GlobalProtect App Troubleshooting
Focus
Focus
Strata Logging Service

GlobalProtect App Troubleshooting

Table of Contents

GlobalProtect App Troubleshooting

GlobalProtect troubleshooting logs contain information about the GlobalProtect client and its host to help app users resolve issues.
See the following for information related to supported log formats:
GLOBALPROTECT APP TROUBLESHOOTING Field
(Display Name)
Description
app_tampered
(APP TAMPERED)
Indicates whether application files on the endpoint were tampered with or modified.
CEF field name: PanOSAppTampered
EMAIL field name: AppTampered
HTTPS field name: AppTampered
LEEF field name: AppTampered
captive_portal
(CAPTIVE PORTAL)
Indicates whether the endpoint is behind a captive portal.
CEF field name: PanOSCaptivePortal
EMAIL field name: CaptivePortal
HTTPS field name: CaptivePortal
LEEF field name: CaptivePortal
cpu_usage
(CPU USAGE)
The percentage of overall CPU usage on the endpoint.
CEF field name: PanOSCPUUsage
EMAIL field name: CPUUsage
HTTPS field name: CPUUsage
LEEF field name: CPUUsage
cpu_usage_gp
(GLOBALPROTECT CPU USAGE)
The percentage of the endpoint's CPU resources used by GlobalProtect.
EMAIL field name: GlobalProtectCPUUsage
HTTPS field name: GlobalProtectCPUUsage
LEEF field name: GlobalProtectCPUUsage
crash_history
(CRASH HISTORY)
A record of any GlobalProtect application crashes.
CEF field name: PanOSCrashHistory
EMAIL field name: CrashHistory
HTTPS field name: CrashHistory
LEEF field name: CrashHistory
debug_log_file_name
(DEBUG LOG FILE)
The name of a file containing debug logs.
CEF field name: PanOSDebugLogFile
EMAIL field name: DebugLogFile
HTTPS field name: DebugLogFile
LEEF field name: DebugLogFile
disable_history
(DISABLE HISTORY)
A record of the times that GlobalProtect was disabled.
CEF field name: PanOSDisableHistory
EMAIL field name: DisableHistory
HTTPS field name: DisableHistory
LEEF field name: DisableHistory
disk_available
(DISK AVAILABLE)
The disk space remaining on the endpoint.
CEF field name: PanOSDiskAvailable
EMAIL field name: DiskAvailable
HTTPS field name: DiskAvailable
LEEF field name: DiskAvailable
disk_total
(TOTAL DISK SPACE)
The total disk space on the endpoint.
CEF field name: PanOSTotalDiskSpace
EMAIL field name: TotalDiskSpace
HTTPS field name: TotalDiskSpace
LEEF field name: TotalDiskSpace
dns_reachable
(DNS REACHABLE)
Indicates whether the endpoint can reach internet DNS servers.
CEF field name: PanOSDNSReachable
EMAIL field name: DNSReachable
HTTPS field name: DNSReachable
LEEF field name: DNSReachable
dual_stack_network
(DUAL STACK TUNNEL INTERFACE)
Indicates whether the GlobalProtect interface is both IPv4 and IPv6 compatible.
EMAIL field name: DualStackTunnelInterface
HTTPS field name: DualStackTunnelInterface
LEEF field name: DualStackTunnelInterface
enforcer_status
(ENFORCER STATUS)
Indicated whether GlobalProtect is enforced for network access.
CEF field name: PanOSEnforcerStatus
EMAIL field name: EnforcerStatus
HTTPS field name: EnforcerStatus
LEEF field name: EnforcerStatus
error
(ERROR MESSAGE)
The last error that occurred in GlobalProtect.
Syslog field name: Syslog Field Order
CEF field name: reason
EMAIL field name: ErrorMessage
HTTPS field name: ErrorMessage
LEEF field name: ErrorMessage
error_details
(ERROR DETAILS)
Details that help troubleshoot an error.
Syslog field name: Syslog Field Order
CEF field name: PanOSErrorDetails
EMAIL field name: ErrorDetails
HTTPS field name: ErrorDetails
LEEF field name: ErrorDetails
error_stage
(ERROR STAGE)
The stage when an error occurred.
Syslog field name: Syslog Field Order
CEF field name: PanOSErrorStage
EMAIL field name: ErrorStage
HTTPS field name: ErrorStage
LEEF field name: ErrorStage
error_time
(ERROR GENERATED TIME)
The UTC time in milliseconds when a GlobalProtect error occurred.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: ErrorGeneratedTime
HTTPS field name: ErrorGeneratedTime
LEEF field name: ErrorGeneratedTime
gp_mtu
(GLOBALPROTECT MTU)
The maximum transmission unit of GlobalProtect.
