicable

Re: Correlate VPN User to IP

Thanks for the tip!

> show ssl-vpn current-user


Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.

L2 Linker

Re: Correlate VPN User to IP

+1 on desire to have the VPN user logged in the User field in the Traffic log

L3 Networker

Re: Correlate VPN User to IP

Enable user identification in the zone where you have your tunnel interface (for the SSLVPN portal) and specify the IP-pool network as well. After that you should have your SSLVPN users in ACC/Log.
