Background
Sessions can be recorded in order to track the activity of users for compliance purposes.
Supported Protocols
The following protocols are supported for recording:
- SSH (Web & Native)
- RDP (Web & Native)
- Telnet (Web)
- VNC (Web)
Please note that you cannot configure recordings for HTTP/S sessions.
Configuring Recorded Sessions
To configure web-based SSH, RDP, VNC, Telnet sessions, or RDP native sessions, follow the steps below.
Step 1: Configure recordings per policy.
Navigate to the Admin Portal, Settings > ZTNA > Policies, where you will find a Record Session field. This field is toggled off by default. If you wish to record sessions governed by that policy, toggle the Record Session field on.
Step 2: Configure the recording size and threshold fields.
Under Settings > ZTNA > Configuration > Recording there are three fields, two of which require configuration:
- Estimate per recording in megabytes: The estimated size of a single recording in MB. This estimate directly determines the maximum number of concurrent recordings.
- Safety threshold for the recording leaser in megabytes: The minimum amount of storage that must remain available for the system to be considered safe and willing to lease more storage.
As an example, suppose the total disk storage is 100GB, of which 95GB is already in use. The admin has configured the recording estimate to 1GB and the safety threshold to 2GB. If three recording requests are made:
- The first request is approved, since 95GB+1GB=96GB < 98GB=100GB-2GB.
- The second request is approved, since 96GB+1GB=97GB < 98GB=100GB-2GB.
- The third request is rejected, since 97GB+1GB=98GB, which is not less than 98GB=100GB-2GB.
These two configurable fields are the core elements of the 'leasing service.' When a user attempts to connect to a recorded application, the leasing service adds the recording estimate to the space already in use and checks the result against the safety threshold and the space remaining on the App Gateway. Please note that the estimated storage space is released once the session ends.
Step 4: Configuring the user experience for recorded sessions. Navigate back to the policy that requires recorded sessions. Under Parameters, there are two configurable options:
- The fail-open configuration: This is the default configuration. When it is enabled (toggled on) and a user attempts to connect to an application that is set to record, but the App Gateway estimates that there is insufficient space for the recording (based on the Administrator's estimate and threshold configuration in Step 3), the user can still access the application but the session is not recorded. Audit logs reflect that a session was accessed but not recorded.
- The fail-close configuration: If this configuration is chosen and a user attempts to connect to an application that is set to record, but the App Gateway estimates that there is insufficient space for the recording, the user is barred from connecting to the application. The Audit logs reflect that the user was unable to connect to the session because there was insufficient space.
As noted, the configuration chosen by the Administrator determines how users are "treated" on their initial connection. With fail-close, a shortage of recording space blocks the user from connecting at all; because this is disruptive, fail-open is the default.
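The leasing check and the fail-open/fail-close behaviour described above, modelled as an added example (not Safous code; class and method names are assumptions, and all numbers are the page's own 100GB/95GB/1GB/2GB scenario expressed in megabytes):

```python
"""Constructed model of the recording leasing service. Units are megabytes."""
from dataclasses import dataclass, field


@dataclass
class RecordingLeaser:
    total_mb: int                 # total disk on the App Gateway
    used_mb: int                  # space already consumed
    estimate_mb: int              # "Estimate per recording in megabytes"
    threshold_mb: int             # "Safety threshold for the recording leaser"
    fail_open: bool = True        # policy Parameter: fail-open (default) or fail-close
    leases: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def can_lease(self) -> bool:
        # Approve only while used + estimate stays strictly below total - threshold.
        return self.used_mb + self.estimate_mb < self.total_mb - self.threshold_mb

    def connect(self, session_id: str) -> tuple:
        """Returns (access_granted, recorded) and writes an audit entry."""
        if self.can_lease():
            self.used_mb += self.estimate_mb          # lease the estimated space
            self.leases[session_id] = self.estimate_mb
            self.audit_log.append(f"{session_id}: accessed, recorded")
            return True, True
        if self.fail_open:
            self.audit_log.append(f"{session_id}: accessed, NOT recorded (insufficient space)")
            return True, False
        self.audit_log.append(f"{session_id}: connection refused (insufficient space)")
        return False, False

    def disconnect(self, session_id: str) -> None:
        # The estimated space is released once the session ends.
        self.used_mb -= self.leases.pop(session_id, 0)


def run_page_example(fail_open: bool = True):
    """Three recording requests against 100GB total, 95GB used, 1GB estimate, 2GB threshold."""
    leaser = RecordingLeaser(total_mb=100_000, used_mb=95_000, estimate_mb=1_000,
                             threshold_mb=2_000, fail_open=fail_open)
    results = [leaser.connect(f"session-{i}") for i in (1, 2, 3)]
    return results, leaser


if __name__ == "__main__":
    for mode in (True, False):
        results, leaser = run_page_example(fail_open=mode)
        print("fail-open" if mode else "fail-close", results)
        print("\n".join(leaser.audit_log))
```

Ending a session frees its lease, so a fourth request succeeds once any earlier session has disconnected.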
Viewing Recorded Sessions
When session recording is activated for a policy, every session matching that policy is recorded and stored. In Settings > ZTNA > Account you can specify which users may access the Recordings.
The Recording console is accessed at this URL: https://recordings.<customer-domain>.ztna.safous.com and it looks like this:
As noted in the screenshot above, the Recording console has a table with all of the recordings. Recordings are encoded in raw format. The Status column shows whether the recording is available. In the Action column, click on the arrow to play and the recorded session will begin to run.
You should estimate recording sizes and thresholds based on the number of users, the number of applications selected for recording, and how long recorded sessions last. The more users you have and the longer they stay on a recorded application, the more disk space you will need. If you ignore the safety threshold or recording estimate and have selected the fail-close configuration, your users will be unable to access the application.
Make Use of Shared Folders
Create a shared folder that functions as long-term storage for videos or other large files, then move recordings out of the /temp/recordings folder on the App Gateway into the shared folder.
If the mount does not work and blobs (which hold recordings) are being saved to your local hard disk, follow these steps:
- Step 1: umount /blobs
- Step 2: delete all blobs inside the blobs folder
- Step 3: mount /blobs
- If you receive a docker-compose error (e.g., docker-compose: error while loading shared libraries: libz.so.1: failed to map segment from shared object), /tmp is mounted noexec; run the command below and retry: mount /tmp -o remount,exec
Logs
The Audit logs (Analytics > ZTNA > Audit Log) reflect who watched the recording or deleted a recording.