Strata Logging Service
GlobalProtect App Troubleshooting
Table of Contents
Expand All
|
Collapse All
GlobalProtect App Troubleshooting
GlobalProtect troubleshooting logs contain information about the GlobalProtect client and its
host to help app users resolve issues.
See the following for information related to supported log formats:
GLOBALPROTECT APP TROUBLESHOOTING Field
(Display Name)
|
Description
|
---|---|
app_tampered
(APP TAMPERED)
| Indicates whether application files on the endpoint were tampered with or modified. CEF field name: PanOSAppTampered EMAIL field name: AppTampered HTTPS field name: AppTampered LEEF field name: AppTampered |
captive_portal
(CAPTIVE PORTAL)
| Indicates whether the endpoint is behind a captive portal. CEF field name: PanOSCaptivePortal EMAIL field name: CaptivePortal HTTPS field name: CaptivePortal LEEF field name: CaptivePortal |
cpu_usage
(CPU USAGE)
| The percentage of overall CPU usage on the endpoint. CEF field name: PanOSCPUUsage EMAIL field name: CPUUsage HTTPS field name: CPUUsage LEEF field name: CPUUsage |
cpu_usage_gp
(GLOBALPROTECT CPU USAGE)
| The percentage of the endpoint's CPU resources used by GlobalProtect. CEF field name: PanOSGlobalProtectCPUUsage EMAIL field name: GlobalProtectCPUUsage HTTPS field name: GlobalProtectCPUUsage LEEF field name: GlobalProtectCPUUsage |
crash_history
(CRASH HISTORY)
| A record of any GlobalProtect application crashes. CEF field name: PanOSCrashHistory EMAIL field name: CrashHistory HTTPS field name: CrashHistory LEEF field name: CrashHistory |
debug_log_file_name
(DEBUG LOG FILE)
| The name of a file containing debug logs. CEF field name: PanOSDebugLogFile EMAIL field name: DebugLogFile HTTPS field name: DebugLogFile LEEF field name: DebugLogFile |
disable_history
(DISABLE HISTORY)
| A record of the times that GlobalProtect was disabled. CEF field name: PanOSDisableHistory EMAIL field name: DisableHistory HTTPS field name: DisableHistory LEEF field name: DisableHistory |
disk_available
(DISK AVAILABLE)
| The disk space remaining on the endpoint. CEF field name: PanOSDiskAvailable EMAIL field name: DiskAvailable HTTPS field name: DiskAvailable LEEF field name: DiskAvailable |
disk_total
(TOTAL DISK SPACE)
| The total disk space on the endpoint. CEF field name: PanOSTotalDiskSpace EMAIL field name: TotalDiskSpace HTTPS field name: TotalDiskSpace LEEF field name: TotalDiskSpace |
dns_reachable
(DNS REACHABLE)
| Indicates whether the endpoint can reach internet DNS servers. CEF field name: PanOSDNSReachable EMAIL field name: DNSReachable HTTPS field name: DNSReachable LEEF field name: DNSReachable |
dual_stack_network
(DUAL STACK TUNNEL INTERFACE)
| Indicates whether the GlobalProtect interface is both IPv4 and IPv6 compatible. CEF field name: PanOSDualStackTunnelInterface EMAIL field name: DualStackTunnelInterface HTTPS field name: DualStackTunnelInterface LEEF field name: DualStackTunnelInterface |
enforcer_status
(ENFORCER STATUS)
| Indicated whether GlobalProtect is enforced for network access. CEF field name: PanOSEnforcerStatus EMAIL field name: EnforcerStatus HTTPS field name: EnforcerStatus LEEF field name: EnforcerStatus |
error
(ERROR MESSAGE)
