(( eventid eq gateway-connected ) or ( eventid eq gateway-logout ))
(( eventid eq gateway-connected ) or ( eventid eq gateway-logout )) and ( machinename eq GB1LT11111 ) and ( user.src eq jbloggs )
Remember, if you are looking for the reasons people gave for disconnecting from GlobalProtect, use:
( eventid eq globalprotectgateway-agent-msg ) and ( description contains 'Message: Agent Disable, Comment:' )
The following example has 'asdfg' as the comment.
( object eq name-of-gateway ) and ( description contains 'GlobalProtect gateway agent message. Login from: 1.2.3.4, User name: jbloggs, Time: Sat Sep 05 15:35:29 2019., Message: Agent Disable, Comment: asdfg. Override(s)=36.' )
In PAN-OS 9.1 and higher, use the following filter in the GlobalProtect log:
( stage eq agent-msg ) and ( eventid eq gateway-agent-msg ) and ( opaque contains 'Comment' )
To get a list of the login/logout times of a specific user on a specific day (not including internal gateway connections), use the following filter:
( description contains 'username' ) and ( receive_time geq '2020/09/08 00:00:00' ) and ( receive_time leq '2020/09/08 23:59:59' ) and ( subtype eq globalprotect ) and ( ( eventid eq globalprotectgateway-regist-succ ) or ( eventid eq globalprotectgateway-logout-succ ) ) and ( object neq NAME-OF-ANY-INTERNAL-GATEWAY )
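Once the rows matched by the disable-comment filter and the login/logout filter above have been exported, they can be processed offline. The following Python is an added example, not part of the original page or any Palo Alto Networks tooling: it pairs external logins with logouts for one user and pulls out the Agent Disable comments. It assumes each exported row is a (receive_time, eventid, object, description) tuple; the sample rows and the gateway name Internal-GW are constructed.

```python
import re
from datetime import datetime

# Constructed rows (receive_time, eventid, object, description). Description
# wording follows the filter examples on this page; "Internal-GW" is made up.
LOGIN, LOGOUT = "globalprotectgateway-regist-succ", "globalprotectgateway-logout-succ"
ROWS = [
    ("2020/09/08 08:01:12", LOGIN, "Gateway-N", "GlobalProtect gateway user login succeeded. "
     "Login from: 11.22.33.44, Source region: GB, User name: jbloggs, Client OS version: Mac."),
    ("2020/09/08 09:30:00", LOGIN, "Internal-GW", "GlobalProtect gateway user login succeeded. "
     "Login from: 10.0.0.5, Source region: GB, User name: jbloggs, Client OS version: Mac."),
    ("2020/09/08 10:00:00", LOGOUT, "Internal-GW", "GlobalProtect gateway user logout "
     "succeeded. User name: jbloggs, Client OS version: Mac, Reason: client logout."),
    ("2020/09/08 12:15:40", "globalprotectgateway-agent-msg", "Gateway-N",
     "GlobalProtect gateway agent message. Login from: 11.22.33.44, User name: jbloggs, "
     "Time: Tue Sep 08 12:15:40 2020., Message: Agent Disable, Comment: asdfg. Override(s)=36."),
    ("2020/09/08 17:45:03", LOGOUT, "Gateway-N", "GlobalProtect gateway user logout "
     "succeeded. User name: jbloggs, Client OS version: Mac, Reason: client logout."),
]
USER_RE = re.compile(r"User name: ([^\s,]+)")
DISABLE_RE = re.compile(r"Message: Agent Disable, Comment: (.*?)\.* Override\(s\)=(\d+)")

def user_of(desc):
    m = USER_RE.search(desc)
    return m.group(1).rstrip(".") if m else None  # name may end the sentence

def sessions(rows, user, internal_gateways=()):
    """Pair each external login with the next logout for one user."""
    out, start = [], None
    for ts, eventid, gateway, desc in sorted(rows):  # timestamp format sorts as text
        if user_of(desc) != user or gateway in internal_gateways:
            continue
        when = datetime.strptime(ts, "%Y/%m/%d %H:%M:%S")
        if eventid == LOGIN:
            start = start or when          # keep the earliest unmatched login
        elif eventid == LOGOUT:
            out.append((start, when))      # start is None if login is outside the export
            start = None
    return out + ([(start, None)] if start else [])  # still connected

def disable_comments(rows):
    """Return (time, user, comment, overrides) for each Agent Disable message."""
    hits = []
    for ts, eventid, _gateway, desc in rows:
        m = DISABLE_RE.search(desc)
        if eventid == "globalprotectgateway-agent-msg" and m:
            hits.append((ts, user_of(desc), m.group(1), int(m.group(2))))
    return hits
```

Leaving internal_gateways empty shows why the filter excludes internal gateways: the internal logout at 10:00 closes the external session early and the real 17:45 logout is left without a matching login.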
( subtype eq globalprotect ) and ( severity eq low )
( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name, Client region: GB, Client IP: 11.22.33.44, Client OS version: Apple iOS 12.3.1, error: Matching client config not found.' )
( eventid eq globalprotectgateway-config-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: user.name Client region: NULL, Client IP: 11.22.33.44, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Invalid authentication cookie.' )
( eventid eq globalprotectgateway-config-fail ) and ( object eq NAME-OF-GATEWAY ) and ( description contains 'GlobalProtect gateway client configuration failed. User name: jbloggs, Client OS version: Microsoft Windows 10 Enterprise , 64-bit, error: Assign private IP address failed.' )
( subtype eq globalprotect ) and ( severity eq informational )
( eventid eq globalprotectportal-gencookie-succ ) and ( description contains 'GlobalProtect portal generate cookie success. Login from: 11.22.33.44, User name: username@domain.com.' )
( eventid eq globalprotectgateway-gencookie-succ ) and ( description contains 'GlobalProtect gateway generate cookie success. Login from: 91.125.197.23, User name: username@domain.com, Client OS version: Mac.' )
( eventid eq globalprotectportal-gencookie-fail ) and ( description contains 'GlobalProtect portal generate cookie failed. Login from: 11.22.33.44, User name: pre-logon, Client OS version: Mac.' )
( eventid eq globalprotectgateway-gencookie-fail ) and ( description contains 'GlobalProtect gateway generate cookie failed. Login from: 11.22.33.44, User name: pre-logon, Client OS version: Mac.' )
( eventid eq globalprotectportal-logout-succ ) and ( description contains 'GlobalProtect portal user logout succeeded. User name: domain.com\username, Reason: timed out' )
( eventid eq globalprotectportal-auth-succ ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal user authentication succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Auth type: SAML.Client OS version: Apple Mac OS X 10.15.4.' )
( eventid eq globalprotectportal-auth-fail ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal user authentication failed. Login from: 11.22.33.446, Source region: GB, User name: username@domain.com, Client OS version: Microsoft Windows 10 Enterprise N LTSC 2019 , 64-bit, Reason: Cookie expired, Auth type: cookie.' )
( eventid eq globalprotectportal-config-succ ) and ( object eq PortalName ) and ( description contains 'GlobalProtect portal client configuration generated. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.15.4, Config name: Client, Client OS: Mac, Machine Certificate CN : , Host ID: ff:55:99:bb:aa:00, Serial No : C984JHUJT65N' )
( eventid eq globalprotectgateway-auth-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user authentication succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Auth type: cookie, Client OS version: Apple Mac OS X 10.14.6.' )
( eventid eq globalprotectgateway-auth-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user authentication failed. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.15.4, Reason: Cookie expired, Auth type: cookie.' )
( eventid eq globalprotectgateway-regist-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user login succeeded. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6.' )
( eventid eq globalprotectgateway-config-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration generated. User name: username@domain.com, Config name: User-Config, Private IP: 192.168.221.106, Client region: GB, Client IP: 11.22.33.44, Client version: 5.1.0-75, Device name: UJDD74HFJFU29, Client OS version: Apple Mac OS X 10.14.6, VPN type: Device Level VPN.' )
( eventid eq globalprotectgateway-config-release ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client configuration released. User name: username@domain.comm, Private IP: 192.168.1.1, Client version: 5.1.0-75, Device name: MFVFXMJPHHV29, Client OS version: Apple Mac OS X 10.14.6, VPN type: Device Level VPN.' )
( eventid eq globalprotectgateway-logout-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user logout succeeded. User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6, Reason: client logout.' )
( eventid eq globalprotectgateway-switch-succ ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway client switch to SSL tunnel mode succeeded. User name: username@domain.com, Private IP: 192.168.1.1.' )
( eventid eq globalprotectgateway-regist-fail ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway user login failed. Login from: 11.22.33.44, Source region: GB, User name: username@domain.com, Client OS version: Apple Mac OS X 10.14.6, error: Existing user session found.' )
( eventid eq globalprotectgateway-agent-msg ) and ( object eq Gateway-N ) and ( description contains 'GlobalProtect gateway agent message. Login from: 11.22.33.44, User name: username@domain.com, Time: Fri May 8 09:32:44 2020., Message: Agent Disable, Comment: disable allowed.. Override(s)=91' )
( eventid eq globalprotectgateway-agent-msg )