Monitor number of third party VPN connections using the API

SOLVED
Paul_Jefferies
Conversationalist


We currently have a requirement (with the new COVID 19 working from home strategies) to be able to monitor client vpn connections - the originating machine name, calling address, connection time, duration of connection, data sent/received and endpoint connected to etc throughout our organisation.  Is this possible through the API or would we have to employ a different strategy to understand the loads/patterns going through the system?  Thanks in advance for any help with this.

1 ACCEPTED SOLUTION
CN
Meraki Alumni (Retired)

Some of the data that you're looking for can be pulled with the event log API endpoint. As you can see in the sample response that I got from my own MX we get a lot of data about the specific Client VPN connection. I'm using Systems Manager sentry VPN to connect which is why the user_id is a Meraki.com email. 

 

For your example we are going to only be looking for two specific event types:

client_vpn_connect

client_vpn_disconnect

 

The full URL will look something like this. This was created by Postman (download the Postman collection). I know the includedEventTypes look odd but it's the best way to do it. 

 

https://api.meraki.com/api/v0/networks/{{networkId}}/events/?perPage=3&productType=appliance&includedEventTypes[]=client_vpn_connect&includedEventTypes[]=client_vpn_disconnect

 

The output:

 

{
  "message": null,
  "pageStartAt": "2020-02-21T18:49:30.000000Z",
  "pageEndAt": "2020-03-21T17:49:30.156563Z",
  "events": [
    {
      "occurredAt": "2020-03-21T17:48:56.583000Z",
      "networkId": "L_60535",
      "type": "client_vpn_disconnect",
      "description": "VPN client disconnected",
      "clientId": "kc2dddd",
      "clientDescription": "03:5e:d6:c1:b2:a3",
      "deviceSerial": "Q2KN-ZXYW-RYMS",
      "deviceName": "myMX",
      "eventData": {
        "local_ip": "172.17.8.64",
        "user_id": "sm_6655559290@meraki.com",
        "remote_ip": "166.255.249.20"
      }
    },
    {
      "occurredAt": "2020-03-21T17:48:02.830001Z",
      "networkId": "L_60535",
      "type": "client_vpn_connect",
      "description": "VPN client connected",
      "clientId": "kc2dddd",
      "clientDescription": "03:5e:d6:c1:b2:a3",
      "deviceSerial": "Q2KN-ZXYW-RYMS",
      "deviceName": "myMX",
      "eventData": {
        "local_ip": "172.17.8.64",
        "user_id": "sm_6655559290@meraki.com",
        "remote_ip": "166.255.249.20"
      }
    }
  ]
}

 

Another great resource you might also want to check out: cs.co/meraki_tools, it's a Google Sheet integration with the API all done in your browser. It has a great event log viewer where you can filter for VPN client disconnected and VPN client connected to have the data populated into rows and columns.
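Added example, not part of the original post: one way to turn the `client_vpn_connect` / `client_vpn_disconnect` events above into sessions with a duration, using a trimmed copy of the two sample events as input. Pairing on `user_id`, `remote_ip` and `local_ip` is an assumption of this sketch, and `pair_sessions` is a hypothetical helper name.

```python
from datetime import datetime

# Trimmed copy of the two events in the sample response above.
_DATA = {"local_ip": "172.17.8.64", "user_id": "sm_6655559290@meraki.com",
         "remote_ip": "166.255.249.20"}
SAMPLE_EVENTS = [
    {"occurredAt": "2020-03-21T17:48:56.583000Z",
     "type": "client_vpn_disconnect", "eventData": dict(_DATA)},
    {"occurredAt": "2020-03-21T17:48:02.830001Z",
     "type": "client_vpn_connect", "eventData": dict(_DATA)},
]


def _ts(value):
    # Timestamps in the sample are UTC with microseconds and a literal "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ")


def pair_sessions(events):
    """Pair connect/disconnect events (hypothetical helper).

    Returns (sessions, still_open, orphan_disconnects).
    """
    still_open, sessions, orphans = {}, [], []
    # The API sample lists newest first, so sort oldest first before pairing.
    for ev in sorted(events, key=lambda e: _ts(e["occurredAt"])):
        data = ev.get("eventData", {})
        # Assumption: one tunnel per (user, remote IP, assigned local IP).
        key = (data.get("user_id"), data.get("remote_ip"), data.get("local_ip"))
        when = _ts(ev["occurredAt"])
        if ev["type"] == "client_vpn_connect":
            still_open[key] = when  # a repeated connect replaces the older one
        elif ev["type"] == "client_vpn_disconnect":
            start = still_open.pop(key, None)
            if start is None:
                orphans.append(ev)  # its connect fell outside the fetched page
            else:
                sessions.append({
                    "user_id": key[0], "remote_ip": key[1], "local_ip": key[2],
                    "start": start, "end": when,
                    "seconds": (when - start).total_seconds(),
                })
    return sessions, still_open, orphans


if __name__ == "__main__":
    done, open_now, orphaned = pair_sessions(SAMPLE_EVENTS)
    for s in done:
        print(s["user_id"], s["remote_ip"], f'{s["seconds"]:.1f}s')
    print("still connected:", len(open_now), "unmatched disconnects:", len(orphaned))
```

Entries left in `still_open` are users who are connected right now or whose disconnect has not been fetched yet; unmatched disconnects usually mean the `perPage` window cut off the matching connect.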

 


5 REPLIES
Phi-L
Meraki Employee

Hey Paul, thanks for writing in!

 

All API calls that we've developed so far will be listed on your dashboard under Help > API Docs. Doing a quick check myself it looks like one call, "Return the firewall rules for an organization's site-to-site VPN", comes as close as possible. That said, I haven't run the call myself and it likely only applies to AutoVPN settings. You can give this a try and see what you get. If it doesn't return any useful information you'll have to consider other monitoring tools for these specific connections. Good luck!

jdsilva
Kind of a big deal

@Paul_Jefferies ,

 

The closest thing I see is this:

 

https://api.meraki.com/api_docs/v0#list-the-clients-that-have-used-this-network-in-the-timespan

 

But when I just tried pulling the data from there it would seem that there's no specific field that identifies the client as a VPN client, even though this same data in the Dashboard does show a VPN icon beside the user... So that's lame. 

 

You might still be able to use this endpoint if you're not doing any other authentication on your network. If you're not, then the "user" field will always be blank for non-VPN users, and VPN users will have the user field populated. 

 

If you can use that to get all the VPN users then you can hit this endpoint:

 

https://api.meraki.com/api_docs/v0#return-the-clients-daily-usage-history

 

to get usage data.

jdsilva
Kind of a big deal

Oh! I just realized, you can match the returned users' IPv4 address against your client VPN address range! That'll tell you for sure if they're local or remote. 

PhilipDAth
Kind of a big deal

If you have this kind of requirement you should use RADIUS for authentication.  It provides for this kind of auditing information.

 

If you use NPS on Windows server (a RADIUS server) you can then also use excellent tools like ADAudit Plus.

https://www.manageengine.com/products/active-directory-audit/active-directory-auditing-solutions.htm... 

This will chain together all the events and tell you stuff like the person attached via VPN, and then authenticated to a specific server, etc.

It also does anomaly detection.  For example, it attempts to detect people repeatedly trying to authenticate using a privileged account and failing (aka brute force attack).