| The last error that occurred in GlobalProtect. Syslog field name: Syslog Field Order CEF field name: reason EMAIL field name: ErrorMessage HTTPS field name: ErrorMessage LEEF field name: ErrorMessage |
error_details
(ERROR DETAILS)
| Details that help troubleshoot an error. Syslog field name: Syslog Field Order CEF field name: PanOSErrorDetails EMAIL field name: ErrorDetails HTTPS field name: ErrorDetails LEEF field name: ErrorDetails |
error_stage
(ERROR STAGE)
| The stage when an error occurred. Syslog field name: Syslog Field Order CEF field name: PanOSErrorStage EMAIL field name: ErrorStage HTTPS field name: ErrorStage LEEF field name: ErrorStage |
error_time
(ERROR GENERATED TIME)
| The UTC time in milliseconds when a GlobalProtect error occurred. Syslog field name: Syslog Field Order CEF field name: start EMAIL field name: ErrorGeneratedTime HTTPS field name: ErrorGeneratedTime LEEF field name: ErrorGeneratedTime |
gp_mtu
(GLOBALPROTECT MTU)
| The maximum transmission unit of GlobalProtect. CEF field name: PanOSGlobalProtectMTU EMAIL field name: GlobalProtectMTU HTTPS field name: GlobalProtectMTU LEEF field name: GlobalProtectMTU |
gp_version
(GLOBALPROTECT VERSION)
| The GlobalProtect application version. Syslog field name: Syslog Field Order CEF field name: PanOSGlobalProtectVersion EMAIL field name: GlobalProtectVersion HTTPS field name: GlobalProtectVersion LEEF field name: GlobalProtectVersion |
gw_address
(GATEWAY ADDRESS)
| The IP address of the GlobalProtect gateway. CEF field name: PanOSGatewayAddress EMAIL field name: GatewayAddress HTTPS field name: GatewayAddress LEEF field name: GatewayAddress |
gw_attempted
(ATTEMPTED GATEWAYS)
| The gateways attmpted by GlobalProtect before connecting to the current gatway. CEF field name: PanOSAttemptedGateways EMAIL field name: AttemptedGateways HTTPS field name: AttemptedGateways LEEF field name: AttemptedGateways |
gw_auth
(GATEWAY AUTHENTICATION)
| An array of the authentication methods used to connect to the GlobalProtect gateway. CEF field name: PanOSGatewayAuthentication EMAIL field name: GatewayAuthentication HTTPS field name: GatewayAuthentication LEEF field name: GatewayAuthentication |
gw_config_name
(GATEWAY CONFIGURATION NAME)
| The name of the GlobalProtect gateway client settings configuration. CEF field name: PanOSGatewayConfigurationName EMAIL field name: GatewayConfigurationName HTTPS field name: GatewayConfigurationName LEEF field name: GatewayConfigurationName |
gw_dlsa_enabled
(DLSA STATUS)
| Indicates whether local subnet access is enabled. CEF field name: PanOSDLSAstatus EMAIL field name: DLSAstatus HTTPS field name: DLSAstatus LEEF field name: DLSAstatus |
gw_fall_back_to_ssl
(FALLBACK TO SSL REASON)
| The reason why the GlobalProtect client fell back to SSL to connect to the gateway. CEF field name: PanOSFallbacktoSSLReason EMAIL field name: FallbacktoSSLReason HTTPS field name: FallbacktoSSLReason LEEF field name: FallbacktoSSLReason |
gw_ipsec_enabled
(IPSEC ENABLED)
| Indicates whether IPsec tunnel mode s enabled. CEF field name: PanOSIPSecEnabled EMAIL field name: IPSecEnabled HTTPS field name: IPSecEnabled LEEF field name: IPSecEnabled |
gw_ipsec_failure_reason
(IPSEC FAILURE REASON)
| The reason why the IPsec tunnel connection failed. CEF field name: PanOSIPSecFailureReason EMAIL field name: IPSecFailureReason HTTPS field name: IPSecFailureReason LEEF field name: IPSecFailureReason |