CEF field name: PanOSGlobalProtectMTU
EMAIL field name: GlobalProtectMTU
HTTPS field name: GlobalProtectMTU
LEEF field name: GlobalProtectMTU
gp_version
(GLOBALPROTECT VERSION)
The GlobalProtect application version.
Syslog field name: Syslog Field Order
EMAIL field name: GlobalProtectVersion
HTTPS field name: GlobalProtectVersion
LEEF field name: GlobalProtectVersion
gw_address
(GATEWAY ADDRESS)
The IP address of the GlobalProtect gateway.
CEF field name: PanOSGatewayAddress
EMAIL field name: GatewayAddress
HTTPS field name: GatewayAddress
LEEF field name: GatewayAddress
gw_attempted
(ATTEMPTED GATEWAYS)
The gateways attmpted by GlobalProtect before connecting to the current gatway.
CEF field name: PanOSAttemptedGateways
EMAIL field name: AttemptedGateways
HTTPS field name: AttemptedGateways
LEEF field name: AttemptedGateways
gw_auth
(GATEWAY AUTHENTICATION)
An array of the authentication methods used to connect to the GlobalProtect gateway.
EMAIL field name: GatewayAuthentication
HTTPS field name: GatewayAuthentication
LEEF field name: GatewayAuthentication
gw_config_name
(GATEWAY CONFIGURATION NAME)
The name of the GlobalProtect gateway client settings configuration.
EMAIL field name: GatewayConfigurationName
HTTPS field name: GatewayConfigurationName
LEEF field name: GatewayConfigurationName
gw_dlsa_enabled
(DLSA STATUS)
Indicates whether local subnet access is enabled.
CEF field name: PanOSDLSAstatus
EMAIL field name: DLSAstatus
HTTPS field name: DLSAstatus
LEEF field name: DLSAstatus
gw_fall_back_to_ssl
(FALLBACK TO SSL REASON)
The reason why the GlobalProtect client fell back to SSL to connect to the gateway.
CEF field name: PanOSFallbacktoSSLReason
EMAIL field name: FallbacktoSSLReason
HTTPS field name: FallbacktoSSLReason
LEEF field name: FallbacktoSSLReason
gw_ipsec_enabled
(IPSEC ENABLED)
Indicates whether IPsec tunnel mode s enabled.
CEF field name: PanOSIPSecEnabled
EMAIL field name: IPSecEnabled
HTTPS field name: IPSecEnabled
LEEF field name: IPSecEnabled
gw_ipsec_failure_reason
(IPSEC FAILURE REASON)
The reason why the IPsec tunnel connection failed.
CEF field name: PanOSIPSecFailureReason
EMAIL field name: IPSecFailureReason
HTTPS field name: IPSecFailureReason
LEEF field name: IPSecFailureReason
gw_jitter
(JITTER)
The gateway jitter in milliseconds.
CEF field name: PanOSJitter
EMAIL field name: Jitter
HTTPS field name: Jitter
LEEF field name: Jitter
gw_latency
(LATENCY)
The gateway latency in milliseconds.
CEF field name: PanOSLatency
EMAIL field name: Latency
HTTPS field name: Latency
LEEF field name: Latency
gw_location
(LOCATION)
The geographic location of the gateway.
CEF field name: PanOSLocation
EMAIL field name: Location
HTTPS field name: Location
LEEF field name: Location
gw_logout_time
(LOGOUT TIME)
The UTC time in milliseconds when the GlobalProtect client logged out from the gateway.
CEF field name: PanOSGatewayLogoutTime
EMAIL field name: GatewayLogoutTime
HTTPS field name: GatewayLogoutTime
LEEF field name: GatewayLogoutTime
gw_packet_loss
(PACKET LOSS)
The percentage of packets lost from gateway traffic.
CEF field name: PanOSPacketLoss
EMAIL field name: PacketLoss
HTTPS field name: PacketLoss
LEEF field name: PacketLoss
gw_reachable
(GATEWAY REACHABLE)
Indicates whether the gateway is reachable.
CEF field name: PanOSGatewayReachable
EMAIL field name: GatewayReachable
HTTPS field name: GatewayReachable
LEEF field name: GatewayReachable
gw_server_cert
(GATEWAY SSL CERTIFICATE VALID)
Indicates whether the gateway server certificate is valid.
EMAIL field name: GatewaySSLCertificateValid
HTTPS field name: GatewaySSLCertificateValid
gw_ssl_failure_reason
(SSL FAILURE REASON)
The reason why the SSL tunnel connection failed.
CEF field name: PanOSSSLFailureReason
EMAIL field name: SSLFailureReason
HTTPS field name: SSLFailureReason
LEEF field name: SSLFailureReason
gw_status
(GATEWAY STATUS)
The status of the GlobalProtect gateway.
