Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Report on Last Calendar Day IPSEC users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Report on Last Calendar Day IPSEC users

Not applicable

Hello

I am new to the Palo Alto firewall and community.  I really enjoy working with the PA-500's that I have.  What I am trying to figure out though, is how, if even possible, I could create a report showing the previous day's IPSEC users.  I am hoping that possibly someone who is more experienced will have some idea of how I could accomplish this.

Thank you in advance!

1 accepted solution

Accepted Solutions

L5 Sessionator

shannonturner

In Monitor > Logs > Traffic you can give the timeframe as previous day using filter ( receive_time leq '2015/01/09 23:59:59' ) and ( receive_time geq '2015/01/09 00:00:00' ) and ( zone.src eq "GP-zone" )

Hope it helps !

View solution in original post

9 REPLIES 9

L4 Transporter

I'm sure you can get this by creating a custom report in the reporting section.  I don't have Remote Access set up in my deployment but I'll take a quick look if I can give you an example for report settings.

You may just have to poke around to see what data is available to you.  The reporting section is pretty easy to figure out if you know what you are trying to do.

L5 Sessionator

shannonturner

In Monitor > Logs > Traffic you can give the timeframe as previous day using filter ( receive_time leq '2015/01/09 23:59:59' ) and ( receive_time geq '2015/01/09 00:00:00' ) and ( zone.src eq "GP-zone" )

Hope it helps !

L1 Bithead

HI Shannonturner,

Yes it is possible . We can generate a report for this .

If you are looking for Clients who got connected through Global protect. The only thing we want is a different zone for Global Protect users. If we have that , we can go to :

Monitor  --> Manage Custom Reports-->Add

Capturegp.JPG

In query builder, just create a query by selecting source zone  equal to the actual name of the zone as shown above. You can also specify the time frame like 24 hours and we have other options too.

Once all the fields are selected just click on Run Now.

Please try this and let us know if was helpful .

L4 Transporter

Are you using HIP profiles for your GP clients?

Perhaps we could create a custom report to show you the HIP matches for the past 24 hours and group by source user.

Example:

gpreport.png

We could also look through the system logs, under Monitor, for...

(subtype eq global protect)

Combine this with filtering the description for successful logins only, and you will get...

(subtype eq globalprotect)  and ( description contains 'Login from' )

Example:

system logs gp.jpggpsystem.jpg

Also be sure to add the Source User from the Available Column to the Selected Column and move it to the top, also group the report by 'Source User' and set the filter to 500.

Feel free to play with the options to tailor the report to your needs:

Also to schedule the report make user to check the box 'Scheduled', then create a email scheduler for the report.

Cheers!

Thank you for assisting me with this.  It worked out just how I wanted.

Thank you for the response!  This was helpful.

Thank you for the reply!

Thank you for your reply!

  • 1 accepted solution
  • 4386 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!