gw_jitter
(JITTER)
| The gateway jitter in milliseconds. CEF field name: PanOSJitter EMAIL field name: Jitter HTTPS field name: Jitter LEEF field name: Jitter |
gw_latency
(LATENCY)
| The gateway latency in milliseconds. CEF field name: PanOSLatency EMAIL field name: Latency HTTPS field name: Latency LEEF field name: Latency |
gw_location
(LOCATION)
| The geographic location of the gateway. CEF field name: PanOSLocation EMAIL field name: Location HTTPS field name: Location LEEF field name: Location |
gw_logout_time
(LOGOUT TIME)
| The UTC time in milliseconds when the GlobalProtect client logged out from the
gateway. CEF field name: PanOSGatewayLogoutTime EMAIL field name: GatewayLogoutTime HTTPS field name: GatewayLogoutTime LEEF field name: GatewayLogoutTime |
gw_packet_loss
(PACKET LOSS)
| The percentage of packets lost from gateway traffic. CEF field name: PanOSPacketLoss EMAIL field name: PacketLoss HTTPS field name: PacketLoss LEEF field name: PacketLoss |
gw_reachable
(GATEWAY REACHABLE)
| Indicates whether the gateway is reachable. CEF field name: PanOSGatewayReachable EMAIL field name: GatewayReachable HTTPS field name: GatewayReachable LEEF field name: GatewayReachable |
gw_server_cert
(GATEWAY SSL CERTIFICATE VALID)
| Indicates whether the gateway server certificate is valid. CEF field name: PanOSGatewaySSLCertificateValid EMAIL field name: GatewaySSLCertificateValid HTTPS field name: GatewaySSLCertificateValid LEEF field name: GatewaySSLCertificateValid |
gw_ssl_failure_reason
(SSL FAILURE REASON)
| The reason why the SSL tunnel connection failed. CEF field name: PanOSSSLFailureReason EMAIL field name: SSLFailureReason HTTPS field name: SSLFailureReason LEEF field name: SSLFailureReason |
gw_status
(GATEWAY STATUS)
| The status of the GlobalProtect gateway. CEF field name: PanOSGatewayStatus EMAIL field name: GatewayStatus HTTPS field name: GatewayStatus LEEF field name: GatewayStatus |
gw_tunnel_renamed
(TUNNEL RENAME)
| Indicates whether the pre-logon tunnel was renamed to a user
tunnel. CEF field name: PanOSTunnelRename EMAIL field name: TunnelRename HTTPS field name: TunnelRename LEEF field name: TunnelRename |
has_privileges
(PRIVILEGES)
| Indicates whether GlobalProtect has the necessary permissions on the endpoint to
function. CEF field name: PanOSPrivileges EMAIL field name: Privileges HTTPS field name: Privileges LEEF field name: Privileges |
host_gmt_timeoffset
(HOST TIME OFFSET)
| The difference between the time zone of the endpoint and GMT. Syslog field name: Syslog Field Order CEF field name: dtz EMAIL field name: HostTimeOffset HTTPS field name: HostTimeOffset LEEF field name: HostTimeOffset |
host_id
(GLOBALPROTECT HOST ID)
| The unique identifier created by GlobalProtect for the endpoint. Syslog field name: Syslog Field Order CEF field name: PanOSHostID EMAIL field name: HostID HTTPS field name: HostID LEEF field name: HostID |
host_name
(HOSTNAME)
| The host name of the endpoint. Syslog field name: Syslog Field Order CEF field name: dvchost EMAIL field name: Hostname HTTPS field name: Hostname LEEF field name: identHostName |
install_history
(INSTALL HISTORY)