CEF field name: PanOSGatewayStatus
EMAIL field name: GatewayStatus
HTTPS field name: GatewayStatus
LEEF field name: GatewayStatus
gw_tunnel_renamed
(TUNNEL RENAME)
Indicates whether the pre-logon tunnel was renamed to a user tunnel.
CEF field name: PanOSTunnelRename
EMAIL field name: TunnelRename
HTTPS field name: TunnelRename
LEEF field name: TunnelRename
has_privileges
(PRIVILEGES)
Indicates whether GlobalProtect has the necessary permissions on the endpoint to function.
CEF field name: PanOSPrivileges
EMAIL field name: Privileges
HTTPS field name: Privileges
LEEF field name: Privileges
host_gmt_timeoffset
(HOST TIME OFFSET)
The difference between the time zone of the endpoint and GMT.
Syslog field name: Syslog Field Order
CEF field name: dtz
EMAIL field name: HostTimeOffset
HTTPS field name: HostTimeOffset
LEEF field name: HostTimeOffset
host_id
(GLOBALPROTECT HOST ID)
The unique identifier created by GlobalProtect for the endpoint.
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID
host_name
(HOSTNAME)
The host name of the endpoint.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: Hostname
HTTPS field name: Hostname
LEEF field name: identHostName
install_history
(INSTALL HISTORY)
Indicates whether GlobalProtect is newly installed, upgraded, or downgraded.
CEF field name: PanOSInstallHistory
EMAIL field name: InstallHistory
HTTPS field name: InstallHistory
LEEF field name: InstallHistory
internal_network
(INTERNAL NETWORK)
Indicates whether the endpoint is in an internal network.
CEF field name: PanOSInternalNetwork
EMAIL field name: InternalNetwork
HTTPS field name: InternalNetwork
LEEF field name: InternalNetwork
internet_access
(INTERNET ACCESS)
Indicates whether the endpoint has internet access.
CEF field name: PanOSInternetAccess
EMAIL field name: InternetAccess
HTTPS field name: InternetAccess
LEEF field name: InternetAccess
jail_broken
(JAILBROKEN STATUS)
Indicates whether the mobile device is jailbroken.
CEF field name: PanOSJailbrokenStatus
EMAIL field name: JailbrokenStatus
HTTPS field name: JailbrokenStatus
LEEF field name: JailbrokenStatus
last_hip_report_time
(LAST HIP REPORT TIME)
The last time GlobalProtect sent a Host Information Profile (HIP) report.
CEF field name: PanOSLastHIPReportTime
EMAIL field name: LastHIPReportTime
HTTPS field name: LastHIPReportTime
LEEF field name: LastHIPReportTime
last_logout_time
(LAST LOGOUT TIME)
The last time a user logged out of GlobalProtect in millisecond UTC.
CEF field name: PanOSLastLogoutTime
EMAIL field name: LastLogoutTime
HTTPS field name: LastLogoutTime
LEEF field name: LastLogoutTime
locale
(LOCALE)
The language locale name. Example:
en-us;English (United States)
Syslog field name: Syslog Field Order
CEF field name: PanOSLocale
EMAIL field name: Locale
HTTPS field name: Locale
LEEF field name: Locale
log_type.​value
(LOG TYPE)
A required LEEF header field that describes the log type. In this case, GlobalProtect Troubleshooting.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
memory_total
(TOTAL MEMORY)
The total memory on the endpoint.
CEF field name: PanOSTotalMemory
EMAIL field name: TotalMemory
HTTPS field name: TotalMemory
LEEF field name: TotalMemory
memory_usage
(MEMORY USAGE)
The total memory usage on the endpoint.
CEF field name: PanOSMemoryUsage
EMAIL field name: MemoryUsage
HTTPS field name: MemoryUsage
LEEF field name: MemoryUsage
memory_usage_gp
(GLOBALPROTECT MEMORY USAGE)
The memory resources used by GlobalProtect on the endpoint.
EMAIL field name: GlobalProtectMemoryUsage
HTTPS field name: GlobalProtectMemoryUsage
LEEF field name: GlobalProtectMemoryUsage
network_access
(NETWORK ACCESS)
Indicates whether the endpoint has network access.
CEF field name: PanOSNetworkAccess
EMAIL field name: NetworkAccess
HTTPS field name: NetworkAccess
LEEF field name: NetworkAccess
network_latency
(PORTALGATEWAY LATENCY)
The network latency in milliseconds.
EMAIL field name: PortalGatewayLatency
HTTPS field name: PortalGatewayLatency
LEEF field name: PortalGatewayLatency
network_type
(TYPE)
The network type that the endpoint is accessing, such as WiFi, Ethernet, or LTE.
CEF field name: PanOSType
EMAIL field name: Type
HTTPS field name: Type
LEEF field name: Type
os
(OPERATING SYSTEM)
The operating system of the device from which a user is reporting an issue.
