Configure Custom Reports for GlobalProtect in PAN-OS
Focus
Focus
GlobalProtect

Configure Custom Reports for GlobalProtect in PAN-OS

Table of Contents

Configure Custom Reports for GlobalProtect in PAN-OS

You can configure custom reports for GlobalProtect in PAN-OS.
You can configure custom reports based on GlobalProtect logs that the firewall generates immediately (on demand) or on schedule (each night).
  1. Select MonitorManage Custom Reports.
  2. Click Add and then enter a Name for the report.
  3. To base a report on an predefined template, click Load Template and choose the template. You can then edit the template and save it as a custom report.
  4. If you choose to build the report from scratch, select the database you want to use for the report as Device GlobalProtect Log.
  5. Select the Scheduled check box to run the report each night. The report is then available for viewing in the Reports column on the side.
  6. Define the filtering criteria. Select the Time Frame, the Sort By order, Group By preference, and select the columns that must display in the report.
  7. ( Optional) Select the Query Builder attributes if you want to further refine the selection criteria. To build a report query, specify the following and click Add. Repeat as needed to construct the full query.
    • Connector—Choose the connector (and/or) to precede the expression you are adding.
    • Negate—Select the check box to interpret the query as a negation. If, for example, you choose to match entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match on entries that are not in the past 24 hours and/or are not from the untrust zone.
    • Attribute—Choose a data element. The available options depend on the choice of database.
    • Operator—Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
    • Value—Specify the attribute value to match.
    For example, to build a report for GlobalProtect portal users with unsuccessful login attempts, use a query similar to the following:
    ((eventid eq 'portal-prelogin') or (eventid eq 'portal-auth') or (eventid eq 'portal-gen-cookie') or (eventid eq 'portal-getconfig')) and (status eq 'failure')
  8. To test the report settings, select Run Now. Modify the settings as required to change the information that is displayed in the report.
  9. Click OK to save the custom report.