| Indicates whether GlobalProtect is newly installed, upgraded, or downgraded. CEF field name: PanOSInstallHistory EMAIL field name: InstallHistory HTTPS field name: InstallHistory LEEF field name: InstallHistory |
internal_network
(INTERNAL NETWORK)
| Indicates whether the endpoint is in an internal network. CEF field name: PanOSInternalNetwork EMAIL field name: InternalNetwork HTTPS field name: InternalNetwork LEEF field name: InternalNetwork |
internet_access
(INTERNET ACCESS)
| Indicates whether the endpoint has internet access. CEF field name: PanOSInternetAccess EMAIL field name: InternetAccess HTTPS field name: InternetAccess LEEF field name: InternetAccess |
jail_broken
(JAILBROKEN STATUS)
| Indicates whether the mobile device is jailbroken. CEF field name: PanOSJailbrokenStatus EMAIL field name: JailbrokenStatus HTTPS field name: JailbrokenStatus LEEF field name: JailbrokenStatus |
last_hip_report_time
(LAST HIP REPORT TIME)
| The last time GlobalProtect sent a Host Information Profile (HIP) report. CEF field name: PanOSLastHIPReportTime EMAIL field name: LastHIPReportTime HTTPS field name: LastHIPReportTime LEEF field name: LastHIPReportTime |
last_logout_time
(LAST LOGOUT TIME)
| The last time a user logged out of GlobalProtect in millisecond UTC. CEF field name: PanOSLastLogoutTime EMAIL field name: LastLogoutTime HTTPS field name: LastLogoutTime LEEF field name: LastLogoutTime |
locale
(LOCALE)
| The language locale name. Example: en-us;English (United States) Syslog field name: Syslog Field Order CEF field name: PanOSLocale EMAIL field name: Locale HTTPS field name: Locale LEEF field name: Locale |
log_type.value
(LOG TYPE)
| A required LEEF header field that describes the log type. In this case,
GlobalProtect Troubleshooting .Syslog field name: Syslog Field Order CEF field name: Device Event Class ID EMAIL field name: LogType HTTPS field name: LogType LEEF field name: cat |
memory_total
(TOTAL MEMORY)
| The total memory on the endpoint. CEF field name: PanOSTotalMemory EMAIL field name: TotalMemory HTTPS field name: TotalMemory LEEF field name: TotalMemory |
memory_usage
(MEMORY USAGE)
| The total memory usage on the endpoint. CEF field name: PanOSMemoryUsage EMAIL field name: MemoryUsage HTTPS field name: MemoryUsage LEEF field name: MemoryUsage |
memory_usage_gp
(GLOBALPROTECT MEMORY USAGE)
| The memory resources used by GlobalProtect on the endpoint. CEF field name: PanOSGlobalProtectMemoryUsage EMAIL field name: GlobalProtectMemoryUsage HTTPS field name: GlobalProtectMemoryUsage LEEF field name: GlobalProtectMemoryUsage |
network_access
(NETWORK ACCESS)
| Indicates whether the endpoint has network access. CEF field name: PanOSNetworkAccess EMAIL field name: NetworkAccess HTTPS field name: NetworkAccess LEEF field name: NetworkAccess |
network_latency
(PORTALGATEWAY LATENCY)
| The network latency in milliseconds. CEF field name: PanOSPortalGatewayLatency EMAIL field name: PortalGatewayLatency HTTPS field name: PortalGatewayLatency LEEF field name: PortalGatewayLatency |
os
(OPERATING SYSTEM)
| The operating system of the device from which a user is reporting an issue. Syslog field name: Syslog Field Order CEF field name: PanOSOperatingSystem EMAIL field name: OperatingSystem HTTPS field name: OperatingSystem LEEF field name: OperatingSystem |
panorama_serial
(PANORAMA SN)
|
Panorama Serial associated with CDL.
