Monitor number of third party VPN connections using the API
We currently have a requirement (with the new COVID 19 working from home strategies) to be able to monitor client vpn connections - the originating machine name, calling address, connection time, duration of connection, data sent/received and endpoint connected to etc throughout our organisation. Is this possible through the API or would we have to employ a different strategy to understand the loads/patterns going through the system? Thanks in advance for any help with this.
Some of the data that you're looking for can be pulled with the event log API endpoint. As you can see in the sample response that I got from my own MX we get a lot of data about the specific Client VPN connection. I'm using Systems Manager sentry VPN to connect which is why the user_id is a Meraki.com email.
For your example we are going to only be looking for two specific event types:
client_vpn_connect
client_vpn_disconnect
The full URL will look something like this. This was created by Postman (download the Postman collection). I know the includedEventTypes look odd but it's the best way to do it.
https://api.meraki.com/api/v0/networks/{{networkId}}/events/?perPage=3&productType=appliance&includedEventTypes[]=client_vpn_connect&includedEventTypes[]=client_vpn_disconnect
The output:
{
  "message": null,
  "pageStartAt": "2020-02-21T18:49:30.000000Z",
  "pageEndAt": "2020-03-21T17:49:30.156563Z",
  "events": [
    {
      "occurredAt": "2020-03-21T17:48:56.583000Z",
      "networkId": "L_60535",
      "type": "client_vpn_disconnect",
      "description": "VPN client disconnected",
      "clientId": "kc2dddd",
      "clientDescription": "03:5e:d6:c1:b2:a3",
      "deviceSerial": "Q2KN-ZXYW-RYMS",
      "deviceName": "myMX",
      "eventData": {
        "local_ip": "172.17.8.64",
        "user_id": "sm_6655559290@meraki.com",
        "remote_ip": "166.255.249.20"
      }
    },
    {
      "occurredAt": "2020-03-21T17:48:02.830001Z",
      "networkId": "L_60535",
      "type": "client_vpn_connect",
      "description": "VPN client connected",
      "clientId": "kc2dddd",
      "clientDescription": "03:5e:d6:c1:b2:a3",
      "deviceSerial": "Q2KN-ZXYW-RYMS",
      "deviceName": "myMX",
      "eventData": {
        "local_ip": "172.17.8.64",
        "user_id": "sm_6655559290@meraki.com",
        "remote_ip": "166.255.249.20"
      }
    }
  ]
}
Another great resource you might also want to check out: cs.co/meraki_tools. It's a Google Sheet integration with the API, all done in your browser. It has a great event log viewer where you can filter for VPN client disconnected and VPN client connected to have the data populated into rows and columns.
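An added example, not part of the original post: turning an event log response of the shape shown above into per-session rows (user, calling address, start time, duration), which is what the question asks for. The function names and the choice of (user_id, local_ip) as the pairing key are assumptions, and the third event in the sample is constructed to show a session that is still open.

```python
import json
from datetime import datetime

# Constructed sample: the two events from the response above (trimmed to the
# fields used here) plus one constructed connect that has no disconnect yet.
SAMPLE = json.loads("""{"events": [
  {"occurredAt": "2020-03-21T17:48:56.583000Z", "type": "client_vpn_disconnect",
   "deviceName": "myMX", "eventData": {"local_ip": "172.17.8.64",
   "user_id": "sm_6655559290@meraki.com", "remote_ip": "166.255.249.20"}},
  {"occurredAt": "2020-03-21T17:48:02.830001Z", "type": "client_vpn_connect",
   "deviceName": "myMX", "eventData": {"local_ip": "172.17.8.64",
   "user_id": "sm_6655559290@meraki.com", "remote_ip": "166.255.249.20"}},
  {"occurredAt": "2020-03-21T17:40:00.000000Z", "type": "client_vpn_connect",
   "deviceName": "myMX", "eventData": {"local_ip": "172.17.8.65",
   "user_id": "user2@example.com", "remote_ip": "203.0.113.7"}}
]}""")

def parse_ts(value):
    # Timestamps in the response are UTC with microseconds and a trailing Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")

def session_row(connect_event, end):
    data = connect_event.get("eventData") or {}
    start = parse_ts(connect_event["occurredAt"])
    return {"user_id": data.get("user_id"), "remote_ip": data.get("remote_ip"),
            "local_ip": data.get("local_ip"), "device": connect_event.get("deviceName"),
            "start": start, "end": end,
            "duration_s": (end - start).total_seconds() if end else None}

def vpn_sessions(events):
    """Pair connect/disconnect events into sessions; closed ones first, then open.

    Assumption: (user_id, local_ip) identifies one tunnel at a time."""
    open_sessions, rows = {}, []
    for ev in sorted(events, key=lambda e: parse_ts(e["occurredAt"])):
        data = ev.get("eventData") or {}
        key = (data.get("user_id"), data.get("local_ip"))
        if ev["type"] == "client_vpn_connect":
            if key in open_sessions:  # earlier disconnect missing from the log
                rows.append(session_row(open_sessions.pop(key), None))
            open_sessions[key] = ev
        elif ev["type"] == "client_vpn_disconnect" and key in open_sessions:
            rows.append(session_row(open_sessions.pop(key), parse_ts(ev["occurredAt"])))
        # a disconnect whose connect predates the queried window is skipped
    rows.extend(session_row(ev, None) for ev in open_sessions.values())
    return rows

if __name__ == "__main__":
    for row in vpn_sessions(SAMPLE["events"]):
        print(row["user_id"], row["remote_ip"], row["start"], row["duration_s"])
```

These events carry no byte counts, so data sent/received has to come from a different endpoint, such as the client usage history call linked in a later reply.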
Hey Paul, thanks for writing in!
All API calls that we've developed so far will be listed on your dashboard under Help > API Docs. Doing a quick check myself it looks like one call, "Return the firewall rules for an organization's site-to-site VPN", comes as close as possible. That said, I haven't run the call myself and it likely only applies to AutoVPN settings. You can give this a try and see what you get. If it doesn't return any useful information you'll have to consider other monitoring tools for these specific connections. Good luck!
The closest thing I see is this:
https://api.meraki.com/api_docs/v0#list-the-clients-that-have-used-this-network-in-the-timespan
But when I just tried pulling the data from there it would seem that there's no specific field that identifies the client as a VPN client, even though this same data in the Dashboard does show a VPN icon beside the user... So that's lame.
You might still be able to use this endpoint if you're not doing any other authentication on your network. If you're not, then the "user" field will always be blank for non-VPN users, and VPN users will have the user field populated.
If you can use that to get all the VPN users then you can hit this endpoint:
https://api.meraki.com/api_docs/v0#return-the-clients-daily-usage-history
to get usage data.
Oh! I just realized, you can match the returned users' IPv4 address against your client VPN address range! That'll tell you for sure if they're local or remote.
If you have this kind of requirement you should use RADIUS for authentication. It provides for this kind of auditing information.
If you use NPS on Windows server (a RADIUS server) you can then also use excellent tools like ADAudit Plus.
This will chain together all the events and tell you stuff like the person attached via VPN, and then authenticated to a specific server, etc.
It also does anomaly detection. For example, it attempts to detect people repeatedly trying to authenticate using a privileged account and failing (aka brute force attack).
