Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs
Focus
Focus
GlobalProtect

Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs

Table of Contents

Details Within the GlobalProtect App Troubleshooting and Diagnostic Logs

Use the following topics to help you to identify the root cause for connectivity, network access, or performance issues experienced by end users by viewing the entire troubleshooting and diagnostics log record in the Log Details window:

General Log Details

The following table describes the individual log fields placed into the General logical group of the Endpoint/GlobalProtect App Troubleshooting log.
Log FieldDescription
Generated Time
Date and time when the log was generated on the end user’s endpoint. This string displays a timestamp value in UTC format (default).
Report ID
Unique identifier that is assigned by the GlobalProtect app to the report.
Report Type
Identifies the troubleshooting or diagnostics report type generated from the end user’s endpoint.
Username
Username that is used to log in to the GlobalProtect.
Hostname
Hostname (IP address or fully qualified domain name) for the end user’s endpoint.
Host ID
Unique host ID that is assigned by GlobalProtect to identify the host.
Serial Number
Serial number of the end user’s endpoint.
Operating System
OS type of the end user’s endpoint on which the GlobalProtect app is deployed.
Locale
System language of the end users endpoint on which the GlobalProtect is deployed.
GlobalProtect Version
GlobalProtect app version number.
Error Stage
Identifies what stage in the GlobalProtect connection workflow such as portal pre-login, gateway pre-login, gateway, get-config, or network discovery that the portal or gateway error occurred.
Error Message
The last error message that triggered the report generation. The identical error message is also displayed on the GlobalProtect app.
Error Details
Additional information to help you to identify the root cause to resolve connectivity, network access, or performance issues from the end user’s endpoint.
Error Generated Time
Time when the error was generated from the end user’s endpoint. This string displays a timestamp value in UTC format (default).
Host Time Offset
Time Zone offset from Greenwich Mean Time (GMT) in minutes of the host. For example, the value of -420 is displayed for the PST time zone when daylight saving time is enabled.

Portal Log Details

The following table describes the individual log fields placed into the Portal logical group of the Endpoint/GlobalProtect App Troubleshooting log.
Log FieldDescription
Portal Address
GlobalProtect portal that the end user last connected to.
Portal Reachable
Whether the portal is reachable and accepted the TCP connection request.
Portal SSL Certificate Valid
Whether the portal server certificate is valid.
Portal Authentication
Authentication methods used to establish a connection with the portal (for example, the client certificate authentication, username/password, or SAML).
Portal Status
Whether the GlobalProtect app was able to establish a connection with the portal.
Cached Configuration
Whether the local cached portal configuration is used (for example, when the portal is unreachable).
Configuration Refresh
Whether the GlobalProtect portal login is automatically used for configuration refresh.
Last Connect Time
The last time the end user connected to the portal. This string displays a timestamp value in UTC format (default).

Gateway Log Details

The following table describes the individual log fields placed into the Gateway logical group of the Endpoint/GlobalProtect App Troubleshooting log.
Log FieldDescription
Gateway Address
GlobalProtect gateway that the end user last connected to or attempted to connect to based on failed gateway connection reports.
Location
Location of the GlobalProtect gateway that the end user connected to. You can also use this location information to determine the end user’s proximity to the gateway.
If you do not specify a gateway location, the Explore app displays an empty location field.
Gateway Reachable
Whether the gateway is reachable and accepted the TCP connection request.
Attempted Gateways
List of attempted gateways before connecting to a specific gateway.
Gateway SSL Certificate Valid
Whether the gateway server certificate is valid to allow the GlobalProtect app to connect to a gateway.
Gateway Authentication
Authentication methods used to establish a connection with the gateway (for example, the client certificate authentication, username/password, or SAML).
Gateway Status
Whether the GlobalProtect app is able to establish a connection with the gateway.
Connected indicates a successful VPN connection. Disconnected indicates that the end user is not connected. RestoringVPN connection indicates that GlobalProtect attempted to reestablish the connection after the tunnel is disconnected.
IPSec Enabled
IPSec is enabled to secure the VPN tunnels between the GlobalProtect app and the gateway.
IPSec Failure Reason
Failure information for unsuccessful IPSec tunnel connection. For example, when port 4501 is specified for UDP and blocked, the IPSec connection cannot be established.
SSL Failure Reason
Failure information for unsuccessful SSL tunnel connection. For example, the SSL tunnel failed to establish a connection or the keepalive timeout disconnected after the tunnel connection was established.
Fallback to SSL Reason
Information about the GlobalProtect app to fall back to an SSL tunnel when the IPSec tunnel cannot be established.
DLSA Status
Whether the No direct access to local network option is enabled.
Logout Time
The last time the end user successfully logged out of the gateway. This string displays a timestamp value in UTC format (default).
Tunnel Rename
(Windows only) Whether the pre-logon tunnel was successfully renamed to the user tunnel.

