Use WebSockets for session monitoring

You can use WebSockets to monitor connections, block lists, VPN SAs, users, routing, SSL VPNs, and neighbors.

Steps

  1. Login to the SMC API with the login method.
  2. Transfer the session cookie to the WebSocket session or share the socket itself.
  3. Connect to the WebSocket using the following URL: 
    ws://[server]:[port]/[version]/monitoring/session/socket
  4. To query for specific session monitoring information and fetch the result, send a command with the following syntax: 
    {query":{"definition":"SESSION NAME","target":" ENGINE NAME"}, "fetch":{}, "format":{"type":"texts"}}

    Replace SESSION NAME with one of these session monitoring definitions:

    • CONNECTIONS (established connections)
    • BLOCK_LIST (block listed connections)
    • VPN_SA (established security associations)
    • USERS (authenticated users)
    • ROUTING
    • SSLVPNV2 (SSL VPN users logged on the portal)
    • ACTIVE_ALERTS
    • NEIGHBORS

    Replace ENGINE NAME with the name of the NGFW Engine to query.

    For the ACTIVE_ALERTS session monitoring definition, replace ENGINE NAME with the name of the administrative Domain to query.

Example

For example, to open a channel to monitor the BLOCK_LIST on the Plano FW NGFW Engine and output the result as text, send the command:

{"query": {"definition":"BLOCK_LIST","target":"Plano FW"}, "fetch":{}, "format":{"type":"texts"}}

The resulting entries contain a delta_key value. The delta_key value identifies an event, such as a block listed connection. Several entries can be associated with an event. Each entry corresponds to a state of the event, such as creation (added), update, and delete.

Additionally, each BLOCK_LIST entry contains a reference:

“block_list_href":http://localhost:8082/5.9/elements/single_fw/1649/block_list/MQ==

This reference allows you to retrieve a specific BLOCK_LIST entry and delete it using the SMC API:

>>>{"fetch":-
1616514795,"records":{"added":[{"SessionEvent":"1","BlackListEntrySourcePort":"1024","CompId":
"Plano FW node 1","ReceptionTime":"2015-05-29 12:35:15",
"block_list_href":"http://localhost:8082/7.0/elements/single_fw/1649/block_list/MQ==",
"DataType":"7","DataTags":"INFO: BLOCK_LIST Monitoring","BlackListEntryDestinationIp":"1.1.1.0",
"BlackListEntryDuration":"0","BlackListEntryProtocol":"TCP","SenderDomain":"Shared Domain",
"BlackListEntrySourceIp":"1.1.1.0","BlackListEntryId":"MQ==","NodeId":"Plano FW node 1",
"BlackListEntrySourceIpMask":"255.255.255.0","delta_key":"AgE=",
"BlackListEntrySourcePortRange":"65535","RefEvent":"2015-05-29 12:35:12",
"Timestamp":"2015-05-29 12:35:15","BlackListEntryDestinationIpMask":"255.255.255.0",
"blackListEntryDestinationPort":"80"}],"updated":[],"deleted":[]}}