Event Descriptions for the GlobalProtect Logs in PAN-OS
Focus
Focus
GlobalProtect

Event Descriptions for the GlobalProtect Logs in PAN-OS

Table of Contents

Event Descriptions for the GlobalProtect Logs in PAN-OS

Event descriptions for the GlobalProtect portal, gateway, and Clientless VPN logs in PAN-OS.
Use the following descriptions to help you to identify GlobalProtect portal, gateway, or Clientless VPN events when viewing GlobalProtect logs in PAN-OS at MonitorLogsGlobalProtect:

Portal Event Details

The following table describes log events related to the GlobalProtect portal.
EventDescription
portal-auth
Indicates a GlobalProtect portal authentication stage. See Status for results.
portal-gen-cookie
Indicates a GlobalProtect portal authentication override cookie generation event. See Status for results.
portal-getconfig
Indicates a GlobalProtect portal event for generating GlobalProtect client configuration, such as dynamic app configuration or gateway list.
portal-prelogin
Indicates a GlobalProtect portal pre-login event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.

Gateway Event Details

The following table describes log events related to the GlobalProtect gateway.
EventDescription
gateway-agent-msg
Indicates a GlobalProtect gateway event for a message received from the GlobalProtect client, such as GlobalProtect client disable reason message.
gateway-auth
Indicates GlobalProtect gateway authentication stage. See Status for results.
gateway-config-release
Indicates a GlobalProtect gateway event for configuration release, such as remove ip-user mapping or remove tunnel.
gateway-connected
Indicates a GlobalProtect gateway event for a GlobalProtect client successful connection for tunnel or non-tunnel mode.
gateway-framed-ip
Indicates a GlobalProtect gateway event where the gateway retrieved a framed IPv4 address from RADIUS for a GlobalProtect client.
gateway-getconfig
Indicates a GlobalProtect gateway event for generating GlobalProtect client configuration, such as split-tunnel, virtual IP, or tunnel information.
gateway-hip-check
Indicates a GlobalProtect gateway event to confirm whether a GlobalProtect HIP report was updated or not, and to refresh ip-user mapping. Refer to the description for latency reported information. Examples include items such as HIP report is not needed or HIP report is needed.
gateway-hip-report
Indicates a GlobalProtect gateway event to confirm whether a HIP report was received from a GlobalProtect client, to update ip-user mapping, and to enforce HIP policy.
gateway-inheritance
Indicates a GlobalProtect gateway event where a GlobalProtect gateway is using a dynamic IP address and the IP address changed.
gateway-logout
Indicates a GlobalProtect gateway event for a GlobalProtect client logout.
gateway-prelogin
Indicates a GlobalProtect gateway event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.
gateway-register
Indicates GlobalProtect client user information, such as username, domain-name, computer name, hostid, serial number, public ip, or login time is added on the gateway.
gateway-setup-ipsec
Indicates a GlobalProtect gateway event for setting up an IPSec VPN tunnel.
gateway-setup-ssl
Indicates a GlobalProtect gateway event for setting up a SSL VPN tunnel.
gateway-switch-to-ssl
Indicates a GlobalProtect gateway tunnel switch from IPSec to SSL considering IPSec tunnel was not successful.
gateway-tunnel-latency
Indicates GlobalProtect gateway latency provided by a GlobalProtect client. Refer to description for latency reported information, such as Pre-tunnel latency: 10ms or Post-tunnel latency: 1ms
quarantine-add
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is added to the quarantine list.
quarantine-delete
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is removed from the quarantine list.

Clientless VPN Event Details

The following table describes log events related to the GlobalProtect Clientless VPN.
EventDescription
clientlessvpn-login
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN login.
clientlessvpn-logout
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN logout.
clientlessvpn-prelogin
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN. As a part of the event, the following takes place:
  • Certificate: validate whether a client certificate is valid.
  • SAML: generate a SAML request and send it back to a GlobalProtect client.
  • Kerberos: trigger a Kerberos authentication process.