Network Log Details

The following table describes the individual log fields placed into the Network logical group of the Endpoint/GlobalProtect App Troubleshooting log.
Log FieldDescription
Network Access
Whether network access is available.
Type
Type of network connectivity such as Ethernet, WiFi, or Wireless Wide Area Network (WWAN) on the end user’s endpoint.
Internet Access
Whether internet access is available on the end user’s endpoint.
Internal Network
Whether the end user’s endpoint is on the internal network.
Captive Portal
Whether the captive portal is detected so that end user must log in to a captive portal to access the internet.
Proxy Server
Hostname of the proxy server if the proxy is configured.
Dual Stack Tunnel Interface
Whether the dual stack network of the tunnel interface is enabled.
DNS Reachable
Whether the DNS servers are configured for internet access and reachable through the physical adapter.
Portal/Gateway Latency
The number of milliseconds before the TCP connection times out for the portal or gateway due to unresponsiveness.
GlobalProtect MTU
The GlobalProtect MTU value that is used by the app for the virtual adapter (see GlobalProtect App Customization).

Endpoint State Log Details

The following table describes the individual log fields placed into the Endpoint State logical group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests and to include diagnostic logs, the log fields are empty for the Endpoint State group.
Log FieldDescription
CPU Usage
The percentage of CPU used on the end user’s endpoint.
GlobalProtect CPU Usage
The percentage of CPU used by the GlobalProtect app.
Total Memory
Total memory in GB.
Memory Usage
The percentage of total memory used on the end user’s endpoint.
GlobalProtect Memory Usage
The percentage of total memory used by the GlobalProtect app.
Total Disk Space
The total disk space used on the end user’s endpoint.
Disk Available
The total disk space that is available on the end user’s endpoint.

GlobalProtect App Health Log Details

The following table describes the individual log fields placed into the GlobalProtect App Health logical group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests and to include diagnostic logs, the log fields are empty for the GlobalProtect App Heath group.
Log FieldDescription
Install History
Whether the GlobalProtect app was installed for the first time, upgraded to a newer version, or downgraded to a previous version.
If end users are upgrading from GlobalProtect app 5.2.5 to a newer version, Install History displays that they upgraded from GlobalProtect app 5.2.5. If end users are upgrading from GlobalProtect app 5.2.4 to 5.2.5, Install History displays Fresh Install.
If end users are downgrading from a newer version such as GlobalProtect app 5.2.6 to 5.2.5, Install History displays that they downgraded from GlobalProtect app 5.2.6 to 5.2.5. If end users are downgrading to older versions of the app (5.2.4 and earlier releases), the GlobalProtect App Log Collection for Troubleshooting feature is not supported.
Enforcer Status
Whether the GlobalProtect connections for network access is enabled or disabled on the GlobalProtect Portal but not enforced on the portal (see GlobalProtect App Customization).
Privileges
(macOS only) Whether end users are granted privileges to perform tasks such as enabling the system extensions to configure a split tunnel based on the destination domain and application and to enforce GlobalProtect connections for network access without requiring kernel extensions.
App Tampered
(Windows and macOS only) Whether GlobalProtect application files are altered or modified on the end user’s endpoint.
Jailbroken Status
(iOS and Android only) Whether these end user endpoints have been jailbroken.
Last HIP Report Time
Last time that the host information report (HIP) report was sent. This string displays a timestamp value in UTC format (default).
Last Logout Time
Last time that the GlobalProtect app logged out. This string displays a timestamp value in UTC format (default).
Disable History
Number of times listed when end users enabled or disabled the GlobalProtect app. This string displays a timestamp value in UTC format (default).
Split-tunnel Configuration
(Windows and macOS only) Type of split tunnel capability that is configured based on an access route, destination domain, application, and HTTP/HTTPS video streaming application.
Crash history
(Windows and macOS only) Number of timestamps that correspond to the GlobalProtect app crashes (if any).

