Event Descriptions for the GlobalProtect Logs in PAN-OS
Event descriptions for the GlobalProtect portal, gateway,
and Clientless VPN logs in PAN-OS.
Use the following descriptions to help you to identify
GlobalProtect portal, gateway, or Clientless VPN events when viewing
GlobalProtect logs in PAN-OS at MonitorLogsGlobalProtect:
The following table describes log events
related to the GlobalProtect portal.
Event
Description
portal-auth
Indicates a GlobalProtect portal authentication
stage. See Status for results.
portal-gen-cookie
Indicates a GlobalProtect portal authentication
override cookie generation event. See Status for results.
portal-getconfig
Indicates a GlobalProtect portal event for generating
GlobalProtect client configuration, such as dynamic app configuration
or gateway list.
portal-prelogin
Indicates a GlobalProtect portal pre-login event.
As a part of the event, the GlobalProtect client does the following:
Certificate: validates whether a client certificate is valid.
SAML: generates a SAML request and sends it back to a GlobalProtect
client.
Kerberos: triggers a Kerberos authentication process.
Gateway Event Details
The following table describes log events
related to the GlobalProtect gateway.
Event
Description
gateway-agent-msg
Indicates a GlobalProtect gateway event
for a message received from the GlobalProtect client, such as GlobalProtect
client disable reason message.
gateway-auth
Indicates GlobalProtect gateway authentication
stage. See Status for results.
gateway-config-release
Indicates a GlobalProtect gateway event
for configuration release, such as remove ip-user mapping or remove
tunnel.
gateway-connected
Indicates a GlobalProtect gateway event
for a GlobalProtect client successful connection for tunnel or non-tunnel
mode.
gateway-framed-ip
Indicates a GlobalProtect gateway event where
the gateway retrieved a framed IPv4 address from RADIUS for a GlobalProtect client.
gateway-getconfig
Indicates a GlobalProtect gateway event
for generating GlobalProtect client configuration, such as split-tunnel,
virtual IP, or tunnel information.
gateway-hip-check
Indicates a GlobalProtect gateway event
to confirm whether a GlobalProtect HIP report was updated or not,
and to refresh ip-user mapping. Refer to the description for latency
reported information. Examples include items such as HIP report
is not needed or HIP report is needed.
gateway-hip-report
Indicates a GlobalProtect gateway event
to confirm whether a HIP report was received from a GlobalProtect
client, to update ip-user mapping, and to enforce HIP policy.
gateway-inheritance
Indicates a GlobalProtect gateway event where
a GlobalProtect gateway is using a dynamic IP address and the IP
address changed.
gateway-logout
Indicates a GlobalProtect gateway event
for a GlobalProtect client logout.
gateway-prelogin
Indicates a GlobalProtect gateway event. As
a part of the event, the GlobalProtect client does the following:
Certificate: validates whether a client certificate is valid.
SAML: generates a SAML request and sends it back to a GlobalProtect
client.
Kerberos: triggers a Kerberos authentication process.
gateway-register
Indicates GlobalProtect client user information,
such as username, domain-name, computer name, hostid, serial number,
public ip, or login time is added on the gateway.
gateway-setup-ipsec
Indicates a GlobalProtect gateway event
for setting up an IPSec VPN tunnel.
gateway-setup-ssl
Indicates a GlobalProtect gateway event
for setting up a SSL VPN tunnel.
gateway-switch-to-ssl
Indicates a GlobalProtect gateway tunnel switch
from IPSec to SSL considering IPSec tunnel was not successful.
gateway-tunnel-latency
Indicates GlobalProtect gateway latency provided
by a GlobalProtect client. Refer to description for latency reported
information, such as Pre-tunnel latency: 10ms or Post-tunnel latency:
1ms
quarantine-add
Indicates a GlobalProtect gateway event
for a GlobalProtect client, confirming that the client is added
to the quarantine list.
quarantine-delete
Indicates a GlobalProtect gateway event
for a GlobalProtect client, confirming that the client is removed
from the quarantine list.
Clientless VPN Event Details
The following table describes log events
related to the GlobalProtect Clientless VPN.
Event
Description
clientlessvpn-login
Indicates a GlobalProtect portal event for GlobalProtect
Clientless VPN login.
clientlessvpn-logout
Indicates a GlobalProtect portal event for GlobalProtect
Clientless VPN logout.
clientlessvpn-prelogin
Indicates a GlobalProtect portal event for GlobalProtect
Clientless VPN. As a part of the event, the following takes place:
Certificate: validate whether a client certificate is valid.
SAML: generate a SAML request and send it back to a GlobalProtect
client.
Kerberos: trigger a Kerberos authentication process.
