To base a report on an predefined template, click
Load
Template and choose the template. You can then edit
the template and save it as a custom report.
If you choose to build the report from scratch, select
the database you want to use for the report as
Device
GlobalProtect Log.
Select the
Scheduled check box
to run the report each night. The report is then available for viewing
in the
Reports column on the side.
Define the filtering criteria. Select the
Time
Frame, the
Sort By order,
Group
By preference, and select the columns that must display
in the report.
(
Optional) Select the
Query Builder attributes
if you want to further refine the selection criteria. To build a
report query, specify the following and click
Add.
Repeat as needed to construct the full query.
Connector—Choose the connector
(and/or) to precede the expression you are adding.
Negate—Select the check box to interpret
the query as a negation. If, for example, you choose to match entries
in the last 24 hours and/or are originating from the untrust zone,
the negate option causes a match on entries that are not in the
past 24 hours and/or are not from the untrust zone.
Attribute—Choose a data element. The
available options depend on the choice of database.
Operator—Choose the criterion to determine
whether the attribute applies (such as =). The available options
depend on the choice of database.
Value—Specify the attribute value
to match.
For example, to build a report for GlobalProtect
portal users with unsuccessful login attempts, use a query similar
to the following:
((eventid eq 'portal-prelogin') or (eventid eq 'portal-auth') or (eventid eq 'portal-gen-cookie') or (eventid eq 'portal-getconfig')) and (status eq 'failure')
To test the report settings, select
Run Now.
Modify the settings as required to change the information that is
displayed in the report.