GlobalProtect Log Fields
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
GlobalProtect Log Fields
View GlobalProtect log field information using syslog.
Format: FUTURE_USE, Receive Time, Serial
Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual
System, Event ID, Stage, Authentication Method, Tunnel Type, Source
User, Source Region, Machine Name, Public IP, Public IPv6, Private
IP, Private IPv6, Host ID, Serial Number, Client Version, Client
OS, Client OS Version, Repeat Count, Reason, Error, Description,
Status, Location, Login Duration, Connect Method, Error Code, Portal,
Sequence Number, Action Flags, High Res Timestamp, Selection Type,
Response Time, Priority, Attempted Gateways, Gateway, Device Group
Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group
Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System
Name, Device Name, Virtual System ID, Cluster Name
Field Name | Description |
---|---|
Receive Time (receive_time) | The time that the log was received at the
management plane. |
Serial # (serial) | The serial number of the firewall that generated
the log. |
Type (type) | Specifies the type of log; value is GLOBALPROTECT. |
Threat/Content Type (subtype) | Subtype of threat log. Values include the
following:
|
Generate Time (time_generated) | The time that the log was generated on the
dataplane. |
Virtual System (vsys) | The Virtual System associated with the session. |
Event ID (eventid) | A string showing the name of the event. |
Stage (stage) | A string showing the stage of the connection
(for example, before-login, login,
or tunnel). |
Authentication Method (auth_method) | A string showing the authentication type,
such as LDAP, RADIUS,
or SAML. |
Tunnel Type (tunnel_type) | The type of tunnel (either SSLVPN or IPSec). |
Source User (srcuser) | The username of the user who initiated the
session. |
Source Region (srcregion) | The region for the user who initiated the
session. |
Machine Name (machinename) | The name of the user’s machine. |
Public IP (public_ip) | The public IP address for the user who initiated
the session. |
Public IPv6 (public_ipv6) | The public IPv6 address for the user who
initiated the session. |
Private IP (private_ip) | The private IP address for the user who
initiated the session. |
Private IPv6 (private_ipv6) | The private IPv6 address for the user who
initiated the session. |
Host ID (hostid) | The unique ID that GlobalProtect assigns
to identify the host. |
Serial Number (serialnumber) | The serial number of the user’s machine
or device. |
Client Version (client_ver) | The client’s GlobalProtect app version. |
Client OS (client_os) | The client device’s OS type (for example,
Windows or Linux). |
Client OS Version (client_os_ver) | The client device’s OS version. |
Repeat Count (repeatcnt) | The number of sessions with the same source
IP address, destination IP address, application, and subtype that
GlobalProtect has detected within the last five seconds. |
Reason (reason) | A string that shows the reason for the quarantine. |
Error (error) | A string showing that error that has occurred
in any event. |
Description (opaque) | Additional information for any event that
has occurred. |
Status (status) | The status (success or failure) of the event. |
Location (location) | A string showing the administrator-defined
location of the GlobalProtect portal or gateway. |
Login Duration (login_duration) | The length of time, in seconds, the user
is connected to the GlobalProtect gateway from logging in to logging
out. |
Connect Method (connect_method) | A string showing the how the GlobalProtect
app connects to Gateway, (for example, on-demand or user-logon. |
Error Code (error_code) | An integer associated with any errors that
occurred. |
Portal (portal) | The name of the GlobalProtect portal or
gateway. |
Sequence Number (seqno) | A 64-bit log entry identifier incremented
sequentially; each log type has a unique number space. |
Action Flags (actionflags) | A bit field indicating if the log was forwarded
to Panorama. |
Gateway Selection Method (selection_type) | The connection method that is selected to
connect to the gateway.
|
SSL Response Time (response_time) | The SSL response time of the selected gateway
that is measured in milliseconds on the endpoint during tunnel setup. |
Gateway Priority (priority) | The priority order of the gateway that is
based on highest (1), high (2), medium (3), low (4), or lowest (5)
to which the GlobalProtect app can connect. |
Attempted Gateways (attempted_gateways) | The fields that are collected for each gateway
connection attempt with the gateway name, SSL response time, and
priority (see Gateway Priority in a Multiple
Gateway Configuration. Each field entry is separated by commas
such as g82-gateway,12,3. Each gateway
entry is separated by semicolons such as g83-gateway,10,2;g84-gateway,-1,1. |
Gateway Name (gateway) | The name of the gateway that is specified
on the portal configuration. |
Device Group Hierarchy (dg_hier_level_1
to dg_hier_level_4) | A sequence of identification numbers that
indicate the device group’s location within a device group hierarchy.
The firewall (or virtual system) generating the log includes the
identification number of each ancestor in its device group hierarchy.
The shared device group (level 0) is not included in this structure. If
the log values are 12, 34, 45, 0, it means that the log was generated by
a firewall (or virtual system) that belongs to device group 45,
and its ancestors are 34, and 12. To view the device group names
that correspond to the value 12, 34 or 45, use one of the following
methods: API query:
|
Virtual System Name (vsys_name) | The name of the virtual system associated
with the session; only valid on firewalls enabled for multiple virtual
systems. |
Device Name (device_name) | The hostname of the firewall on which the
session was logged. |
Virtual System ID (vsys_id) | A unique identifier for a virtual system
on a Palo Alto Networks firewall. |
Cluster Name (cluster_name) | Name of the CN-Series firewall cluster. |