Recording Setting & Configuration

Background 

Sessions can be recorded to track user activity for compliance purposes.

Supported Protocols

The following protocols are supported for recording:

  • SSH (Web & Native)
  • RDP (Web & Native)
  • Telnet (Web)
  • VNC (Web)

Note: Recordings cannot be configured for HTTP/S sessions.

Configuring Recorded Sessions 

Step 1: Enable Recordings Per Policy.

  1. Navigate to the Admin Portal: Settings > ZTNA > Policies.
  2. Locate the Record Session field (default: off).
  3. Toggle Record Session to "on" to enable session recordings for the selected policy.

Step 2: Configure the recording size estimate and safety threshold.

  1. Navigate to Settings > ZTNA > Configuration > Recording.
  2. Configure the following fields:
    • Estimate Per Recording (MB): Set the estimated size (in MB) of a single recording. This impacts the maximum number of concurrent recordings.
    • Safety Threshold for Recording (MB): Define the minimum available storage required for the system to accept new recordings.

  

 

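Example:

  • Total disk space: 100 GB.
  • Storage used: 95 GB.
  • Recording estimate: 1 GB.
  • Safety threshold: 2 GB.

A new recording is accepted only while used storage plus the estimate stays below 98 GB (100 GB total minus the 2 GB safety threshold):

  • Request 1: Approved (95 GB + 1 GB = 96 GB < 98 GB).
  • Request 2: Approved (96 GB + 1 GB = 97 GB < 98 GB).
  • Request 3: Rejected (97 GB + 1 GB = 98 GB, which reaches the 98 GB limit set by the safety threshold).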

These two configurable fields are the core elements of the 'leasing service'. When a user attempts to connect to a recorded application, the leasing service checks the estimated recording size and the configured safety threshold against the space left on the App Gateway. The estimated storage space is released once the session ends.

Step 3: Configure User Experience for Recorded Sessions

  1. Go back to the relevant policy under Parameters.
  2. Choose one of the following options:
    • Fail-Open Configuration (default): If there is insufficient space for recording, users can still access the application, but their sessions will not be recorded. Audit logs will note the session as accessed but not recorded.
    • Fail-Close Configuration: If there is insufficient space for recording, users will be denied access to the application. Audit logs will reflect the failed connection attempt due to insufficient space.
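The admission check from Step 2 and the fail-open/fail-close outcomes from Step 3 can be modelled together. The following is an added example, not Safous code. The class, method names and audit strings are hypothetical, 1 GB is taken as 1000 MB, and the model assumes each active session reserves exactly one estimate.

```python
from dataclasses import dataclass, field


@dataclass
class LeasingModel:
    """Toy model of the recording lease check; all names are hypothetical."""
    total_mb: int
    used_mb: int
    estimate_mb: int      # "Estimate Per Recording (MB)"
    threshold_mb: int     # "Safety Threshold for Recording (MB)"
    leases: set = field(default_factory=set)

    def _fits(self) -> bool:
        reserved = len(self.leases) * self.estimate_mb
        limit = self.total_mb - self.threshold_mb
        # Strict "<": the page rejects a request that lands exactly on the limit.
        return self.used_mb + reserved + self.estimate_mb < limit

    def connect(self, session_id: str, fail_close: bool = False) -> dict:
        """Return the access decision and audit outcome for one session."""
        if self._fits():
            self.leases.add(session_id)
            return {"access": True, "recorded": True, "audit": "recorded"}
        if fail_close:
            return {"access": False, "recorded": False,
                    "audit": "denied: insufficient recording space"}
        return {"access": True, "recorded": False,
                "audit": "accessed, not recorded"}

    def disconnect(self, session_id: str) -> None:
        """Ending a session releases its reserved estimate."""
        self.leases.discard(session_id)


def demo():
    # Constructed input: the example figures from this page, in MB.
    gw = LeasingModel(total_mb=100_000, used_mb=95_000,
                      estimate_mb=1_000, threshold_mb=2_000)
    results = [gw.connect("s1"), gw.connect("s2"),
               gw.connect("s3"),                    # fail-open (default)
               gw.connect("s4", fail_close=True)]   # fail-close policy
    gw.disconnect("s1")                             # lease released
    results.append(gw.connect("s5", fail_close=True))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The third session shows the gap that fail-open leaves: access is granted with no recording, so the audit log entry is the only trace of that session.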

Viewing Recorded Sessions

When session recording is enabled, the recorded sessions for those users are stored. Under Settings > ZTNA > Account, you can specify which users can access the recordings.

Access recordings at: https://recordings.<customer-domain>.ztna.safous.com.


As noted in the screenshot above, the Recording console has a table with all of the recordings. Recordings are encoded in raw format. The Status column shows whether the recording is available. In the Action column, click on the arrow to play and the recorded session will begin to run.

Space Requirements for Recording

Estimate required storage based on:

  • Number of users.
  • Applications enabled for recording.
  • Duration of recorded sessions.

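Tip: Use the Fail-Open configuration to ensure user access if storage thresholds are not met. Sessions admitted this way are not recorded; the audit log notes them as accessed but not recorded.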

Best Practices for Long-Term Storage

  1. Create a shared folder for long-term storage of recordings or large files.
  2. Move recordings from /temp/recordings on the App Gateway to the shared folder.

Handling Blobs Saved on Hard Disk

If recordings (blobs) are stored on the hard disk:

  1. Run: umount /blobs.
  2. Delete all blobs in the /blobs folder.
  3. Remount: mount /blobs.

If errors occur (e.g., docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object):

  • Run: mount /tmp -o remount,exec.

Logs

Audit logs (Analytics > ZTNA > Audit Log) track:

  • Who accessed a recording.
  • Who deleted a recording.