Gateway Network Impairments

The following table describes the individual log fields placed into the Gateway Network Impairments logical group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests and to include diagnostic logs, the log fields are empty for the Gateway Network Impairments group.
In order for the GlobalProtect app to run end-to-end diagnostic tests to test the network impairments, the GlobalProtect gateway must be allowed to send ICMP ping requests.
Log FieldDescription
Latency
Latency that is measured between the end user’s endpoint and the Prisma Access gateway in milliseconds.
Jitter
Jitter that is measured between the end user’s endpoint and the Prisma Access gateway over a period of time in milleseconds.
Packet Loss
The percentage of packet loss that is used to measure the number of packets sent over a network that failed to reach the destination of the Prisma Access gateway.
ICMP ping requests must be allowed on the gateway interface.

App Access Performance

You can specify up to ten HTTPS-based destination URLs that can contain IP addresses or fully qualified domain names (for example, https://10.10.10.10/resource.html, https://webserver/file.pdf, or https://google.com) for which you want to run diagnostic tests by configuring the GlobalProtect portal.
If you configured split tunneling to include or exclude traffic based on access routes (Split TunnelAccess Route) or based on destination domain or application (Split TunnelDomain and Application) and run diagnostic tests and check performance tests inside or outside the tunnel, split tunneling takes precedence over the routing table and more specific routes take precedence over the default route.
In order for the GlobalProtect app to run end-to-end diagnostic tests to probe the access performance, the following limitations apply:
  • On iOS, the server performance tests include only the metrics that are tested through the physical adapter.
  • On iOS 14 or later, the trace route tests are not supported.
  • The web server must allow ICMP ping requests for latency, jitter, and packet loss tests.
The following table describes the individual log fields placed into the App Access Performance logical group of the Endpoint/GlobalProtect App Troubleshooting log.
If you did not enable the GlobalProtect app to run diagnostic tests and to include diagnostic logs, the log field is empty for the App Access Performance group.
Log FieldDescription
Server Performance
Server performance data is tested from the end user’s endpoint for each destination HTTPS-based web servers/applications that you configured on the portal. The following network metrics are tested through the physical adapter and outside of the tunnel:
  • out_latency—Latency that is measured in milliseconds between the end user’s endpoint and for each destination HTTPS-based web servers/applications through the physical adapter.
  • out_jitter—Jitter that is measured over a period of time in milleseconds between the end user’s endpoint and for each destination HTTPS-based web servers/applications through the physical adapter.
  • out__packet_loss—The percentage of packet loss that is used to measure the number of packets sent over a network that failed to reach each destination HTTPS-based web servers/applications through the physical adapter.
  • out_tcp_connect_time—TCP connection time that is measured to the server through the physical adapter.
  • out_first_byte_time—Time to first byte that is measured in milliseconds to connect to the server through the physical adapter. On macOS endpoints, time to first byte is calculated when the GlobalProtect client received the server certificate time and the API processing time.
  • out_download_size—Size of the file in bytes that is downloaded from the physical adapter.
  • out_download_speed—Speed that is measured in Kbps at which the file is downloaded from the physical adapter. We recommend that you use a binary file to test the download speed instead of using the web page.
  • out_trace_route—Result of the trace route that is configured on the destination through the physical adapter.
Server Performance
Server performance data is tested from the end user’s endpoint for each destination HTTPS-based web servers/applications that you configured on the portal. The following network metrics are tested through the GlobalProtect tunnel:
  • in_latency—Latency that is measured in milliseconds between the end user’s endpoint and for each destination HTTPS-based web servers/applications through the GlobalProtect tunnel.
  • in_jitter—Jitter that is measured over a period of time in milleseconds between the end user’s endpoint and for each destination HTTPS-based web servers/applications through the GlobalProtect tunnel.
  • in__packet_loss—The percentage of packet loss that is used to measure the number of packets sent over a network that failed to reach each destination HTTPS-based web servers/applications through the GlobalProtect tunnel.
  • in_tcp_connect_time—TCP connection time that is measured to the server through the GlobalProtect tunnel.
  • in_first_byte_time—Time to first byte that is measured in milliseconds to connect to the server through the GlobalProtect tunnel. On macOS endpoints, time to first byte is calculated when the GlobalProtect client received the server certificate time and the API processing time.
  • in_download_size—Size of the file in bytes that is downloaded from the GlobalProtect tunnel.
  • in_download_speed—Speed that is measured in Kbps at which the file is downloaded from the GlobalProtect tunnel. We recommend that you use a binary file to test the download speed instead of using the web page.
  • in_trace_route—Result of the trace route that is configured on the destination through the GlobalProtect tunnel.