| paloaltonetworks:logs:syslog:globalprotect [2020/09/09 23:46] – [GlobalProtect System Logs (< PAN-OS 9.1)] bstafford | paloaltonetworks:logs:syslog:globalprotect [2023/02/03 11:27] (current) – bstafford |
|---|
| ====== GlobalProtect System Logs (< PAN-OS 9.1) ====== | ====== GlobalProtect System Logs (< PAN-OS 9.1) ====== |
| | ===== GP Login/Logout ===== |
| | <code>(( eventid eq gateway-connected ) or ( eventid eq gateway-logout ))</code> |
| | <code>(( eventid eq gateway-connected ) or ( eventid eq gateway-logout )) and ( machinename eq GB1LT11111 ) and ( user.src eq jbloggs )</code> |
| ===== List GP Disconnect Reasons ===== | ===== List GP Disconnect Reasons ===== |
| Remember, if you are looking for the reasons people gave for disconnecting from GlobalProtect, use: | Remember, if you are looking for the reasons people gave for disconnecting from GlobalProtect, use: |
| The following example has 'asdfg' as the comment. | The following example has 'asdfg' as the comment. |
| <code>( object eq name-of-gateway ) and ( description contains 'GlobalProtect gateway agent message. Login from: 1.2.3.4, User name: jbloggs, Time: Sat Sep 05 15:35:29 2019., Message: Agent Disable, Comment: asdfg. Override(s)=36.' )</code> | <code>( object eq name-of-gateway ) and ( description contains 'GlobalProtect gateway agent message. Login from: 1.2.3.4, User name: jbloggs, Time: Sat Sep 05 15:35:29 2019., Message: Agent Disable, Comment: asdfg. Override(s)=36.' )</code> |
| | |
| | In PAN-OS 9.1 and higher, use the following filter in the GlobalProtect log |
| | <code>( stage eq agent-msg ) and ( eventid eq gateway-agent-msg ) and ( opaque contains 'Comment' )</code> |
| ==== List GP Login/Logout Time ===== | ==== List GP Login/Logout Time ===== |
| To get a list of the login/logout times of a specific user on a specific day (not including internal gateway connections), use the following. | To get a list of the login/logout times of a specific user on a specific day (not including internal gateway connections), use the following. |
| <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )</code> | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )</code> |
| <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )</code> | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )</code> |
| | <code>( eventid eq globalprotectgateway-config-fail ) and ( object eq NAME-OF-GATEWAY ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: jbloggs, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Assign private IP address failed.' )</code> |
| ===== Informational ===== | ===== Informational ===== |
| <code>( subtype eq globalprotect ) and ( severity eq informational )</code> | <code>( subtype eq globalprotect ) and ( severity eq informational )</code> |
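Review bot: the page heading still reads "GlobalProtect System Logs (< PAN-OS 9.1)", but the line added under "List GP Disconnect Reasons" documents a filter for PAN-OS 9.1 and higher that runs in the GlobalProtect log rather than the system log, so the title no longer describes what the page holds. Either widen the heading or give the 9.1 filter its own heading. The added sentence "use the following filter in the GlobalProtect log" also ends without a colon or full stop. It would help to say next to the older filter that its description literal (IP 1.2.3.4, user jbloggs, the timestamp, comment 'asdfg') matches only that one event, whereas the new filter matches on opaque contains 'Comment'.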
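Review bot: in "List GP Login/Logout Time" the added third filter is another globalprotectgateway-config-fail match (error: Assign private IP address failed), which widens the gap between the section's intro and its content. The intro promises login/logout times for a specific user on a specific day, yet none of the three filters selects a login or logout event or a date. The new "GP Login/Logout" section, with eventid eq gateway-connected and eventid eq gateway-logout, is what answers that question. Suggest moving the intro sentence there and retitling this section for gateway configuration failures. The heading markup here is also unbalanced: it opens with "====" and closes with "=====".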