Syslog field name: Syslog Field Order
CEF field name: PanOSOperatingSystem
EMAIL field name: OperatingSystem
HTTPS field name: OperatingSystem
LEEF field name: OperatingSystem
panorama_serial
(PANORAMA SN)
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN
portal_address
(PORTAL ADDRESS)
The IP address of the last connected GlobalProtect portal.
CEF field name: PanOSPortalAddress
EMAIL field name: PortalAddress
HTTPS field name: PortalAddress
LEEF field name: PortalAddress
portal_auth
(PORTAL AUTHENTICATION)
The authentication methods used to connect to the GlobalProtect portal.
EMAIL field name: PortalAuthentication
HTTPS field name: PortalAuthentication
LEEF field name: PortalAuthentication
portal_cached_config
(CACHED CONFIGURATION)
Indicates whether the client is using a cached configuration to connect to the GlobalProtect portal.
CEF field name: PanOSCachedConfiguration
EMAIL field name: CachedConfiguration
HTTPS field name: CachedConfiguration
LEEF field name: CachedConfiguration
portal_config_name
(PORTAL CONFIGURATION NAME)
The name of the GlobalProtect portal configuration if the client is connected to a portal.
EMAIL field name: PortalConfigurationName
HTTPS field name: PortalConfigurationName
LEEF field name: PortalConfigurationName
portal_config_refresh
(CONFIGURATION REFRESH)
Indicates whether the GlobalProtect portal configuration has been refreshed.
EMAIL field name: ConfigurationRefresh
HTTPS field name: ConfigurationRefresh
LEEF field name: ConfigurationRefresh
portal_last_connect_time
(LAST CONNECT TIME)
The last time the client connected to a GlobalProtect portal.
CEF field name: flexDate1
EMAIL field name: LastConnectTime
HTTPS field name: LastConnectTime
LEEF field name: LastConnectTime
portal_reachable
(PORTAL REACHABLE)
Indicates whether the GlobalProtect portal is reachable and accepts a TCP connection.
CEF field name: PanOSPortalReachable
EMAIL field name: PortalReachable
HTTPS field name: PortalReachable
LEEF field name: PortalReachable
portal_server_cert
(PORTAL SSL CERTIFICATE VALID)
Indicates whether the portal has a valid server certificate.
EMAIL field name: PortalSSLCertificateValid
HTTPS field name: PortalSSLCertificateValid
LEEF field name: PortalSSLCertificateValid
portal_status
(PORTAL STATUS)
The status of the portal before the user reported an issue.
CEF field name: PanOSPortalStatus
EMAIL field name: PortalStatus
HTTPS field name: PortalStatus
LEEF field name: PortalStatus
proxy_server
(PROXY SERVER)
Indicates whether the endpoint is behind a proxy server.
CEF field name: PanOSProxyServer
EMAIL field name: ProxyServer
HTTPS field name: ProxyServer
LEEF field name: ProxyServer
report_id
(REPORT ID)
The unique identifier for each issue reported by a user from the GlobalProtect app.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: GeneratedTime
HTTPS field name: GeneratedTime
LEEF field name: devTime
report_time
(GENERATED TIME)
The UTC in milliseconds when GlobalProtect sent a report.
Syslog field name: Syslog Field Order
CEF field name: PanOSReportID
EMAIL field name: ReportID
HTTPS field name: ReportID
LEEF field name: ReportID
report_type
(REPORT TYPE)
Indicates the type of the report: troubleshooting or diagnostic.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: ReportType
HTTPS field name: ReportType
LEEF field name: EventID
serial_number
(ENDPOINT SERIAL NUMBER)
The serial number of the device.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: SerialNumber
HTTPS field name: SerialNumber
LEEF field name: SerialNumber
server_performance
(SERVER PERFORMANCE)
The network latency of various destination URLs configured by an administrator on Panorama.
CEF field name: PanOSServerPerformance
EMAIL field name: ServerPerformance
HTTPS field name: ServerPerformance
LEEF field name: ServerPerformance
split_tunnel_status
(SPLIT-TUNNEL CONFIGURATION)
Indicates the status of a split tunnel configured on GlobalProtect.
EMAIL field name: Split-tunnelconfiguration
HTTPS field name: Split-tunnelconfiguration
LEEF field name: Split-tunnelconfiguration
user_comment
(USER COMMENT)
Comments that the user submitted with their issue report.
CEF field name: PanOSUserComment
EMAIL field name: UserComment
HTTPS field name: UserComment
LEEF field name: UserComment
user_name
(USERNAME)
The name of the user who reported an issue.
Syslog field name: Syslog Field Order
CEF field name: PanOSUsername
EMAIL field name: Username
HTTPS field name: Username
LEEF field name: usrName