FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
iyotov
Staff
Article Id 196751

Description


This article describes how to monitor remote VPN users' working hours and get more details on VPN events.

 

Scope

 

FortiAnalyzer.

Solution


In most cases, the following parameters are sufficient for monitoring the remote users’ attendance:

 

  • Username.
  • User’s first login for the day (to know whether they started on time).
  • Total duration of the VPN connection (to make sure that the user was actually logged in for the contracted working hours).
  • Keep the report as simple as possible in order to make it easy to read and understand.
  • Skip the noise from all intermediate logins and drops, and aggregate only the important data.


Example:

These users are supposed to start work at 9 am and work 8h per day.
The chart in this example is ordered by duration but can be ordered by any of the columns, as required.

 

The easiest approach is to use one of these predefined datasets: 'vpn-Top-Dial-Up-VPN-Users-By-Duration' or 'vpn-Authenticated-Logins'.


It works universally for all Dial-Up VPN types, including SSL-VPN and IPsec dial-up.

 

  1. In the selected dataset, test if the required data is available in the database:
 

 
 
  2. Create a custom chart using the dataset 'vpn-Top-Dial-Up-VPN-Users-By-Duration' or 'vpn-Authenticated-Logins'.
    This allows you to:
  • Set the number of results to unlimited (Show Top = 0) in order to show all users.
  • Select which columns are displayed.
  • Rename the columns.
  • Specify which column to 'Order By' and in what direction.


Chart example:
Pay attention to the output format – the duration column is formatted as 'duration' to display the time in human-readable format.
Using 'default' returns values in seconds as in the dataset test.

 
 
 
The traffic-related columns are pre-selected in 'vpn-Top-Dial-Up-VPN-Users-By-Duration' and can be easily added to the chart if required.
As with duration, the traffic-related data is easier to read in 'bandwidth' format:
 

 
  3. Insert the new custom chart in a report:
 
 
 
  4. A filter can be applied to the chart when adding it to the report.
    For example, if the requirement is to display only the SSL VPN users:
 

 
  5. The best practice is to schedule the report to run after midnight, for Time Period 'Yesterday'.
 
 
 
Note 1:

By default, FortiOS generates VPN statistics every 10 minutes after the session starts, and the FortiGate does not send tunnel-stats information by default.
So if an SSL VPN session is shorter than 10 min, it is not counted, and if 'set vpn-stats-log ssl ipsec' is not configured, only tunnel-up and tunnel-down status events are sent.
If more precise measurement is necessary, the stats can be generated at shorter intervals by changing the following FortiGate CLI setting:
 
config system settings
    set vpn-stats-log ssl ipsec
    set vpn-stats-period 60
end
 
Short periods combined with a large number of users noticeably increase the log rate. If accuracy higher than 10 minutes is not really needed, leave this setting at the default 600 sec.

Note 2:

These predefined datasets contain 'where bandwidth>0'.
If no traffic was generated during the VPN session, it won't be displayed in the report.

Note 3:

If customization of the query is required, the dataset can be cloned and edited.
A new chart will be required for the customized dataset.
For more information regarding dataset customization, refer to the 'Related articles' mentioned below.
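
The aggregation this report performs (first login of the day and total connected time per user, with the 'bandwidth>0' filter from Note 2), as an added Python example that is not part of the original article and is not FortiAnalyzer's dataset SQL. The log lines are constructed, and the field names (user, action, duration, sentbyte, rcvdbyte) and the attendance() helper are assumptions made for illustration.

```python
import shlex
from collections import defaultdict
from datetime import datetime, time, timedelta

# Constructed sample events (not real logs); the key=value field names are assumed.
SAMPLE_LOGS = """\
date=2024-03-04 time=08:55:10 user="alice" action="tunnel-up" tunneltype="ssl-tunnel"
date=2024-03-04 time=12:01:40 user="alice" action="tunnel-down" tunneltype="ssl-tunnel" duration=11190 sentbyte=52000 rcvdbyte=910000
date=2024-03-04 time=12:58:02 user="alice" action="tunnel-up" tunneltype="ssl-tunnel"
date=2024-03-04 time=18:05:02 user="alice" action="tunnel-down" tunneltype="ssl-tunnel" duration=18420 sentbyte=70000 rcvdbyte=450000
date=2024-03-04 time=09:40:00 user="bob" action="tunnel-up" tunneltype="ipsec"
date=2024-03-04 time=09:45:00 user="bob" action="tunnel-down" tunneltype="ipsec" duration=300 sentbyte=0 rcvdbyte=0
date=2024-03-04 time=09:50:00 user="bob" action="tunnel-up" tunneltype="ipsec"
date=2024-03-04 time=16:50:00 user="bob" action="tunnel-down" tunneltype="ipsec" duration=25200 sentbyte=1200 rcvdbyte=88000
"""

def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))

def attendance(log_text, start=time(9, 0), contracted=timedelta(hours=8)):
    """Per user: first login of the day, total connected time, and two flags."""
    first_login = {}
    total = defaultdict(int)
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse_line(line)
        user = ev["user"]
        when = datetime.strptime(ev["date"] + " " + ev["time"], "%Y-%m-%d %H:%M:%S")
        if ev["action"] == "tunnel-up":
            # Keep only the earliest login; later reconnects are noise.
            first_login[user] = min(when, first_login.get(user, when))
        elif ev["action"] == "tunnel-down":
            # Mirror the datasets' 'where bandwidth>0': sessions without traffic are skipped.
            if int(ev.get("sentbyte", 0)) + int(ev.get("rcvdbyte", 0)) > 0:
                total[user] += int(ev["duration"])
    report = {}
    for user, login in first_login.items():
        worked = timedelta(seconds=total[user])
        report[user] = {"first_login": login.time(), "duration": worked,
                        "late": login.time() > start, "short": worked < contracted}
    return report

if __name__ == "__main__":
    for user, row in sorted(attendance(SAMPLE_LOGS).items(),
                            key=lambda kv: kv[1]["duration"], reverse=True):
        print(user, row)
```

In the sample, bob's first five-minute session carries no traffic and is dropped from the total, which is the same effect Note 2 describes for the predefined datasets.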
 

Related Articles:

Technical Tip: How to create FortiAnalyzer reports using custom SQL queries

Docs: VPN event logs