Monitoring Global Protect


L6 Presenter

I'm currently in the process of migrating my company from AnyConnect to Global Protect on our 5220s.  I'm looking for your feedback on how you all "monitor" the VPN service?

 

When comparing the "dashboard" view of Cisco's ASDM I don't really see anything which can be loaded on the Palo "dashboard" tab.  It seems like the only real way is to look at "remote users" under your gateway config, but this doesn't really seem to provide a good "at a glance" kinda view.

 

So I'm looking to get some "this is how it worked for us" tips from the community.

 

Things I'm looking for are trends on connected users, top talkers, lists of users which might be trying to connect but are failing... et al.  (am I really going to have to try to sort through noisy system logs?  anyone have any good filters???)

 

Look forward to hearing everyone's feedback.


L7 Applicator

Nothing on the firewall GUI other than the Remote Users item you mention.

 

In CLI (and thus, using the API as well) you can grab the list:

show global-protect-gateway current-user

You can also restrict that command to a specific gateway, domain, or username.

 

System logs aren't great for what you want because you won't be able to easily tell which logs are no longer relevant. A user who logged in 5 minutes ago but logged out 3 minutes ago will still show up if you query all login events. If you query by both login and logout events, you'd have to sort those in a way that was unique to the user.

@gwesson Thanks for the reply.  Unfortunately wasn't what I was hoping to hear.

 

Hopefully others have some suggestions on what has worked for them.  I have to say though I'm really surprised that there doesn't seem to be much in the way of a view into this service.

L7 Applicator

Yes the PA is missing some functionality here...

 

It can get messy so I have been relying on Syslog for my required information.

 

with simple scripts I can do the following...

 

report on department usage, individual use, group usage etc...

failed logins per day, week, month or year.

most connections, least connections and never connected.

I can also read through our list of 1500 iPad names (TAG) and report last connection, all connections or iPads that have not connected in the last 3 months. (these are returned to the pool).

 

and hundreds of other reports including source address, allocated IP..   and reason for failed connection.

 

probably of no use to anybody but my point is that this info is not easily available from the PA and saves hours connecting to each device, (each gateway is HA pair).

 

for instant updates on gateway connections I use as per @gwesson suggestion but via API.

this only shows current connections per gateway and updates every 10 seconds but clearly identifies busy periods..

 

Laters....
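
Added example (not code from any poster in this thread): a sketch of the per-user event replay that the earlier reply says is needed so a logout cancels the matching login, extended to the syslog-style reports listed in the post above (failed logins per day, never connected, not connected in 3 months). The record layout, the event labels `login` / `logout` / `auth-fail` and the roster are assumptions made for the example; map them to whatever your gateways actually send to syslog.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (time, event, user); not real firewall output.
# The event labels are placeholders: map them to the login, logout and
# authentication-failure events your own gateways send to syslog.
SAMPLE = """\
2024-03-01T08:00:05 login alice
2024-03-01T08:02:10 auth-fail bob
2024-03-01T08:02:40 auth-fail bob
2024-03-01T08:03:00 login bob
2024-03-01T08:05:00 logout alice
2024-03-02T09:00:00 auth-fail mallory
2024-03-02T09:10:00 login carol
"""

def parse(text):
    """Return (datetime, event, user) tuples in time order, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            rows.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return sorted(rows)

def summarize(rows, roster, now, stale_after=timedelta(days=90)):
    """Replay events per user so a logout cancels the earlier login."""
    online, last_login, fails = {}, {}, Counter()
    for ts, event, user in rows:
        if event == "login":
            online[user] = ts
            last_login[user] = ts
        elif event == "logout":
            online.pop(user, None)  # a logout with no login in the window is ignored
        elif event == "auth-fail":
            fails[(ts.date().isoformat(), user)] += 1
    never = sorted(u for u in roster if u not in last_login)
    stale = sorted(u for u, ts in last_login.items() if now - ts > stale_after)
    return {"online": sorted(online), "fails": dict(fails), "never": never, "stale": stale}
```

Failed attempts from names that are not on the roster (here the constructed user `mallory`) still appear in the `fails` counts, which is the view to check for repeated failures against unknown or mistyped accounts.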

 

 

 

 

 

@Brandon_Wertz,

Personally I just created a script that pulls the gateway statistics and utilizes the <CurrentUsers> value to keep track of how many users are connected to each gateway at any one time; and then have a weekly graph built out that can use the stored values to graph the average users per hour/day and such.  

I also collect the Previous-User information on the gateways to indicate where each user logged in from (more important on the BYOD gateway) and how long the user was actually connected, along with the reason the session was disconnected. This is kept mainly for logging reasons so that we can provide them if a manager ever requests them for some reason, or if we need to see what the user logged in from. 

So far it seems that custom reports are going to be the way to go.

 

Thanks for everyone's suggestions so far!

I was looking at the custom reports and just found you can't search system logs.  Is everyone just using saved filters and searching the logs directly?

@Brandon_Wertz,

You could save the query and just do that; or you could do it with the API or something like Netmiko. 

This gets worse the more I look into this.  I can't believe there's this much effort that has to be done to monitor something which seems like it should be really easy to monitor.

@Brandon_Wertz,

Honestly short of the 4.1 updated clients that were recently pushed out with the redesigned interface it wasn't that big of an issue for us. The only people that I had using the GlobalProtect client were our IT staff members and everyone else simply used AnyConnect.

PA finally got the client right with the 4.1 update, but the reporting still leaves a lot to be desired. If you don't want to get busy with the API or scripting in some way or another, it frankly sucks. I'm hoping that PA addresses this going forward, but GP has never seemed like a priority so I'm not holding my breath. 

And there you have it...

 

I'll be talking to my SE hopefully getting some visibility on where these features are.  Enterprise class hardware, shouldn't require advanced scripting or syslog parsing to view what even basic competitor platforms can do "on box."

We use our SNMP monitoring tool to send an HTTP request to the Portal/Gateway.  If it does not get a response, we get alerted.

@jambulo,

I think this was less of a question on ensuring the Gateway is reachable, and more how one monitors the users and connection states of GP. 

Hi @BPry , may I ask how you did this? 🙂 Hope you can share your materials, documents, steps you use to build this. I am struggling with this monitoring at the moment.

I think since PAN-OS 10.0 Palo added the required visibility in the ACC tab with a specific section for Global Protect.  There are also specific "Global Protect" logs in the monitor tab.
