Number of people connected to global protect

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Number of people connected to global protect

L1 Bithead

Hi Guys,

 

we are doing a review of the number of people connected via global protect at certain points in time.

Is there a way to get a report of this from the logs?

 

From the reports i got i seem to be only getting when people connected in so if i pick a certain point in time it does not give an accurate number of people connected.

2 REPLIES 2

Cyber Elite
Cyber Elite

Hi @KarlHalpin ,

 

The logs include both login and logout.  So, current users can be calculated with automation on your logging server.  At the time of this discussion (2015) -> https://live.paloaltonetworks.com/t5/general-topics/globalprotect-monitoring/td-p/20435 an SNMP OID for GP current users was not available.  However, it does have a solution via API.

 

This document (2022) -> https://www.nectus5.com/how-to-monitor-number-of-palo-alto-vpn-global-protect-users/ lists an SNMP OID to retrieve connected users!  That may be the easiest solution.

 

As a reference, this doc -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clor shows how to list users via GUI, CLI, and API.  The GUI and CLI also provide a count.

 

So, it looks like the solution is to use SNMP or automation with syslog, API, GUI, or CLI.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Cyber Elite
Cyber Elite

@KarlHalpin,

I personally recommend that clients keep a script running that can record the number of active users. The basis of that is simply '

https://<firewall>/api/?type=op&cmd=<show><global-protect-gateway><statistics></statistics></global-... and you would want to parse the return to ['response']['result']['TotalCurrentUsers'] to return the value of active users. This value can then be written in any format that you want whether that be to a log file of some sort, a database, or whatever else you decide. 
 
If you're looking solely at historical logs instead of those moving forward, the logout events will give you the duration in seconds that you can use to calculate who was connected when. Obviously this method would present a large amount of overhead and review to get it broken down to a specific day or further than that, but it is certainly possible with enough time investment. 
 
Just realized how poorly that example presented.
https://<firewall>/api/?type=op&cmd=<show><global-protect-gateway><statistics></statistics></global-protect-gateway></show>&key=<key>

# Replace <firewall> with your own firewall FQDN/IP #
# Replace <key> with your API key #
  • 2449 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!