| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| paloaltonetworks:logs:syslog:globalprotect [2020/08/31 06:30] – external edit 127.0.0.1 | paloaltonetworks:logs:syslog:globalprotect [2023/02/03 11:27] (current) – bstafford |
|---|
| ====== GlobalProtect System Logs (< PAN-OS 9.1) ====== | ====== GlobalProtect System Logs (< PAN-OS 9.1) ====== |
| | ===== GP Login/Logout ===== |
| | <code>(( eventid eq gateway-connected ) or ( eventid eq gateway-logout ))</code> |
| | <code>(( eventid eq gateway-connected ) or ( eventid eq gateway-logout )) and ( machinename eq GB1LT11111 ) and ( user.src eq jbloggs )</code> |
| | ===== List GP Disconnect Reasons ===== |
| | Remember, if you are looking for the reasons people gave for disconnecting from GlobalProtect, use: |
| | <code>( eventid eq globalprotectgateway-agent-msg ) and ( description contains 'Message: Agent Disable, Comment:' )</code> |
| | The following example has 'asdfg' as the comment. |
| | <code>( object eq name-of-gateway ) and ( description contains 'GlobalProtect gateway agent message. Login from: 1.2.3.4, User name: jbloggs, Time: Sat Sep 05 15:35:29 2019., Message: Agent Disable, Comment: asdfg. Override(s)=36.' )</code> |
| |
| | In PAN-OS 9.1 and higher, use the following filter in the GlobalProtect log |
| | <code>( stage eq agent-msg ) and ( eventid eq gateway-agent-msg ) and ( opaque contains 'Comment' )</code> |
| | ==== List GP Login/Logout Time ===== |
| | To get a list of the login/logout times of a specific user on a specific day (not including internal gateway connections), use the following. |
| | <code>( description contains 'username') and ( receive_time geq '2020/09/08 00:00:00' ) and ( receive_time leq '2020/09/08 23:59:59' ) and ( subtype eq globalprotect ) and ( ( eventid eq globalprotectgateway-regist-succ ) or ( eventid eq globalprotectgateway-logout-succ ) ) and ( object neq NAME-OF-ANY-INTERNAL-GATEWAY )</code> |
| ===== Low ===== | ===== Low ===== |
| <code>( subtype eq globalprotect ) and ( severity eq low )</code> | <code>( subtype eq globalprotect ) and ( severity eq low )</code> |
| <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )</code> | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )</code> |
| <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )</code> | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )</code> |
| | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq NAME-OF-GATEWAY ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: jbloggs, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Assign private IP address failed.' )</code> |
| ===== Informational ===== | ===== Informational ===== |
| <code>( subtype eq globalprotect ) and ( severity eq informational )</code> | <code>( subtype eq globalprotect ) and ( severity eq informational )</code> |
