Event Descriptions for the GlobalProtect Logs in PAN-OS

Event descriptions for the GlobalProtect portal, gateway, and Clientless VPN logs in PAN-OS.
Where Can I Use This?
  • NGFW (managed by Panorama)
What Do I Need?
  • GlobalProtect Subscription License
Use the following descriptions to help you identify GlobalProtect portal, gateway, or Clientless VPN events when viewing GlobalProtect logs in PAN-OS at Monitor > Logs > GlobalProtect:

Portal Event Details

The following table describes log events related to the GlobalProtect portal.
Event | Description
portal-auth
Indicates a GlobalProtect portal authentication stage. See Status for results.
portal-gen-cookie
Indicates a GlobalProtect portal authentication override cookie generation event. See Status for results.
portal-getconfig
Indicates a GlobalProtect portal event for generating GlobalProtect client configuration, such as dynamic app configuration or gateway list.
portal-prelogin
Indicates a GlobalProtect portal pre-login event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.
Because this event occurs before the VPN tunnel is established, system log entries for portal-prelogin capture the client's public IP address. To verify source region visibility before login, filter Monitor > Logs > System using ( eventid eq portal-prelogin ), as described in identifying a client's public IP before tunnel establishment.

Gateway Event Details

The following table describes log events related to the GlobalProtect gateway.
Event | Description
gateway-agent-msg
Indicates a GlobalProtect gateway event for a message received from the GlobalProtect client, such as GlobalProtect client disable reason message.
When the GlobalProtect app is disabled using a ticket-based override, the gateway logs the agent disable event details, including the Message, Comment, and overrides fields.
gateway-auth
Indicates a GlobalProtect gateway authentication stage. See Status for results.
gateway-config-release
Indicates a GlobalProtect gateway event for configuration release, such as remove ip-user mapping or remove tunnel.
gateway-connected
Indicates a GlobalProtect gateway event for a GlobalProtect client successful connection for tunnel or non-tunnel mode.
gateway-framed-ip
Indicates a GlobalProtect gateway event where the gateway retrieved a framed IPv4 address from RADIUS for a GlobalProtect client.
gateway-getconfig
Indicates a GlobalProtect gateway event for generating GlobalProtect client configuration, such as split-tunnel, virtual IP, or tunnel information.
gateway-hip-check
Indicates a GlobalProtect gateway event to confirm whether a GlobalProtect HIP report was updated or not, and to refresh ip-user mapping. Refer to the description for latency reported information. Examples include items such as HIP report is not needed or HIP report is needed.
gateway-hip-report
Indicates a GlobalProtect gateway event to confirm whether a HIP report was received from a GlobalProtect client, to update ip-user mapping, and to enforce HIP policy.
gateway-inheritance
Indicates a GlobalProtect gateway event where a GlobalProtect gateway is using a dynamic IP address and the IP address changed.
gateway-logout
Indicates a GlobalProtect gateway event for a GlobalProtect client logout.
gateway-prelogin
Indicates a GlobalProtect gateway event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.
gateway-register
Indicates that GlobalProtect client user information, such as username, domain-name, computer name, hostid, serial number, public ip, or login time, was added on the gateway.
gateway-setup-ipsec
Indicates a GlobalProtect gateway event for setting up an IPSec VPN tunnel.
gateway-setup-ssl
Indicates a GlobalProtect gateway event for setting up an SSL VPN tunnel.
gateway-switch-to-ssl
Indicates a GlobalProtect gateway tunnel switch from IPSec to SSL because the IPSec tunnel was not successful.
gateway-tunnel-latency
Indicates GlobalProtect gateway latency provided by a GlobalProtect client. Refer to the description for the reported latency information, such as Pre-tunnel latency: 10ms or Post-tunnel latency: 1ms.
quarantine-add
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is added to the quarantine list.
quarantine-delete
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is removed from the quarantine list.

GlobalProtect App Disable Event Details

When the GlobalProtect® gateway logs a gateway-agent-msg event for an app disable, the system log entry contains the following fields.
Field | Value | Description
Message | Agent Disable | The GlobalProtect app was disabled.
Comment | method:with-ticket | The app was disabled using a ticket-based override. An admin generates a time-limited ticket that authorizes the end user to disable the GlobalProtect app.
overrides | Integer | Number of active overrides currently in effect.
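
A triage sketch for the app disable fields above, added here as an example and not taken from Palo Alto Networks documentation or code: it picks ticket-based app disable events out of gateway-agent-msg records and summarizes them per user. The record keys (time, user, eventid, description) and the comma-separated description layout are assumptions; map them to however your log export presents the Message, Comment, and overrides fields.

```python
import re
from collections import defaultdict

# Constructed sample records. The key names and the comma-separated
# "description" layout are assumptions, not the PAN-OS export format.
_D = "Message: Agent Disable, Comment: method:with-ticket, overrides: "
SAMPLE_LOGS = [
    {"time": "09:00", "user": "alice", "eventid": "gateway-connected", "description": ""},
    {"time": "09:30", "user": "alice", "eventid": "gateway-agent-msg", "description": _D + "1"},
    {"time": "11:00", "user": "alice", "eventid": "gateway-agent-msg", "description": _D + "2"},
    {"time": "11:05", "user": "bob", "eventid": "gateway-agent-msg", "description": _D + "1"},
    {"time": "11:06", "user": "bob", "eventid": "gateway-agent-msg",
     "description": "Message: constructed non-disable client message"},
    {"time": "12:00", "user": "carol", "eventid": "gateway-agent-msg", "description": _D + "n/a"},
]

FIELD_RE = re.compile(r"(Message|Comment|overrides):\s*([^,]+)")

def parse_disable(record):
    """Return the disable fields for a ticket-based app disable, else None."""
    if record.get("eventid") != "gateway-agent-msg":
        return None  # only gateway-agent-msg carries the disable message
    fields = {k: v.strip() for k, v in FIELD_RE.findall(record.get("description", ""))}
    if fields.get("Message") != "Agent Disable":
        return None
    if fields.get("Comment") != "method:with-ticket":
        return None
    try:
        overrides = int(fields["overrides"])
    except (KeyError, ValueError):
        overrides = None  # missing or non-integer: keep the event, mark for review
    return {"time": record["time"], "user": record["user"], "overrides": overrides}

def summarize_disables(records, max_per_user=1):
    """Per-user count of ticket-based disables and the highest overrides value seen."""
    per_user = defaultdict(list)
    for rec in records:
        hit = parse_disable(rec)
        if hit:
            per_user[hit["user"]].append(hit)
    report = {}
    for user, hits in per_user.items():
        counts = [h["overrides"] for h in hits if h["overrides"] is not None]
        report[user] = {
            "disable_events": len(hits),
            "peak_overrides": max(counts, default=None),
            # Review repeated disables and entries whose overrides field did not parse.
            "needs_review": len(hits) > max_per_user or len(counts) != len(hits),
        }
    return report

if __name__ == "__main__":
    for user, row in sorted(summarize_disables(SAMPLE_LOGS).items()):
        print(user, row)
```

The max_per_user threshold is an arbitrary starting point; tune it to how often your help desk issues disable tickets.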

Clientless VPN Event Details

The following table describes log events related to the GlobalProtect Clientless VPN.
Event | Description
clientlessvpn-login
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN login.
clientlessvpn-logout
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN logout.
clientlessvpn-prelogin
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN. As a part of the event, the following takes place:
  • Certificate: validate whether a client certificate is valid.
  • SAML: generate a SAML request and send it back to a GlobalProtect client.
  • Kerberos: trigger a Kerberos authentication process.