GlobalProtect
Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs
Use the following topics to help you to identify the
root cause for connectivity, network access, or performance issues
experienced by end users by viewing the entire troubleshooting and
diagnostics log record in the Log Details window:
- General Log Details
- Portal Log Details
- Gateway Log Details
- Network Log Details
- Endpoint State Log Details
- GlobalProtect App Health Log Details
- Gateway Network Impairments
- App Access Performance
General Log Details
The following table describes the individual
log fields placed into the General logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
Log Field | Description |
---|---|
Generated Time | Date and time when the log was generated on the end user’s endpoint. This string displays a timestamp value in UTC format (default). |
Report ID | Unique identifier that is assigned by the GlobalProtect app to the report. |
Report Type | Identifies the troubleshooting or diagnostics report type generated from the end user’s endpoint. |
Username | Username that is used to log in to GlobalProtect. |
Hostname | Hostname (IP address or fully qualified domain name) for the end user’s endpoint. |
Host ID | Unique host ID that is assigned by GlobalProtect to identify the host. |
Serial Number | Serial number of the end user’s endpoint. |
Operating System | OS type of the end user’s endpoint on which the GlobalProtect app is deployed. |
Locale | System language of the end user’s endpoint on which the GlobalProtect app is deployed. |
GlobalProtect Version | GlobalProtect app version number. |
Error Stage | Identifies the stage in the GlobalProtect connection workflow (such as portal pre-login, gateway pre-login, gateway, get-config, or network discovery) at which the portal or gateway error occurred. |
Error Message | The last error message that triggered the report generation. The identical error message is also displayed on the GlobalProtect app. |
Error Details | Additional information to help you to identify the root cause to resolve connectivity, network access, or performance issues from the end user’s endpoint. |
Error Generated Time | Time when the error was generated from the end user’s endpoint. This string displays a timestamp value in UTC format (default). |
Host Time Offset | Time zone offset of the host from Greenwich Mean Time (GMT), in minutes. For example, the value of -420 is displayed for the PST time zone when daylight saving time is enabled. |
Portal Log Details
The following table describes the individual
log fields placed into the Portal logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
Log Field | Description |
---|---|
Portal Address | GlobalProtect portal that the end user last connected to. |
Portal Reachable | Whether the portal is reachable and accepted the TCP connection request. |
Portal SSL Certificate Valid | Whether the portal server certificate is valid. |
Portal Authentication | Authentication methods used to establish a connection with the portal (for example, client certificate authentication, username/password, or SAML). |
Portal Status | Whether the GlobalProtect app was able to establish a connection with the portal. |
Cached Configuration | Whether the local cached portal configuration is used (for example, when the portal is unreachable). |
Configuration Refresh | Whether the GlobalProtect portal login is automatically used for configuration refresh. |
Last Connect Time | The last time the end user connected to the portal. This string displays a timestamp value in UTC format (default). |
Gateway Log Details
The following table describes the individual
log fields placed into the Gateway logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
Log Field | Description |
---|---|
Gateway Address | GlobalProtect gateway that the end user last connected to or attempted to connect to based on failed gateway connection reports. |
Location | Location of the GlobalProtect gateway that the end user connected to. You can also use this location information to determine the end user’s proximity to the gateway. If you do not specify a gateway location, the Explore app displays an empty location field. |
Gateway Reachable | Whether the gateway is reachable and accepted the TCP connection request. |
Attempted Gateways | List of attempted gateways before connecting to a specific gateway. |
Gateway SSL Certificate Valid | Whether the gateway server certificate is valid to allow the GlobalProtect app to connect to a gateway. |
Gateway Authentication | Authentication methods used to establish a connection with the gateway (for example, client certificate authentication, username/password, or SAML). |
Gateway Status | Whether the GlobalProtect app is able to establish a connection with the gateway. Connected indicates a successful VPN connection. Disconnected indicates that the end user is not connected. Restoring VPN connection indicates that GlobalProtect attempted to reestablish the connection after the tunnel is disconnected. |
IPSec Enabled | IPSec is enabled to secure the VPN tunnels between the GlobalProtect app and the gateway. |
IPSec Failure Reason | Failure information for an unsuccessful IPSec tunnel connection. For example, when port 4501 is specified for UDP and blocked, the IPSec connection cannot be established. |
SSL Failure Reason | Failure information for an unsuccessful SSL tunnel connection. For example, the SSL tunnel failed to establish a connection or the keepalive timeout disconnected after the tunnel connection was established. |
Fallback to SSL Reason | Information about why the GlobalProtect app fell back to an SSL tunnel when the IPSec tunnel cannot be established. |
DLSA Status | Whether the No direct access to local network option is enabled. |
Logout Time | The last time the end user successfully logged out of the gateway. This string displays a timestamp value in UTC format (default). |
Tunnel Rename | (Windows only) Whether the pre-logon tunnel was successfully renamed to the user tunnel. |
Network Log Details
The following table describes the individual
log fields placed into the Network logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
Log Field | Description |
---|---|
Network Access | Whether network access is available. |
Type | Type of network connectivity such as Ethernet, WiFi, or Wireless Wide Area Network (WWAN) on the end user’s endpoint. |
Internet Access | Whether internet access is available on the end user’s endpoint. |
Internal Network | Whether the end user’s endpoint is on the internal network. |
Captive Portal | Whether the captive portal is detected so that the end user must log in to a captive portal to access the internet. |
Proxy Server | Hostname of the proxy server if the proxy is configured. |
Dual Stack Tunnel Interface | Whether the dual stack network of the tunnel interface is enabled. |
DNS Reachable | Whether the DNS servers are configured for internet access and reachable through the physical adapter. |
Portal/Gateway Latency | The number of milliseconds before the TCP connection times out for the portal or gateway due to unresponsiveness. |
GlobalProtect MTU | The GlobalProtect MTU value that is used by the app for the virtual adapter (see GlobalProtect App Customization). |
Endpoint State Log Details
The following table describes the individual
log fields placed into the Endpoint State logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests
and to include diagnostic logs, the log fields are empty for the Endpoint
State group.
Log Field | Description |
---|---|
CPU Usage | The percentage of CPU used on the end user’s endpoint. |
GlobalProtect CPU Usage | The percentage of CPU used by the GlobalProtect app. |
Total Memory | Total memory in GB. |
Memory Usage | The percentage of total memory used on the end user’s endpoint. |
GlobalProtect Memory Usage | The percentage of total memory used by the GlobalProtect app. |
Total Disk Space | The total disk space used on the end user’s endpoint. |
Disk Available | The total disk space that is available on the end user’s endpoint. |
GlobalProtect App Health Log Details
The following table describes the individual
log fields placed into the GlobalProtect App Health logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests
and to include diagnostic logs, the log fields are empty for the GlobalProtect
App Health group.
Log Field | Description |
---|---|
Install History | Whether the GlobalProtect app was installed for the first time, upgraded to a newer version, or downgraded to a previous version. If end users are upgrading from GlobalProtect app 5.2.5 to a newer version, Install History displays that they upgraded from GlobalProtect app 5.2.5. If end users are upgrading from GlobalProtect app 5.2.4 to 5.2.5, Install History displays Fresh Install. If end users are downgrading from a newer version such as GlobalProtect app 5.2.6 to 5.2.5, Install History displays that they downgraded from GlobalProtect app 5.2.6 to 5.2.5. If end users are downgrading to older versions of the app (5.2.4 and earlier releases), the GlobalProtect App Log Collection for Troubleshooting feature is not supported. |
Enforcer Status | Whether GlobalProtect connections for network access are enabled or disabled on the GlobalProtect portal but not enforced on the portal (see GlobalProtect App Customization). |
Privileges | (macOS only) Whether end users are granted privileges to perform tasks such as enabling the system extensions to configure a split tunnel based on the destination domain and application and to enforce GlobalProtect connections for network access without requiring kernel extensions. |
App Tampered | (Windows and macOS only) Whether GlobalProtect application files are altered or modified on the end user’s endpoint. |
Jailbroken Status | (iOS and Android only) Whether these end user endpoints have been jailbroken. |
Last HIP Report Time | Last time that the host information profile (HIP) report was sent. This string displays a timestamp value in UTC format (default). |
Last Logout Time | Last time that the GlobalProtect app logged out. This string displays a timestamp value in UTC format (default). |
Disable History | Number of times listed when end users enabled or disabled the GlobalProtect app. This string displays a timestamp value in UTC format (default). |
Split-tunnel Configuration | (Windows and macOS only) Type of split tunnel capability that is configured based on an access route, destination domain, application, and HTTP/HTTPS video streaming application. |
Crash history | (Windows and macOS only) Number of timestamps that correspond to the GlobalProtect app crashes (if any). |
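The following added example (not part of the Palo Alto Networks documentation or product code) shows how the security-relevant fields from the General, Portal, Gateway, and App Health groups above can be triaged together. It assumes one log record has been loaded into a Python dict keyed by the field names in the tables, with Yes/No string values and an ISO 8601 Generated Time; that encoding and the function names are assumptions, not the product's export format.

```python
from datetime import datetime, timedelta, timezone

def flag(record, field):
    """Return True/False for a Yes/No field, or None when the field is empty."""
    value = str(record.get(field, "")).strip().lower()
    return {"yes": True, "no": False}.get(value)

def endpoint_local_time(record):
    """Shift Generated Time (UTC) by Host Time Offset (minutes from GMT)."""
    utc = datetime.fromisoformat(record["Generated Time"]).replace(tzinfo=timezone.utc)
    offset = timedelta(minutes=int(record["Host Time Offset"]))
    return utc.astimezone(timezone(offset))

def triage(record):
    """List the security-relevant conditions present in one log record."""
    findings = []
    for side in ("Portal", "Gateway"):
        # A server that accepts TCP but presents an invalid certificate
        # needs a closer look than one that is simply unreachable.
        reachable = flag(record, f"{side} Reachable")
        if reachable and flag(record, f"{side} SSL Certificate Valid") is False:
            findings.append(f"{side} reachable but server certificate not valid")
    if flag(record, "Cached Configuration"):
        findings.append("Cached portal configuration in use")
    reason = str(record.get("Fallback to SSL Reason", "")).strip()
    if flag(record, "IPSec Enabled") and reason:
        findings.append(f"IPSec enabled but fell back to SSL: {reason}")
    tampered = flag(record, "App Tampered")
    jailbroken = flag(record, "Jailbroken Status")
    if tampered is None and jailbroken is None:
        # Empty App Health fields mean diagnostics were not enabled, not "clean".
        findings.append("App Health fields empty: integrity state unknown")
    if tampered:
        findings.append("GlobalProtect application files altered")
    if jailbroken:
        findings.append("Endpoint is jailbroken")
    return findings

# Constructed sample record (hypothetical values, not real log output).
SAMPLE = {
    "Generated Time": "2024-03-12T18:05:00",
    "Host Time Offset": "-420",
    "Portal Reachable": "Yes",
    "Portal SSL Certificate Valid": "Yes",
    "Cached Configuration": "No",
    "Gateway Reachable": "Yes",
    "Gateway SSL Certificate Valid": "No",
    "IPSec Enabled": "Yes",
    "Fallback to SSL Reason": "IPSec connection could not be established",
    "App Tampered": "Yes",
    "Jailbroken Status": "",
}

if __name__ == "__main__":
    print(endpoint_local_time(SAMPLE).isoformat())
    for finding in triage(SAMPLE):
        print("-", finding)
```
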
Gateway Network Impairments
The following table describes the individual
log fields placed into the Gateway Network Impairments logical
group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests
and to include diagnostic logs, the log fields are empty for the Gateway
Network Impairments group.
In order for the GlobalProtect app to run end-to-end diagnostic tests
to test the network impairments, the GlobalProtect gateway must
be allowed to send ICMP ping requests.
Log Field | Description |
---|---|
Latency | Latency that is measured between the end user’s endpoint and the Prisma Access gateway in milliseconds. |
Jitter | Jitter that is measured between the end user’s endpoint and the Prisma Access gateway over a period of time in milliseconds. |
Packet Loss | The percentage of packet loss that is used to measure the number of packets sent over a network that failed to reach the destination of the Prisma Access gateway. ICMP ping requests must be allowed on the gateway interface. |
App Access Performance
You can specify up to ten HTTPS-based destination URLs
that can contain IP addresses or fully qualified domain names (for
example, https://10.10.10.10/resource.html, https://webserver/file.pdf,
or https://google.com) for which you want to run diagnostic tests by configuring
the GlobalProtect portal.
If you configured split tunneling to include or exclude
traffic based on access routes (Split Tunnel > Access Route) or based on destination
domain or application (Split Tunnel > Domain and Application) and
run diagnostic tests and check performance tests inside or outside
the tunnel, split tunneling takes precedence over the routing table
and more specific routes take precedence over the default route.
In order for the GlobalProtect app to run end-to-end diagnostic
tests to probe the access performance, the following limitations
apply:
- On iOS, the server performance tests include only the metrics that are tested through the physical adapter.
- On iOS 14 or later, the trace route tests are not supported.
- The web server must allow ICMP ping requests for latency, jitter, and packet loss tests.
The following table describes the individual log fields placed
into the App Access Performance logical group
of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests
and to include diagnostic logs, the log field is empty for the App Access
Performance group.
Log Field | Description |
---|---|
Server Performance | Server performance data is tested from the end user’s endpoint for each destination HTTPS-based web server/application that you configured on the portal. The following network metrics are tested through the physical adapter and outside of the tunnel: |
Server Performance | Server performance data is tested from the end user’s endpoint for each destination HTTPS-based web server/application that you configured on the portal. The following network metrics are tested through the GlobalProtect tunnel: |