Thanks for the tip! > show ssl-vpn current-user Does exactly what I am looking for, for currently logged in users. I am also very interested in getting that same view from the logs. It would allow me to audit VPN access very quickly.
Maybe I have something configured wrong. While that does produce an easy filter to see VPN users and their IP, it shows the address the user has been assigned from the VPN address pool (172.16.1.1/25). I am wanting to see the IP address of the machine that the user authenticated from. In System logs with Filter set to: (eventid eq sslvpn-regist-succ) it shows the IP address the user authenticated from: (SSL VPN user login succeeded. Login from:75.152.213.61, User name: USER.) I am trying to correlate 75.152.213.61 to 172.16.1.1 to USER in the traffic logs for a given date / time without having to jump back and forth from Traffic logs and System logs. Most of my VPN users log in from a static or near-static IP (IP changes once every 3 months). For all my efforts to educate, they are still very careless with their credentials, leaving them on Post-it notes and the like for anyone to see. If I can easily correlate USER to the IP they authenticate from, it makes it easier to determine if their credentials have been compromised. -Michael
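Added example, not part of the original post and not Palo Alto Networks code: one way to do the correlation described above offline, joining exported System log login messages to Traffic log rows and flagging logins from an address outside a per-user baseline. The row layouts, timestamps, baseline dictionary and function names are assumptions made for illustration; only the login message text, the addresses 75.152.213.61 and 172.16.1.1 and the "local:" user prefix come from the posts on this page.

```python
import re
from bisect import bisect_right
from datetime import datetime

# Message text for eventid sslvpn-regist-succ, as quoted in the post.
LOGIN_RE = re.compile(
    r"SSL VPN user login succeeded\. Login from:\s*(?P<ip>[\d.]+), "
    r"User name:\s*(?P<user>.+?)\.?$")

def norm(user):
    # Assumption: traffic logs may prefix the name ("local:mauger").
    return user.split(":")[-1].strip().lower()

def build_logins(system_rows):
    """Map user -> time-sorted list of (login_time, source_ip)."""
    logins = {}
    for ts, msg in system_rows:
        m = LOGIN_RE.search(msg.strip())
        if m:
            logins.setdefault(norm(m["user"]), []).append(
                (datetime.fromisoformat(ts), m["ip"]))
    return {user: sorted(events) for user, events in logins.items()}

def auth_ip(logins, user, when):
    """Source IP of the user's latest login at or before `when`, else None."""
    events = logins.get(norm(user), [])
    i = bisect_right(events, (when, "\uffff"))
    return events[i - 1][1] if i else None

def correlate(system_rows, traffic_rows, baseline):
    """Annotate traffic rows with the login IP; flag IPs outside the baseline."""
    logins = build_logins(system_rows)
    out = []
    for ts, user, src, dst in traffic_rows:
        ip = auth_ip(logins, user, datetime.fromisoformat(ts))
        known = baseline.get(norm(user), set())
        out.append({"time": ts, "user": norm(user), "pool_ip": src, "dst": dst,
                    "auth_ip": ip, "unusual": ip is not None and ip not in known})
    return out

# Constructed sample data (not real logs); 203.0.113.9 is a documentation address.
SYSTEM = [
    ("2011-03-01T08:00:05", "SSL VPN user login succeeded. Login from:75.152.213.61, User name: mauger."),
    ("2011-03-02T23:14:40", "SSL VPN user login succeeded. Login from:203.0.113.9, User name: mauger."),
]
TRAFFIC = [
    ("2011-03-01T08:02:11", "local:mauger", "172.16.1.1", "192.168.1.60"),
    ("2011-03-02T23:20:00", "local:mauger", "172.16.1.1", "192.168.1.60"),
]
BASELINE = {"mauger": {"75.152.213.61"}}
```

Calling correlate(SYSTEM, TRAFFIC, BASELINE) returns one record per traffic row carrying both the pool address and the address the session authenticated from; a row with no earlier login for that user gets auth_ip None rather than a guess.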
Is there currently an easy way to correlate a VPN user in traffic logs with the IP the user authenticated from? For now I am having to view the traffic in the Traffic log, note the user, then go to the System logs and correlate the date / time of the VPN login to see the IP they authenticated from. -Michael
Changed from 172.16.1.0/24 to 172.16.1.0/25. Solved all my problems. Thank you! Might consider modifying "How to Set Up and Configure SSL-VPN" doc @ https://live.paloaltonetworks.com/docs/DOC-1157
Kelly,

Thanks for the quick reply.

Tunnel interface is in Zone: trust

To access VPN I have it configured to be a loopback interface of our untrust interface. I did this because our mail server is currently mapped to HTTPS on .122. Untrust interface is .122, loopback interface for VPN is .124, both in Untrust zone.

I set up a rule:
From: ANY To: ANY Source: VPN IP (172.16.1.0/24) From User: VPN Users

Connect to VPN and then ping yahoo.com. Look at Traffic logs and see:
From: trust To: untrust Source 172.16.1.1 Destination: 209.191.93.53 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/1

Ping one of the DNS servers I have configured in the SSL-VPN and look at Traffic logs, I see:
From: trust To: trust Source 172.16.1.1 Destination: 192.168.1.60 User local:mauger Action: allow Rule: VPN Ingress I/F: tunnel Egress I/F eth 1/2

Ping any server that is on the internal network that isn't a configured DNS server in the SSL-VPN and the requests time out. I look at the traffic logs and see no traffic.

I set the VPN rule to Deny all traffic to Trust and I can no longer talk to the two DNS servers. I check traffic logs and I can see it deny all traffic to the two DNS servers. Traffic to any other server on the internal network still doesn't show up in the logs.

Not sure what I need to do.

-Michael