• PanGP Agent logs are for the GlobalProtect UI program
• PanGP Service logs are for the GlobalProtect service/daemon program. Use this one.

Sections of Service Logs

• —-portal processing starts—-
  • Portal portal.example.local, user user, logonDomain DOMAIN, saved user user, path C:\Users\user\AppData\Local\Palo Alto Networks\GlobalProtect\
  • Portal's ipv4 address 10.1.1.1
  • CaptivePortalDetectionThread: wait (2000 ms) for captive portal detection event.
• —-Portal Pre-login starts—-
• —-Portal Login starts—-
• —-Network Discover starts—-
  • –Set state to Discovering network…
    • Process gateway: host gw.example.local, description gw.example.local
    • Gateway gw.example.local ipv4 address is 10.1.1.1
    • Gateway gw.example.local: ipv4 10.1.1.1, ipv6 , FQDN yes
    • Set network discover in progress
    • No ipv6 internal host detection.
    • IP 10.1.1.254
    • host ihd.example.local
    • DnsQuery returns 0
    • Resolved 254.1.1.10.in-addr.arpa for internal host detection with return value 0
    • The host name is ihd.example.local
  • –Set state to Discovery complete

Get a log file dump from the endpoint GlobalProtect and open the PanGPS.log file.

Look for the following to explain why SSL is being used

Debug( 463): Network is reachable
Info ( 174): Connected to: 1.2.3.4[4501], Sending keep alive to ipsec socket...
Info ( 217): failed to receive keep alive
Debug( 226): Disconnect udp socket 
Info ( 307): Connecting to 1.2.3.4 failed
Info ( 226): Start vpn do_connect() failed
Debug( 281): do_disconnect is called in VPN stop
Debug( 485): ipsec failed to start