With the desire to monitor WFH traffic over a VPN, I have a question related to how to best go about doing this with L2V2.
For starters, I know of the WFH-VPN Bundle. It works great and I’ve used it several times. Most often customers are okay with a Custom Device. I did have a one-off where the customer wanted Remote L3, which was simple with the Trigger flag.
However, I have a different customer here that wants to create Device Objects around the remote (VPN client) MACs.
Looking at the docs (link), I see the “one-arm” (which is what the customer has; i.e., only the internal side of the traffic TAPped) as well as the “two-arm” - the latter of which we don’t have.
Keeping in mind that the idea here is to ensure Device Objects are created around the MACs of the clients just in case a Detection were to fire, what’s the best way to go about doing this?
If we were to use Custom Device or Remote L3, and the same IP was provided to different clients during different timeframes, associating potential Detections with the exact client requires some extra work.
I have seen Detections where User information is present but not in all cases where Detections are fired.
Lastly, I vaguely recall a forum around DHCP relay but cannot find it anymore. With this scenario in mind, the VPN Gateway is dishing out IPs. If we were to configure DHCP Relay to somewhere within the data feed, will this:
- Grant us visibility into the MAC of the VPN client, and thus create a unique Device Object for each VPN client?
- If that DHCP Relay target is non-existent, will the client actually receive an IP address?
The VPN Gateway itself is what would and should dish out the IPs in this scenario.
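As an added illustration of what a relayed DHCP request actually exposes (example code, not from the original post or from the vendor's bundle): the client hardware address rides in the fixed BOOTP chaddr field, and usually again in the option 61 client identifier, so a sensor that sees the relayed copy can still read the VPN client's MAC even though the Ethernet source of that frame is the relay agent. The packet bytes, MAC and relay address below are constructed; whether a given VPN gateway relays at all, and whether it still hands out a lease when the relay target never answers, depends on that gateway and is not modelled here.

```python
"""Parse the BOOTP/DHCP fields a passive sensor reads from a relayed request."""
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that starts the options field
DHCP_DISCOVER = 1             # option 53 message-type value

def build_discover(client_mac: bytes, xid: int = 0x3903F326) -> bytes:
    """Constructed DHCPDISCOVER as the client sends it (hops 0, giaddr 0.0.0.0)."""
    # op=1 (request), htype=1 (Ethernet), hlen=6, hops, xid, secs, flags(broadcast),
    # ciaddr, yiaddr, siaddr, giaddr  -> 28-byte fixed header
    hdr = struct.pack("!BBBBIHH4s4s4s4s", 1, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4)
    chaddr = client_mac.ljust(16, b"\0")             # 16-byte hardware address
    sname_file = b"\0" * 192                         # sname (64) + file (128)
    options = bytes([53, 1, DHCP_DISCOVER,           # message type
                     61, 7, 1]) + client_mac + b"\xff"  # client-id (type 1 = MAC), end
    return hdr + chaddr + sname_file + MAGIC + options

def relay(packet: bytes, relay_ip: str) -> bytes:
    """Emulate a relay agent per RFC 2131: hops += 1, giaddr = relay interface."""
    hops = packet[3] + 1
    giaddr = bytes(int(o) for o in relay_ip.split("."))
    return packet[:3] + bytes([hops]) + packet[4:24] + giaddr + packet[28:]

def parse(packet: bytes) -> dict:
    """Extract the fields that tie a lease back to a specific client."""
    op, htype, hlen, hops, xid = struct.unpack("!BBBBI", packet[:8])
    giaddr = ".".join(str(b) for b in packet[24:28])
    mac = ":".join(f"{b:02x}" for b in packet[28:28 + hlen])   # chaddr survives relay
    if packet[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(packet) and packet[i] != 255:      # 255 = end option
        if packet[i] == 0:                           # 0 = pad
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"hops": hops, "xid": xid, "giaddr": giaddr, "chaddr": mac,
            "msg_type": opts.get(53, b"\0")[0],
            "client_id": opts[61].hex(":") if 61 in opts else None}

if __name__ == "__main__":
    pkt = relay(build_discover(bytes.fromhex("001122334455")), "10.20.0.1")
    print(parse(pkt))
```

Running it shows giaddr and hops changed by the relay while chaddr and the option 61 identifier still name the client, which is the data a device-inventory rule would key on.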