When looking for what person was assigned an IP via Watchguard over the SSLVPN connection, search for the EXACT match of “assigned virtual IP” in the Event section of Log search and you will get back all of those that got an IP. An example is:
2019-02-20 13:13:29 | FWStatus, SSL VPN user user1@mydomain.local from 181.91.32.0 logged in assigned virtual IP is 192.168.123.6, pri=6, proc_id=sessiond, msg_id=3E00-0002 |
2019-02-20 13:16:29 | FWStatus, SSL VPN user user2@mydomain.local from 192.168.1.76 logged in assigned virtual IP is 192.168.123.17, pri=6, proc_id=sessiond, msg_id=3E00-0002 |
To further filter, use an AND with EXACT phrase with either “logged in” or “logged out” to get only that particular activity.
Searching for Authentication of User
Looking for when someone authenticated to the firewall via SSLVPN, run a search on the timeframe using the search term of ” Authentication of SSLVPN user” in the EVENT section and it will list them.
Authentication of SSLVPN user [user1@mydomain.local] from 172.28.112.75 was accepted