
WALLIX CERTIFIED PROFESSIONAL
WCP
SESSION AUDIT

CURRENT SESSION

© Copyright WALLIX 4
CURRENT SESSION
▪ Display the current connections

CURRENT SESSION
▪ Close running connections
• RDP
• SSH

SESSION HISTORY
▪ Audit
• Session ended successfully
• Session killed by admin
• Session interrupted by the Bastion
• RAWTCPIP: Download pcap file of captured packets
• SSH: Download session record (ttyrec format)
• SSH: Download session record (txt format)
• Display session recording

SESSION HISTORY – RDP SESSION
▪ Display the video part
▪ The parts of the video session
▪ Download the metadata of all the session
▪ Download the video part
▪ A part of the session metadata
▪ ttyrec format, read with ttyplay
▪ Text format
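The ttyrec download is the raw, timestamped form of an SSH session record and the txt download is its flattened text. As an added example, not part of the WALLIX deck or product, this Python reads a ttyrec file (the layout ttyplay expects: three little-endian uint32 fields, then the payload), renders the text view, measures how long the session was active, and rejects truncated files; the sample recording and the `adminlinux1@linux` prompt are constructed.

```python
import re
import struct

# ttyrec record layout (the format ttyplay reads): three little-endian uint32 fields
# (seconds, microseconds, payload length) followed by that many bytes of terminal output.
HEADER = struct.Struct("<III")
# CSI escape sequences (ESC [ params intermediates final): colours, cursor moves, clears.
CSI_RE = re.compile(rb"\x1b\[[0-?]*[ -/]*[@-~]")

def iter_records(data):
    """Yield (timestamp, payload) per record; a truncated file raises instead of silently ending."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated ttyrec header at offset {offset}")
        sec, usec, length = HEADER.unpack_from(data, offset)
        offset += HEADER.size
        if len(data) - offset < length:
            raise ValueError(f"truncated ttyrec payload at offset {offset}")
        yield sec + usec / 1_000_000, data[offset:offset + length]
        offset += length

def ttyrec_to_text(data):
    """Plain-text view of the recording: escape sequences dropped, CR LF normalised to LF."""
    raw = b"".join(payload for _, payload in iter_records(data))
    return CSI_RE.sub(b"", raw).replace(b"\r\n", b"\n").decode("utf-8", errors="replace")

def session_duration(data):
    """Seconds between the first and last output chunk, i.e. how long the session was active."""
    stamps = [ts for ts, _ in iter_records(data)]
    return stamps[-1] - stamps[0] if stamps else 0.0

def is_well_formed(data):
    """True when every header and payload is complete; a partial download fails this check."""
    try:
        return sum(1 for _ in iter_records(data)) >= 0
    except ValueError:
        return False

def build_ttyrec(chunks):
    """Builder for constructed sample input: [(sec, usec, payload), ...] -> ttyrec bytes."""
    return b"".join(HEADER.pack(s, u, len(p)) + p for s, u, p in chunks)

# Constructed sample recording (not a real Bastion export): coloured prompt, a command, its output.
SAMPLE = build_ttyrec([
    (1700000000, 0, b"\x1b[32madminlinux1@linux\x1b[0m:~$ "),
    (1700000002, 500000, b"whoami\r\n"),
    (1700000002, 750000, b"adminlinux1\r\n"),
])
```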

SESSION HISTORY – SSH SESSION

SESSION HISTORY – RAWTCPIP SESSION
APPROVAL HISTORY

ACCOUNT HISTORY

AUTHENTICATION HISTORY

CONNECTION STATISTICS

SESSION RECORDING PARAMETERS
▪ Stop/Start session recording
▪ Remote storage

MANAGING THE SESSION RECORDS
CLI COMMANDS
▪ WABSessionLogExport: Export and/or purge session recordings (with neither -p nor -a, the command both creates the archive and removes the exported sessions)
• -p: do not remove sessions
• -a: do not create archive file
• --sessions SESSION: only consider session(s) with the given session ID(s)
• -s DATE: only consider sessions initiated after given date YYYY-MM-DD
• -e DATE: only consider sessions initiated before given date YYYY-MM-DD
• --protocol PROTOCOL: only consider sessions with the given target protocol(s) RDP, SSH
• --target TARGET: only consider sessions to specified target(s)
• --target-group TARGET_GROUP: only consider sessions to targets presently in the specified group(s)
• --user USER: only consider sessions from specified user(s)
• --user-group USER_GROUP: only consider sessions from users presently in the specified group(s)
• --passphrase PASSPHRASE: the passphrase used to encrypt the archive file
• -h: display command help

CLI COMMANDS
▪ Example of exporting logs

CLI COMMANDS
▪ WABSessionLogImport: Import archived session recordings
• -f FILE: Import this archive file.

▪ Example of importing a log archive file

LAB3: SESSION AUDIT

[Lab network diagram: WALLIX LAB ESXi, domain wallix.lab, Internet access]

• Debian 9 server: Splunk, Mail Server, XRDP, VNC server, Telnet Server, FTP server
• Windows Server 2016 Domain Controller (192.168.0.254): AD server, DNS server, FTP server; OU organizationX, group groupX, users admindomainX, admindomainX2, admindomainX3, admindomainX4
• Per-trainee targets: Linux Server (users adminlinux1, adminlinux2, adminlinux3) and Windows Server 2016 (users adminlocal1, adminlocal2, adminlocal3) at 192.168.0.11, .12, .21, .22, .31, .32, .41, .42
• Bastions: 192.168.0.10 (Trainee1), 192.168.0.20 (Trainee2), 192.168.0.30 (Trainee3), 192.168.0.40 (Trainee4)
• Bastion users per trainee N: adminbastionN, userbastionN, approverN, auditorN; trainee addresses 192.168.0.15, .25, .35, .45
