Monitoring Global Protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Monitoring Global Protect

L6 Presenter

I'm currently in the process of migrating my company from AnyConnect to Global Protect on our 5220s.  I'm looking for your feedback on how you all "monitor" the VPN service?

 

When comparing the "dashboard" view of Cisco's ASDM I don't really see anything which can be loaded on the Palo "dashboard" tab.  It seems like the only real way is to look at "remote users" under your gateway config, but this doesn't really seem to provide a good "at a glance" kinda view.

 

So I'm looking to get some "this is how it worked for us" tips from the community.

 

Things I'm looking for are trends on connected users, top talkers, lists of users which might be trying to connect but are failing... et al.  (am I really going to have to try to sort through noisy system logs?  anyone have any good filters???)

 

Look forward to hearing everyone's feedback.

17 REPLIES 17

Hello @Brandon_Wertz , I mean, the script that @BPry  created as stated below. Thank you!

"Personally I just created a script that pulls the gateways statistics and utilize the <CurrentUsers> value to keep track of how many users are connected to each gateway at any one time; and then have a weekly graph built out that can use the stored values to graph the average users per hour/day and such.  

I also collect the Previous-User information on the gateways to indicate where each user logged in from (more important on the BYOD gateway) and how long the user was actually connected, along with the reason the session was disconnected. This is kept mainly for logging reasons so that we can provide them if a manager ever requests them for some reason, or if we need to see what the user logged in from"

 

Cyber Elite
Cyber Elite

@CarloSalvador,

This is the basic substance for tracking user counts. You would then utilize whatever you want to store the information for utilization in reports or graphs as you desire.

gather_gateway_count = requests.post('https://' + str(firewall) + '/api/?type=op&cmd=<show><global-protect-gateway><statistics></statistics></global-protect-gateway></show>&key=' + str(key), verify=False)
# Set firewall and key to whatever you need #

gateway_count_dict = xmltodict.parse(gather_gateway_count.content)

total_active_users = gateway_count_dict['response']['result']['TotalCurrentUsers']
# Gathers the current users across all configured gateways. You'll get each individual gateway as well via gateway_count_dict['response']['result']['Gateway'] if desired#

total_previous_users = gateway_count_dict['response']['result']['TotalPreviousUsers']
# Gathers the previus users across all configured gateway. Again you can view this for specific gateways if desired #

 

If you want to log the rest of the information that I mentioned (disconnect reason, connection duration, login source, etc.) the same basic principal applies. Keep in mind if you are able to offload the GlobalProtect logs and store them for an extended duration, or have a sufficient storage allocation on your firewall or Panorama instance, all of this information is something the firewall already natively tracks. What I've done is simply build custom reports with the information that I want to record for easy automation purposes and utilize the API to collect and then record that report information.

As an example just:

run_report = requests.post('https://' + str(firewall) + '/api?type=report&async=yes&reporttype=custom&reportname=BYOD_GP_Logout',headers=headers,verify=False)
# The report here includes what I actually want to record. So you might include just login_duration with srcuser, include public_ip, or whatever else you decide you want/need#

report_dict = xmltodict.parse(run_report.content)
job_id = report_dict['response']['result']['job']
time.sleep(60) #Allow enough time for report to run#
request_report = requests.get('https://' + str(firewall) + '/api?type=op&cmd=<show><report><id>' + str(job_id) + '</id></report></show>',headers=headers,verify=False)
report_dict = xmltodict.parse(request_report.content)
OrdDict = report_dict['response']['result']['report']['entry']
root = OrdDict
for element in root:
    recorded_session = [(element['srcuser']),(element['login_duration'])]
    src_user = recorded_session[0]
    login_duration = recorded_session[1]
    login_duration = int(login_duration)
    login_minutes = login_duration/60


This gives you an example of what/how I'm pulling information from that report. From here, what I end up doing is temporarily recording the duration in a REDIS database with the src_user being the key and the value being the login_duration. In the event the key already exists (indicating the user was previously connected) you can simply add the existing value to the current login_duration and update the key.

Once you have the desired information you simply work with it however you would want. So in the above REDIS example I'm writing that information into a SQL database for long-term retention and utilizing it in reports that get sent out. If you can get the information you want into a custom report, then you can fetch it through the API and do whatever you want with it from a reporting or retention aspect.

L1 Bithead

Hi @BPry , thank you for your response on my question. I saw another comment of you in another thread regarding Custom Reporting. I will try that one and will let you know 🙂


Thank you also for this scripts you gave! I will try to study it and understand it. 

 

  • 8191 Views
  • 17 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!