07-23-2018 11:00 AM
I'm currently in the process of migrating my company from AnyConnect to Global Protect on our 5220s. I'm looking for your feedback on how you all "monitor" the VPN service?
When comparing the "dashboard" view of Cisco's ASDM I don't really see anything which can be loaded on the Palo "dashboard" tab. It seems like the only real way is to look at "remote users" under your gateway config, but this doesn't really seem to provide a good "at a glance" kinda view.
So I'm looking to get some "this is how it worked for us" tips from the community.
Things I'm looking for are trends on connected users, top talkers, lists of users which might be trying to connect but are failing... et al. (am I really going to have to try to sort through noisy system logs? anyone have any good filters???)
Look forward to hearing everyone's feedback.
07-23-2018 01:48 PM
Nothing on the firewall GUI other than the Remote Users item you mention.
In CLI (and thus, using the API as well) you can grab the list:
show global-protect-gateway current-user
You can also restrict that command to a specific gateway, domain, or username.
System logs aren't great for what you want because you won't be able to easily tell which logs are no longer relevant. A user who logged in 5 minutes ago but logged out 3 minutes ago will still show up if you query all login events. If you query by both login and logout events, you'd have to sort those in a way that was unique to the user.
07-23-2018 01:53 PM
@gwesson Thanks for the reply. Unfortunately wasn't what I was hoping to hear.
Hopefully others have some suggestions on what has worked for them. I have to say though I'm really surprised that there doesn't seem to be much in the way of a view into this service.
07-24-2018 03:41 AM
Yes the PA is missing some functionality here...
It can get messy so I have been relying on Syslog for my required information.
With simple scripts I can do the following...
report on department usage, individual use, group usage etc...
failed logins per day, week, month or year.
most connections, least connections and never connected.
I can also read through our list of 1500 iPad names (TAG) and report last connection, all connections or iPads that have not connected in the last 3 months. (these are returned to the pool).
and hundreds of other reports including source address, allocated IP.. and reason for failed connection.
Probably of no use to anybody, but my point is that this info is not easily available from the PA and saves hours connecting to each device (each gateway is an HA pair).
For instant updates on gateway connections I use @gwesson's suggestion, but via the API.
This only shows current connections per gateway and updates every 10 seconds, but clearly identifies busy periods..
Laters....
07-24-2018 06:27 AM
Personally I just created a script that pulls the gateways statistics and utilize the <CurrentUsers> value to keep track of how many users are connected to each gateway at any one time; and then have a weekly graph built out that can use the stored values to graph the average users per hour/day and such.
I also collect the Previous-User information on the gateways to indicate where each user logged in from (more important on the BYOD gateway) and how long the user was actually connected, along with the reason the session was disconnected. This is kept mainly for logging reasons so that we can provide them if a manager ever requests them for some reason, or if we need to see what the user logged in from.
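As an added illustration (not code from any poster or from Palo Alto Networks) of the two approaches above, the op command @gwesson gives pulled over the XML API per gateway and the CurrentUsers-style polling @BPry describes, plus the login/logout de-duplication @gwesson says syslog needs. The XML reply is constructed and its element names, and the XML wrapping of the CLI command, are assumptions about the real firewall output.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from urllib.parse import urlencode

# Constructed sample, NOT real firewall output: the assumed shape of the XML API
# reply to "show global-protect-gateway current-user gateway <name>", one reply
# per gateway (the command is restricted per gateway, as the thread notes).
SAMPLE = {
    "gw-east": """<response status="success"><result>
      <entry><username>alice</username><client>Mac</client>
        <virtual-ip>10.20.0.5</virtual-ip><public-ip>203.0.113.10</public-ip>
        <login-time>Jul.23 09:12:01</login-time></entry>
      <entry><username>bob</username><client>Windows</client>
        <virtual-ip>10.20.0.6</virtual-ip><public-ip>198.51.100.7</public-ip>
        <login-time>Jul.23 09:40:18</login-time></entry>
    </result></response>""",
    "gw-west": """<response status="success"><result>
      <entry><username>carol</username><client>iOS</client>
        <virtual-ip>10.30.0.9</virtual-ip><public-ip>192.0.2.44</public-ip>
        <login-time>Jul.23 08:55:03</login-time></entry>
    </result></response>""",
}

def op_cmd_url(host, api_key, gateway):
    """URL for the op command in XML element form (wrapping is an assumption)."""
    cmd = ("<show><global-protect-gateway><current-user><gateway>%s</gateway>"
           "</current-user></global-protect-gateway></show>" % gateway)
    return "https://%s/api/?%s" % (host, urlencode({"type": "op", "cmd": cmd, "key": api_key}))

def parse_current_users(xml_text):
    """One dict per connected user; raises if the API reports a failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: %s" % xml_text[:200])
    fields = ("username", "client", "virtual-ip", "public-ip", "login-time")
    return [{f: e.findtext(f, default="") for f in fields} for e in root.iter("entry")]

def snapshot(replies):
    """Users-per-gateway counts (for trending) plus the per-gateway user lists."""
    users = {gw: parse_current_users(x) for gw, x in replies.items()}
    return Counter({gw: len(u) for gw, u in users.items()}), users

def connected_from_syslog(events):
    """Reduce (timestamp, user, 'login'|'logout') events to users whose latest
    event is a login, so a stale login followed by a logout is not counted."""
    last = {}
    for _, user, kind in sorted(events):
        last[user] = kind
    return {u for u, k in last.items() if k == "login"}
```

Polling `snapshot()` on a timer and storing the counts gives the per-hour/per-day averages described above; `connected_from_syslog()` is the per-user sort the system-log approach needs.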
07-24-2018 08:41 AM
So far it seems that custom reports are going to be the way to go.
Thanks for everyone's suggestions so far!
07-25-2018 06:22 AM
I was looking at the custom reports and just found you can't search system logs. Is everyone just using saved filters and searching the logs directly?
07-25-2018 06:52 AM
You could save the query and just do that; or you could do it with the API or something like Netmiko.
07-25-2018 06:55 AM
This gets worse the more I look into this. I can't believe there's this much effort that has to be done to monitor something which seems like it should be really easy to monitor.
07-25-2018 06:15 PM
Honestly short of the 4.1 updated clients that were recently pushed out with the redesigned interface it wasn't that big of an issue for us. The only people that I had using the GlobalProtect client were our IT staff members and everyone else simply used AnyConnect.
PA finally got the client right with the 4.1 update, but the reporting still leaves a lot to be desired. If you don't want to get busy with the API or scripting in some way or another, it frankly sucks. I'm hoping that PA addresses this going forward, but GP has never seemed like a priority so I'm not holding my breath.
07-26-2018 06:34 AM
And there you have it...
I'll be talking to my SE hopefully getting some visibility on where these features are. Enterprise class hardware, shouldn't require advanced scripting or syslog parsing to view what even basic competitor platforms can do "on box."
07-27-2018 07:16 AM
We use our SNMP monitoring tool to send an HTTP request to the Portal/Gateway. If it does not get a response, we get alerted.
07-27-2018 07:17 AM
I think this was less of a question on ensuring the Gateway is reachable, and more how one monitors the users and connection states of GP.
04-18-2024 08:11 AM
Hi @BPry , may I ask how did you do this? 🙂 Hope you can share your materials, documents, steps you use to build this. I am struggling with this monitoring at the moment.
04-18-2024 10:39 AM
I think since PAN-OS 10.0 Palo added the required visibility in the ACC tab with a specific section for Global Protect. There are also specific "Global Protect" logs in the monitor tab.