Created on
04-29-2020
03:03 AM
Edited on
07-02-2024
06:35 AM
By
Jean-Philippe_P
Description
This article describes how to monitor the remote VPN users’ working hours and have more details on VPN event.
Scope
FortiAnalyzer.
Solution
In most cases, the following parameters are sufficient for monitoring the remote users’ attendance:
- Username.
- User’s first login for the day (to know whether they started on time).
- Total duration of the VPN connection (to make sure that the user was actually logged in for the contracted working hours).
- Keep the report as simple as possible in order to make it easy to read and understand.
- Skip the noise from all intermediate logins and drops, and aggregate only the important data .
Example:
These users are supposed to work from 9 am and make 8h per day.
The chart in this example is ordered by duration but can be ordered by any of the columns, as required.

The easiest approach is to use one of these predefined datasets: 'vpn-Top-Dial-Up-VPN-Users-By-Duration' or 'vpn-Authenticated-Logins'.
It works universally for all Dial-Up VPN types, including SSL-VPN and IPsec dial-up.
- In the selected dataset, test if the required data is available in the database:

- Create custom chart, using the dataset 'vpn-Top-Dial-Up-VPN-Users-By-Duration' or 'vpn-Authenticated-Logins'.
This allows to:
- Set the number of results to unlimited (Show Top = 0) in order to show all users.
- Select which columns to be displayed.
- Rename the columns.
- Specify which column to 'Order By' and in what direction.
Chart example:
Pay attention to the output format – the duration column is formatted as 'duration' to display the time in human-readable format.
Using 'default' returns values in seconds as in the dataset test.

Same like duration, the traffic-related data is easier to read in 'bandwidth' format:

- Insert the new custom chart in a report:

- The filter can be applied to the chart when adding it in the report.
For example, if the requirement is to display only the SSL VPN users:

- The best practice is to schedule the report to run after midnight, for Time Period 'Yesterday'.

By default, FortiOS generates VPN statistics every 10 minutes after the session starts and the FortiGate does not, by default, send tunnel-stats information.
set vpn-stats-log ssl ipsec
set vpn-stats-period 60
end
Note 2:
These predefined datasets contain 'where bandwidth>0'.
If no traffic was generated during the VPN session, it won't be displayed in the report.
Note 3:
If customization of the query is required, the dataset can be cloned and edited.
Related Articles:
Technical Tip: How to create FortiAnalyzer reports using custom SQL queries