L2 Discovery for VPN Clients

With the desire to monitor WFH traffic over a VPN, I have a question related to how to best go about doing this with L2V2.

For starters, I know of the WFH-VPN Bundle. It works great and I’ve used it several times. Most often customers are okay with a Custom Device. I did have a one-off where the customer wanted Remote L3, which was simple with the Trigger flag.

However, I have a different customer here that wants to create Device Objects around the remote (VPN client) MACs.

Looking at the docs (link), I see the “one-arm” (which is what the customer has; i.e., only the internal side of the traffic TAPped) as well as the “two-arm” - the latter of which we don’t have.

Keeping in mind that the idea here is to ensure Device Objects are created around the MACs of the clients just in case a Detection was to fire, what’s the best way to go about doing this?

If we were to use Custom Device or Remote L3, and the same IP was provided to different clients during different timeframes, associating potential Detections with the exact client requires some extra work.

I have seen Detections where User information is present but not in all cases where Detections are fired.

Lastly, I vaguely recall a forum thread about DHCP relay but cannot find it anymore. With this scenario in mind, the VPN Gateway is dishing out IPs. If we were to configure DHCP Relay to somewhere within the data feed, will this:

  1. Grant us visibility into the MAC of the VPN client, and thus create a unique Device Object for each VPN client?
  2. If that DHCP Relay target is non-existent, will the client actually receive an IP address?

The VPN Gateway itself is what would and should dish out the IPs in this scenario.

Hi @emilh,

The VPN discovery feature does two things:

  • Automatically discovers clients that are originating from a VPN gateway
  • Automatically correlates the internal client IP to the external origin IP

Typically, the VPN gateway routes between a VPN subnet and the corporate LAN. The VPN subnet is often just a tunnel with one end on a user device and the other end at the VPN gateway. Unfortunately, there is no visibility into the MAC of the user device. As you note, internal client IPs can be reassigned, so it’s important to pay close attention to the time selector.

I hope this helps!
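As an added example that is not part of the original thread or of the product discussed, the following Python shows the time-aware lookup the answer implies: because the gateway reuses pool addresses, a detection's internal IP has to be resolved together with its timestamp to land on the right client and external origin IP. The `VpnLease` record and the lease log are constructed for the example.

```python
"""Time-aware correlation of a VPN-assigned internal IP to the client that held it.

Added example (not code from the original thread): the VPN gateway hands out
internal IPs from a pool, so the same IP can belong to different clients at
different times. A lookup keyed on IP alone is therefore ambiguous; it must be
keyed on IP and time, which is why the answer stresses the time selector.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class VpnLease:
    internal_ip: str          # address assigned from the VPN pool
    external_ip: str          # public origin IP of the tunnel endpoint
    user: str                 # identity from the gateway's auth log
    start: datetime           # tunnel/lease start (UTC)
    end: Optional[datetime]   # None while the tunnel is still up


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample log: 10.200.0.5 is reused by two different clients.
LEASES = [
    VpnLease("10.200.0.5", "198.51.100.23", "alice", _ts("2024-03-01T08:00"), _ts("2024-03-01T12:30")),
    VpnLease("10.200.0.6", "203.0.113.9",   "bob",   _ts("2024-03-01T08:15"), None),
    VpnLease("10.200.0.5", "192.0.2.77",    "carol", _ts("2024-03-01T13:05"), None),
]


def client_for(ip: str, at: datetime, leases=LEASES) -> Optional[VpnLease]:
    """Return the lease that held `ip` at instant `at`, or None if nobody did.

    Intervals are [start, end); an open lease (end=None) runs from start onward.
    Overlapping leases for one IP are ambiguous, so None is returned rather than
    a guess.
    """
    hits = [lease for lease in leases
            if lease.internal_ip == ip and lease.start <= at
            and (lease.end is None or at < lease.end)]
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for when in ("2024-03-01T09:00", "2024-03-01T12:45", "2024-03-01T14:00"):
        lease = client_for("10.200.0.5", _ts(when))
        print(when, "->", f"{lease.user} via {lease.external_ip}" if lease else "no client held this IP")
```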