Session Visibility and Management Utility

Introduction to Session Visibility and Management

When the Session Visibility and Management Utility is enabled, each time a user connects remotely to an R77.30 or higher Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources., the data is recorded in an SQL database.

You can run queries on this database with the Session Visibility and Management Utility.

You can use the Utility to:

  • Show session information based on constraints

  • Terminate user sessions based on constraints

The main commands are described below. You can also edit the configuration XML file to create custom commands. See sk104644 for advanced configuration.

These Check Point clients are fully supported with the Session Visibility and Management Utility:

These clients are supported but sessions on them cannot be terminated:

  • Capsule Connect

  • Capsule VPN

  • Windows 8.1 Check Point VPN Plugin

Enabling the Utility on the Security Gateway

By default the Session Visibility and Management Utility is disabled.

Note - In a ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing., you must configure all the Cluster Members in the same way.

To enable or disable the Session Visibility and Management Utility:

  1. To enable, run:

    RAsession_util on

    To disable, run:

    RAsession_util off

  2. Run:

    cpstop

  3. Run:

    cpstart

Viewing the Number of Open Sessions

Syntax:

RAsession_util show sessions_num

Disconnecting Remote Access Users

Syntax:

RAsession_util terminate {all | byuser <user> | bysession_id <id> | custom <SQL constraint>}

Parameters:

Parameter

Description

all

Disconnect all Remote Access users

byuser

Disconnect a user by their user name

bysession_id

Disconnect the session with the given session ID

custom

Disconnect users that match an SQL constraint

Examples:

  • RAsession_util terminate all

  • RAsession_util terminate byuser james_wilson

  • RAsession_util terminate bysession_id 521bd4788

  • RAsession_util terminate custom "src_ip='1.1.1.1'"

Viewing User Data

Syntax:

RAsession_util show users {all | byname <user_name> | where <where_clause>}

Parameters:

Parameter

Description

all

Show all users

byuser

Show data of the given user name

where

Show users by constraint

certs

Show user certificates by constraints

Examples:

  • RAsession_util show users all

  • RAsession_util show users byuser "james_wilson"

  • RAsession_util show users where "client_name='Mobile Access Portal'"

    (This command shows all the users connected from the Mobile Access Portal.)

Using Constraints

To disconnect or see data of users that match a non-default definition, use constraints. First, become familiar with the Check Point scheme for Remote Access sessions. Then, use the field names or types to run a terminate or show users command on matching users.

To see valid constraint fields:

RAsession_util show scheme

Examples:

This command shows the given fields where the client is the Mobile Access Portal, and the results are ordered according to the creation time:

RAsession_util show custom -FIELDS "session_id,user_name,client_name,browser_name,machine_name,os_name" -WHERE "client_name='Mobile Access Portal'" -ORDERBY "creation_time"

This command shows the given fields where the client type is Capsule Workspace:

RAsession_util show custom -FIELDS "user_name,sessionid,client_ver,client_build_number,os_name,os_ver,device_type" -WHERE "client_name='Capsule Workspace'"

Session Visibility and Management Commands

Description: Shows the table scheme of the database.

Usage: SCHEME

Parameters: None

Description: Performs an operation on a session or session based on the defined constraints.

Usage: SESSION_OP <Operation_type> <Sql_constraint [list_of_parameters]>

Parameters:

Parameter

Description

Operation_type

Type of operation to perform on sessions.

Only terminate is supported in this release.

Sql_constraint

Criteria to select the sessions on which to perform the operation.

For example, "username='aa'".

It can also be a parametric SQL "WHERE" clause that includes $ signs instead of values.

For example, "username=$1 and srcip=$2".

The "WHERE" clause means that the first parameter in the List_of_parameters will be placed instead of $1, and the second will be as $2.

List_of_parameters

Can be empty or list of parameters to be placed instead of the $ signs in the "WHERE" clause.

Examples:

SESSION_OP terminate "username='James Wilson'"

SESSION_OP terminate "username=$1 and srcip=$2" "James Wilson,192.0.2.10"

Description: Run a query on the sessions table.

Usage: SELECT <-FIELDS <fields>> [-WHERE <where_clause> [list_of_parameters]] [-GROUPBY <group_by_fields>] [-ORDERBY <order_by_fields>] [-LIMIT <limit_size> [-OFFSET <offset_number>]]

Parameters:

Parameter

Description

FIELDS <fields>

FIELDS flag with list of fields to select delimited by ",".

WHERE <where_clause>

WHERE flag with the SQL WHERE clause.

<where_clause> can also include $ signs instead of values.

For example, "username=$1 and srcip=$2".

This "where_clause" means that the first parameter in the "List_of_parameters" will be placed instead of $1, and the second will be as $2 .

List_of_parameters

Can be empty or list of parameters to be placed instead of the $ signs in the WHERE clause.

GROUPBY <group_by_fields>

GROUPBY flag with list of fields to group by delimited by ",".

ORDERBY <order_by_fields>

ORDERBY flag with list of fields to order the result by delimited by ",".

LIMIT <limit_size>

LIMIT flag with the limit size.

OFFSET <offset_number>

OFFSET flag with the result offset.

Example:

SELECT -FIELDS "login name,clientname,sessionid" -WHERE "loginname='aa'" -ORDERBY "clientname"