question

kennyparsons-m asked GitaraniSharmaMSFT-4262 commented

Log or Capture Thumbprints of successful connections

I am trying to audit certificates that we've generated to access our Virtual Network Gateway P2S VPN. Previous owners of the VNG did not track the certificates and we have no way of knowing what certificates are in the wild with valid thumbprints (we allow the root certificate, so if it's signed by the root, it's valid).

So my first thought was to use the metrics and Azure resource queries to find successful connections. I used one of the example queries to pull successful connections, but the message only returns the username. It does not show thumbprints for the connection authentication.

How can I do this audit? I don't want to have to revoke the root cert and resign everyone's client certificate. Is there a way to retrieve the thumbprint of the certificate used to create successful connections?

Tags: azure-virtual-network, azure-vpn-gateway

Hello @kennyparsons-m ,

Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

AFAIK, for VPN gateway, we only have Point to site VPN session management available via Azure portal and P2S Connection Count available via Azure Monitor.
Refer : https://docs.microsoft.com/en-us/azure/vpn-gateway/p2s-session-management
https://docs.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway

Advanced monitoring for P2S VPN is available for VPN clients connected to Azure Virtual WAN.
Refer : https://docs.microsoft.com/en-us/azure/virtual-wan/monitor-point-to-site-connections

I will check with the Azure VPN backend team regarding your requirement and will keep you posted.

Regards,
Gita


1 Answer

GitaraniSharmaMSFT-4262 answered GitaraniSharmaMSFT-4262 commented

Hello @kennyparsons-m ,

I understand that you would like to log or capture Thumbprints of successful Azure P2S VPN connections for auditing purpose.

I discussed this requirement with the Azure VPN Product Group team and below are the steps provided by them to see the thumbprints used in auth flows:

You can check the P2SDiagnosticLog to see the thumbprints used in auth flows. You can perform log analysis by following the first 6 steps in the below doc:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-setup-alerts-virtual-network-gateway-log

Once you have enabled Diagnostics and configured the Log Analytics, follow the steps below:


1) Navigate to the Log Analytics Workspace you configured in the Azure Portal
2) Click on Logs
3) Paste the following into the Query window, replacing NameOfGateway with the name of your gateway, and click Run

 AzureDiagnostics
 // P2S authentication events for one gateway; Resource holds the gateway name as stored in AzureDiagnostics
 | where Category == "P2SDiagnosticLog" and Resource == "NameOfGateway" and Message contains "Received client certificate with Username"
 // split(..., 1) returns a one-element array holding the text after the first "Thumbprint="
 | extend Thumbprint = split(Message,"Thumbprint=",1)
 | extend Thumbprint = tostring(Thumbprint[0])
 // one row per distinct thumbprint seen on this gateway
 | distinct Thumbprint, Resource

4) Compare the certificate chain for the certificates with the thumbprints from the logs against your current and previous Root Certificate

Kindly let us know if the above helps or you need further assistance on this issue.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

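Steps 3 and 4 of the answer leave you with a list of thumbprints that still has to be reconciled by hand against the certificates you know you issued. The following is an added example, not code from the thread or from Microsoft, that does that reconciliation offline in Python over an export of the same log rows: it applies the answer's filter (Category, Resource, the "Received client certificate with Username" marker, and the text after "Thumbprint=") to a constructed CSV export, normalizes thumbprints so that lower-case, colon- or space-separated renderings of one certificate are not counted as different certificates, and diffs them against a constructed inventory of issued certificates. The CSV column layout, the `Username=... Thumbprint=...` layout of the message body, the gateway name and the inventory file format are assumptions; only the two substrings the KQL matches on come from the answer.

```python
"""Reconcile P2S client-certificate thumbprints seen in P2SDiagnosticLog with an inventory.

Added example (not from the thread). Only the marker text and the "Thumbprint="
split come from the answer's KQL; the CSV columns, the rest of the message
layout and the inventory format are assumptions made for illustration.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed sample of an AzureDiagnostics export (not real gateway output).
SAMPLE_LOG_CSV = """TimeGenerated,Category,Resource,Message
2022-03-01T08:01:12Z,P2SDiagnosticLog,MYGATEWAY,Received client certificate with Username=alice Thumbprint=A1B2C3D4E5F60718293A4B5C6D7E8F9011223344
2022-03-01T08:02:30Z,P2SDiagnosticLog,MYGATEWAY,Received client certificate with Username=bob Thumbprint=ffeeddccbbaa99887766554433221100aabbccdd
2022-03-01T08:05:00Z,P2SDiagnosticLog,MYGATEWAY,Received client certificate with Username=unknown Thumbprint=0123456789abcdef0123456789abcdef01234567
2022-03-01T08:06:00Z,P2SDiagnosticLog,MYGATEWAY,Tunnel established for alice
2022-03-01T08:07:00Z,P2SDiagnosticLog,OTHERGATEWAY,Received client certificate with Username=carol Thumbprint=A1B2C3D4E5F60718293A4B5C6D7E8F9011223344
"""

# Constructed inventory of client certificates we know we issued (hypothetical).
# Thumbprint = SHA-1 over the DER certificate, in whatever form the issuing tool printed it.
ISSUED_CSV = """subject,thumbprint,issued_to
CN=alice-p2s,a1:b2:c3:d4:e5:f6:07:18:29:3a:4b:5c:6d:7e:8f:90:11:22:33:44,alice
CN=bob-p2s,FF EE DD CC BB AA 99 88 77 66 55 44 33 22 11 00 AA BB CC DD,bob
CN=dave-p2s,DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF,dave
"""

MARKER = "Received client certificate with Username"  # substring the answer's KQL filters on
USERNAME_RE = re.compile(r"Username=([^\s,]+)")       # assumed layout of the message body


def normalize_thumbprint(raw):
    """Return the thumbprint as 40 upper-case hex digits, or raise ValueError.

    certmgr, openssl and the portal render the same SHA-1 thumbprint with
    colons, spaces or lower case; without normalization 'distinct Thumbprint'
    or a plain string compare would count one certificate several times.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(digits) != 40:
        raise ValueError("not a SHA-1 thumbprint: %r" % raw)
    return digits


def thumbprints_from_log(log_csv, gateway=None):
    """Map normalized thumbprint -> set of usernames it authenticated, per the answer's filter."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_csv)):
        if row["Category"] != "P2SDiagnosticLog" or MARKER not in row["Message"]:
            continue
        # Compare the gateway name case-insensitively; the thread notes the stored
        # Resource value may be upper case even if the gateway was not named that way.
        if gateway and row["Resource"].upper() != gateway.upper():
            continue
        # Same operation as the KQL split(Message, "Thumbprint=", 1): text after the first marker.
        parts = row["Message"].split("Thumbprint=", 1)
        if len(parts) != 2 or not parts[1].split():
            continue
        thumbprint = normalize_thumbprint(parts[1].split()[0])  # assumes contiguous hex in the log
        match = USERNAME_RE.search(row["Message"])
        seen[thumbprint].add(match.group(1) if match else "?")
    return dict(seen)


def load_inventory(inventory_csv):
    """Map normalized thumbprint -> who the certificate was issued to."""
    return {normalize_thumbprint(row["thumbprint"]): row["issued_to"]
            for row in csv.DictReader(io.StringIO(inventory_csv))}


def audit(log_csv, inventory_csv, gateway=None):
    """Classify observed thumbprints: tracked, untracked (root-signed but unknown), shared, never seen."""
    seen = thumbprints_from_log(log_csv, gateway)
    issued = load_inventory(inventory_csv)
    return {
        "untracked": {tp: sorted(users) for tp, users in seen.items() if tp not in issued},
        "tracked": {tp: issued[tp] for tp in seen if tp in issued},
        "shared": {tp: sorted(users) for tp, users in seen.items() if len(users) > 1},
        "never_seen": sorted(tp for tp in issued if tp not in seen),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_LOG_CSV, ISSUED_CSV, gateway="MyGateway")
    for tp, users in report["untracked"].items():
        print("UNTRACKED  %s  used by %s" % (tp, ", ".join(users)))
    for tp, owner in report["tracked"].items():
        print("tracked    %s  issued to %s" % (tp, owner))
    for tp, users in report["shared"].items():
        print("SHARED     %s  used by %s" % (tp, ", ".join(users)))
    for tp in report["never_seen"]:
        print("never seen %s" % tp)
```

Thumbprints in the "untracked" set are certificates the root signed that nobody recorded; a thumbprint seen under more than one username (run without the gateway filter to see the constructed alice/carol case) points at a shared client certificate. Azure VPN Gateway lets you revoke individual P2S client certificates by thumbprint in the gateway's Point-to-site configuration, so an untracked thumbprint can be blocked without reissuing the root.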

Hi @GitaraniSharmaMSFT-4262

We had a log analytics workspace setup and configured the VNG to send tunnel Diagnostic logs for quite some time.

[screenshot: law_diagnostic_setup]
However, when I try to query those logs, I get nothing for the last 7 days, in which I personally know I have connected to this gateway, as well as several others.

[screenshot: law_query]

Not sure what else to try. Any ideas?


Hello @kennyparsons-m ,

Thank you for the update.

Let me check regarding this issue and get back to you.

Regards,
Gita


Hello @kennyparsons-m ,

Below are a few things that I would request you to try:

In the provided query, try changing the gateway name (Resource == "NameOfGateway") to all Uppercase and run the query again.
If the above doesn't show any records, try the below:


Run a simple query:

 AzureDiagnostics | take 10

If you see records from the above query then run the following to see if there are any P2S connections.

 AzureDiagnostics | where Category == "P2SDiagnosticLog"

If you see records using the above query, start adding the other conditions. (Resource == "NameOfGateway" and Message contains "Received client certificate with Username")

Regards,
Gita


Hello @kennyparsons-m ,

Could you please provide an update on this post?

Kindly let us know if the above helps or you need further assistance on this issue.

Regards,
Gita


Hello @kennyparsons-m ,

I'm following up to check if you have any updates on this issue.
Kindly let us know if the above helps or you need further assistance on this issue.

Regards,
Gita


@GitaraniSharmaMSFT-4262 I did those steps and still got no results. So this is still unsolved. However, I am devoting more time to managing user access outside of Azure, as Azure has no P2S user control when using certificates. If I can lock down external certificates, what Azure can (or in this case: can't) do would no longer matter much.


Hello @kennyparsons-m ,

Thank you for the update.

It sounds weird that you were unable to get any results from the diagnostic logs. In case you would like to investigate this issue, we may need a support request to look into the backend logs. So if you have a support plan, I request you to file a support ticket; else please do let us know and we will try to help you get one-time free technical support.

Regards,
Gita
