Is there a feature to notify when a user logs into VPN from a new IP address?

I would like to know if there are any features or rules that can trigger a notification email to be sent out when specific users log into the VPN from a new IP address that they haven't used in the past. We want to monitor logins from specific users who have admin privileges in our Windows domain.

I asked ChatGPT if this could be done, and it claims if I had WatchGuard Dimension or Cloud, I could do this, which we presently don't have.

ChatGPT told me the alternative would be to configure another server to access the VPN login logs, and create scripts to search the logs and for the scripts to do the work.
Has anybody heard of anyone doing any such monitoring? Thanks. - Mark

Comments

  • @mrlondon said:
    Has anybody heard of anyone doing any such monitoring? Thanks. - Mark

    On first reading that implies the admin users all have static, public IP addresses they log in to the VPN from - if that's not the case then you'd need to define the criteria that makes it "different".

    Not sure specifically how you'd go about this but if you have an inbound VPN rule (IPsec or SSL) that has the "regular" IP addresses or other criteria which doesn't necessarily need to be logged, followed by a separate inbound VPN rule that logs all access, from which you can then have alerting etc based on matches to that log entry.

  • james.carson Moderator, WatchGuard Representative

    Using Dimension or WatchGuard Cloud, you can set a policy to notify if it is used. There is no logic in the policy to alert on a new IP they have not connected from prior.

    The only realistic way I could see this being able to be set up would be to:
    -Create a new rule that mirrors the "WatchGuard SSLVPN" policy, and place it above the default rule.
    -Instead of using "Any-External" in your new rule, add the IP addresses that your SSLVPN users are known to connect from.
    -Enable notification in the default WatchGuard SSLVPN policy to send to email.
    -Set your WatchGuard Dimension server up to send email alerts, or enable notification on WatchGuard Cloud.

    You would need to manually add known IP addresses to the first policy as they pop up in order to keep up with this, since user IP addresses change quite a bit (most consumer ISPs will use dynamic IP addresses and/or CGNAT).

    -James Carson
    WatchGuard Customer Support
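
An added example, not from any poster in this thread and not WatchGuard code, of the script-based approach raised in the question: it flags a watched account's VPN login from a source network not seen before for that account. The `timestamp,user,ip` log lines are constructed and are not the Firebox log format; the account name and the /24 (IPv4) and /64 (IPv6) grouping used to tolerate dynamic addresses are assumptions, and email delivery of the alerts is left to the caller.

```python
import ipaddress

# Constructed sample records (timestamp,user,source IP). This is NOT the
# Firebox log format; adapt parse_line() to what your log export emits.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z,adm-alice,198.51.100.24
2024-05-01T08:05:40Z,bob,203.0.113.9
2024-05-02T07:58:03Z,adm-alice,198.51.100.77
2024-05-03T22:14:52Z,adm-alice,192.0.2.130
2024-05-03T22:20:00Z,bob,192.0.2.55
not a login line
2024-05-04T08:01:00Z,adm-alice,192.0.2.130
"""

WATCHED_USERS = {"adm-alice"}   # hypothetical admin account name
PREFIX_LEN = 24                 # assumption: a known IPv4 /24 is "not new"

def parse_line(line):
    """Return (timestamp, user, ip) or None for lines that do not parse."""
    parts = line.strip().split(",")
    if len(parts) != 3:
        return None
    ts, user, ip = parts
    try:
        return ts, user, ipaddress.ip_address(ip)
    except ValueError:
        return None

def network_of(ip):
    """Collapse an address to its enclosing network to tolerate dynamic IPs."""
    plen = PREFIX_LEN if ip.version == 4 else 64
    return ipaddress.ip_network(f"{ip}/{plen}", strict=False)

def find_new_source_logins(log_text, watched=WATCHED_USERS, known=None):
    """Return (timestamp, user, ip) alerts for watched users on unseen networks.

    `known` maps user -> set of networks already seen. If it is not seeded
    from history, each user's first login is reported as new.
    """
    known = {} if known is None else known
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[1] not in watched:
            continue
        ts, user, ip = rec
        seen = known.setdefault(user, set())
        if network_of(ip) not in seen:
            alerts.append((ts, user, str(ip)))
            seen.add(network_of(ip))
    return alerts
```

Persisting `known` between runs (for example as a JSON file) is what turns this into ongoing monitoring; widening or narrowing `PREFIX_LEN` trades missed address changes against alert noise from CGNAT and dynamic ISP pools.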