CEF field name: PanOSPanoramaSN EMAIL field name: PanoramaSN HTTPS field name: PanoramaSN LEEF field name: PanoramaSN |
portal_address
(PORTAL ADDRESS)
| The IP address of the last connected GlobalProtect portal. CEF field name: PanOSPortalAddress EMAIL field name: PortalAddress HTTPS field name: PortalAddress LEEF field name: PortalAddress |
portal_auth
(PORTAL AUTHENTICATION)
| The authentication methods used to connect to the GlobalProtect portal. CEF field name: PanOSPortalAuthentication EMAIL field name: PortalAuthentication HTTPS field name: PortalAuthentication LEEF field name: PortalAuthentication |
portal_cached_config
(CACHED CONFIGURATION)
| Indicates whether the client is using a cached configuration to connect to the
GlobalProtect portal. CEF field name: PanOSCachedConfiguration EMAIL field name: CachedConfiguration HTTPS field name: CachedConfiguration LEEF field name: CachedConfiguration |
portal_config_name
(PORTAL CONFIGURATION NAME)
| The name of the GlobalProtect portal configuration if the client is connected to a
portal. CEF field name: PanOSPortalConfigurationName EMAIL field name: PortalConfigurationName HTTPS field name: PortalConfigurationName LEEF field name: PortalConfigurationName |
portal_config_refresh
(CONFIGURATION REFRESH)
| Indicates whether the GlobalProtect portal configuration has been refreshed. CEF field name: PanOSConfigurationRefresh EMAIL field name: ConfigurationRefresh HTTPS field name: ConfigurationRefresh LEEF field name: ConfigurationRefresh |
portal_last_connect_time
(LAST CONNECT TIME)
| The last time the client connected to a GlobalProtect portal. CEF field name: flexDate1 EMAIL field name: LastConnectTime HTTPS field name: LastConnectTime LEEF field name: LastConnectTime |
portal_reachable
(PORTAL REACHABLE)
| Indicates whether the GlobalProtect portal is reachable and accepts a TCP connection. CEF field name: PanOSPortalReachable EMAIL field name: PortalReachable HTTPS field name: PortalReachable LEEF field name: PortalReachable |
portal_server_cert
(PORTAL SSL CERTIFICATE VALID)
| Indicates whether the portal has a valid server certificate. CEF field name: PanOSPortalSSLCertificateValid EMAIL field name: PortalSSLCertificateValid HTTPS field name: PortalSSLCertificateValid LEEF field name: PortalSSLCertificateValid |
portal_status
(PORTAL STATUS)
| The status of the portal before the user reported an issue. CEF field name: PanOSPortalStatus EMAIL field name: PortalStatus HTTPS field name: PortalStatus LEEF field name: PortalStatus |
proxy_server
(PROXY SERVER)
| Indicates whether the endpoint is behind a proxy server. CEF field name: PanOSProxyServer EMAIL field name: ProxyServer HTTPS field name: ProxyServer LEEF field name: ProxyServer |
report_id
(REPORT ID)
| The unique identifier for each issue reported by a user from the GlobalProtect app. Syslog field name: Syslog Field Order CEF field name: rt EMAIL field name: GeneratedTime HTTPS field name: GeneratedTime LEEF field name: devTime |
report_time
(GENERATED TIME)
| The UTC in milliseconds when GlobalProtect sent a report. Syslog field name: Syslog Field Order CEF field name: PanOSReportID EMAIL field name: ReportID HTTPS field name: ReportID LEEF field name: ReportID |
report_type
(REPORT TYPE)
| Indicates the type of the report: troubleshooting or diagnostic. Syslog field name: Syslog Field Order CEF field name: Name EMAIL field name: ReportType HTTPS field name: ReportType LEEF field name: EventID |
serial_number
(ENDPOINT SERIAL NUMBER)
| The serial number of the device. Syslog field name: Syslog Field Order CEF field name: deviceExternalId EMAIL field name: SerialNumber HTTPS field name: SerialNumber LEEF field name: SerialNumber |
server_performance
(SERVER PERFORMANCE)
| The network latency of various destination URLs configured by an administrator on
Panorama. CEF field name: PanOSServerPerformance EMAIL field name: ServerPerformance HTTPS field name: ServerPerformance LEEF field name: ServerPerformance |
split_tunnel_status
(SPLIT-TUNNEL CONFIGURATION)
| Indicates the status of a split tunnel configured on GlobalProtect. CEF field name: PanOSSplit-tunnelconfiguration EMAIL field name: Split-tunnelconfiguration HTTPS field name: Split-tunnelconfiguration LEEF field name: Split-tunnelconfiguration |
user_comment
(USER COMMENT)
| Comments that the user submitted with their issue report. CEF field name: PanOSUserComment EMAIL field name: UserComment HTTPS field name: UserComment LEEF field name: UserComment |
user_name
(USERNAME)
| The name of the user who reported an issue. Syslog field name: Syslog Field Order CEF field name: PanOSUsername EMAIL field name: Username HTTPS field name: Username LEEF field name: usrName |