FortiAnalyzer
FortiAnalyzer can receive logs and Windows host events directly from endpoints connected to EMS, and you can use FortiAnalyzer to analyze the logs and run reports.
iyotov
Staff
Article Id 196751
Description
This article describes how to monitor remote VPN users' working hours.

Solution
In most cases, the following parameters are sufficient for monitoring the remote users’ attendance:

- Username.
- User’s first login for the day (to know whether they started on time).
- Total duration of the VPN connection (to make sure that the user was actually logged in for the contracted working hours).

Keep the report as simple as possible so that it is easy to read and understand: skip the noise from all intermediate logins and drops, and aggregate only the important data.

Example:

These users are expected to start work at 9 am and work 8 hours per day.
The chart in this example is ordered by duration, but can be ordered by any of the columns, as required.





The easiest approach is to use one of these predefined datasets:
'vpn-Top-Dial-Up-VPN-Users-By-Duration'
Or
'vpn-Authenticated-Logins'
This approach works for all dial-up VPN types, including SSL-VPN and IPsec dial-up.

1) In the selected dataset, test if the required data is available in the database:





2) Create a custom chart, using the dataset 'vpn-Top-Dial-Up-VPN-Users-By-Duration' or 'vpn-Authenticated-Logins'.
This allows you to:
- Set the number of results to unlimited (Show Top = 0) in order to show all users.
- Select which columns are displayed.
- Rename the columns.
- Specify which column to 'Order By' and in what direction.

Chart example:
Pay attention to the output format: the duration column is formatted as 'duration' in order to display the time in human-readable format.
Using 'default' returns values in seconds, as in the dataset test.




The traffic-related columns are pre-selected in 'vpn-Top-Dial-Up-VPN-Users-By-Duration' and can easily be added to the chart if required.
As with duration, the traffic-related data is easier to read in 'bandwidth' format:





3) Insert the new custom chart in a report:







4) A filter can be applied to the chart when adding it to the report.
For example, if the requirement is to display only the SSL-VPN users:





5) The best practice is to schedule the report to run after midnight, for Time Period 'Yesterday'.




Note 1.

By default, FortiOS generates VPN statistics every 10 minutes after the session starts.
So if an SSL-VPN session was shorter than 10 minutes, it is not counted.
If more precise measurement is necessary, the statistics can be generated at shorter intervals by changing the following FortiGate CLI setting:
# config system settings
    set vpn-stats-log ssl ipsec
    set vpn-stats-period 60
end
Bear in mind that a short period combined with a large number of users noticeably increases the log rate.
If accuracy finer than 10 minutes is not really needed, leave this setting at the default of 600 seconds.

Note 2.

These predefined datasets contain 'where bandwidth>0'.
If no traffic was generated during the VPN session, it won't be displayed in the report.
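
The aggregation this report performs, and the effect of Notes 1 and 2 on it, as an added Python example (not part of the original article and not FortiAnalyzer's dataset query). The session tuples are constructed sample data, and dropping a session that is shorter than the stats period or carried no traffic is a simplifying assumption.

```python
from collections import defaultdict
from datetime import datetime, time

# Constructed sample sessions: (user, tunnel up, tunnel down, bytes transferred).
SESSIONS = [
    ("alice", "2024-03-04 08:55:00", "2024-03-04 12:30:00", 48_000_000),
    ("alice", "2024-03-04 12:31:00", "2024-03-04 12:40:00", 20_000),  # 9-minute reconnect
    ("alice", "2024-03-04 13:15:00", "2024-03-04 17:35:00", 61_000_000),
    ("bob", "2024-03-04 09:40:00", "2024-03-04 15:10:00", 9_000_000),
    ("bob", "2024-03-04 15:20:00", "2024-03-04 16:20:00", 0),  # idle, no traffic
]
FMT = "%Y-%m-%d %H:%M:%S"


def attendance(sessions, stats_period=600, start_by=time(9, 0), min_hours=8):
    """Per-user first login and total duration for one day of sessions.

    Simplified model of Notes 1 and 2 (an assumption, not FortiAnalyzer's query):
    a session is dropped when it is shorter than stats_period seconds
    or when it moved no traffic.
    """
    first, total = {}, defaultdict(int)
    for user, up, down, nbytes in sessions:
        t_up, t_down = datetime.strptime(up, FMT), datetime.strptime(down, FMT)
        secs = int((t_down - t_up).total_seconds())
        if secs < stats_period or nbytes <= 0:
            continue  # never reaches the report
        first[user] = min(first.get(user, t_up), t_up)
        total[user] += secs
    rows = []
    for user in sorted(total, key=total.get, reverse=True):  # order by duration
        rows.append({
            "user": user,
            "first_login": first[user].strftime("%H:%M"),
            "duration": "%02d:%02d" % divmod(total[user] // 60, 60),
            "late": first[user].time() > start_by,          # started after 9 am
            "short": total[user] < min_hours * 3600,        # under 8 hours
        })
    return rows


if __name__ == "__main__":
    for period in (600, 60):  # default period vs. the 60-second setting
        print("vpn-stats-period", period)
        for row in attendance(SESSIONS, stats_period=period):
            print("  ", row)
```

With the default 600-second period the 9-minute reconnect is lost and the first user appears to fall short of 8 hours; at 60 seconds it is counted.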

Note 3.

If customization of the query is required, the dataset can be cloned and edited.
A new chart will be required for the customized dataset.
For more information regarding dataset customization, refer to 'Related articles' mentioned below.



Related Articles

Technical Tip: How to create FortiAnalyzer reports using custom SQL queries
