>
    GlobalProtect App Troubleshooting
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Endpoint Logs
    4. GlobalProtect App Troubleshooting
    Download PDF
    Strata Logging Service

    GlobalProtect App Troubleshooting

    Table of Contents

    GlobalProtect App Troubleshooting

    GlobalProtect troubleshooting logs contain information about the GlobalProtect client and its host to help app users resolve issues.
    See the following for information related to supported log formats:
    GLOBALPROTECT APP TROUBLESHOOTING Field
    (Display Name)
    Description
    app_tampered
    (APP TAMPERED)
    Indicates whether application files on the endpoint were tampered with or modified.
    CEF field name: PanOSAppTampered
    EMAIL field name: AppTampered
    HTTPS field name: AppTampered
    LEEF field name: AppTampered
    captive_portal
    (CAPTIVE PORTAL)
    Indicates whether the endpoint is behind a captive portal.
    CEF field name: PanOSCaptivePortal
    EMAIL field name: CaptivePortal
    HTTPS field name: CaptivePortal
    LEEF field name: CaptivePortal
    cpu_usage
    (CPU USAGE)
    The percentage of overall CPU usage on the endpoint.
    CEF field name: PanOSCPUUsage
    EMAIL field name: CPUUsage
    HTTPS field name: CPUUsage
    LEEF field name: CPUUsage
    cpu_usage_gp
    (GLOBALPROTECT CPU USAGE)
    The percentage of the endpoint's CPU resources used by GlobalProtect.
    CEF field name: PanOSGlobalProtectCPUUsage
    EMAIL field name: GlobalProtectCPUUsage
    HTTPS field name: GlobalProtectCPUUsage
    LEEF field name: GlobalProtectCPUUsage
    crash_history
    (CRASH HISTORY)
    A record of any GlobalProtect application crashes.
    CEF field name: PanOSCrashHistory
    EMAIL field name: CrashHistory
    HTTPS field name: CrashHistory
    LEEF field name: CrashHistory
    debug_log_file_name
    (DEBUG LOG FILE)
    The name of a file containing debug logs.
    CEF field name: PanOSDebugLogFile
    EMAIL field name: DebugLogFile
    HTTPS field name: DebugLogFile
    LEEF field name: DebugLogFile
    disable_history
    (DISABLE HISTORY)
    A record of the times that GlobalProtect was disabled.
    CEF field name: PanOSDisableHistory
    EMAIL field name: DisableHistory
    HTTPS field name: DisableHistory
    LEEF field name: DisableHistory
    disk_available
    (DISK AVAILABLE)
    The disk space remaining on the endpoint.
    CEF field name: PanOSDiskAvailable
    EMAIL field name: DiskAvailable
    HTTPS field name: DiskAvailable
    LEEF field name: DiskAvailable
    disk_total
    (TOTAL DISK SPACE)
    The total disk space on the endpoint.
    CEF field name: PanOSTotalDiskSpace
    EMAIL field name: TotalDiskSpace
    HTTPS field name: TotalDiskSpace
    LEEF field name: TotalDiskSpace
    dns_reachable
    (DNS REACHABLE)
    Indicates whether the endpoint can reach internet DNS servers.
    CEF field name: PanOSDNSReachable
    EMAIL field name: DNSReachable
    HTTPS field name: DNSReachable
    LEEF field name: DNSReachable
    dual_stack_network
    (DUAL STACK TUNNEL INTERFACE)
    Indicates whether the GlobalProtect interface is both IPv4 and IPv6 compatible.
    CEF field name: PanOSDualStackTunnelInterface
    EMAIL field name: DualStackTunnelInterface
    HTTPS field name: DualStackTunnelInterface
    LEEF field name: DualStackTunnelInterface
    enforcer_status
    (ENFORCER STATUS)
    Indicated whether GlobalProtect is enforced for network access.
    CEF field name: PanOSEnforcerStatus
    EMAIL field name: EnforcerStatus
    HTTPS field name: EnforcerStatus
    LEEF field name: EnforcerStatus
    error
    (ERROR MESSAGE)
    The last error that occurred in GlobalProtect.
    Syslog field name: Syslog Field Order
    CEF field name: reason
    EMAIL field name: ErrorMessage
    HTTPS field name: ErrorMessage
    LEEF field name: ErrorMessage
    error_details
    (ERROR DETAILS)
    Details that help troubleshoot an error.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSErrorDetails
    EMAIL field name: ErrorDetails
    HTTPS field name: ErrorDetails
    LEEF field name: ErrorDetails
    error_stage
    (ERROR STAGE)
    The stage when an error occurred.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSErrorStage
    EMAIL field name: ErrorStage
    HTTPS field name: ErrorStage
    LEEF field name: ErrorStage
    error_time
    (ERROR GENERATED TIME)
    The UTC time in milliseconds when a GlobalProtect error occurred.
    Syslog field name: Syslog Field Order
    CEF field name: start
    EMAIL field name: ErrorGeneratedTime
    HTTPS field name: ErrorGeneratedTime
    LEEF field name: ErrorGeneratedTime
    gp_mtu
    (GLOBALPROTECT MTU)
    The maximum transmission unit of GlobalProtect.
    CEF field name: PanOSGlobalProtectMTU
    EMAIL field name: GlobalProtectMTU
    HTTPS field name: GlobalProtectMTU
    LEEF field name: GlobalProtectMTU
    gp_version
    (GLOBALPROTECT VERSION)
    The GlobalProtect application version.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGlobalProtectVersion
    EMAIL field name: GlobalProtectVersion
    HTTPS field name: GlobalProtectVersion
    LEEF field name: GlobalProtectVersion
    gw_address
    (GATEWAY ADDRESS)
    The IP address of the GlobalProtect gateway.
    CEF field name: PanOSGatewayAddress
    EMAIL field name: GatewayAddress
    HTTPS field name: GatewayAddress
    LEEF field name: GatewayAddress
    gw_attempted
    (ATTEMPTED GATEWAYS)
    The gateways attmpted by GlobalProtect before connecting to the current gatway.
    CEF field name: PanOSAttemptedGateways
    EMAIL field name: AttemptedGateways
    HTTPS field name: AttemptedGateways
    LEEF field name: AttemptedGateways
    gw_auth
    (GATEWAY AUTHENTICATION)
    An array of the authentication methods used to connect to the GlobalProtect gateway.
    CEF field name: PanOSGatewayAuthentication
    EMAIL field name: GatewayAuthentication
    HTTPS field name: GatewayAuthentication
    LEEF field name: GatewayAuthentication
    gw_config_name
    (GATEWAY CONFIGURATION NAME)
    The name of the GlobalProtect gateway client settings configuration.
    CEF field name: PanOSGatewayConfigurationName
    EMAIL field name: GatewayConfigurationName
    HTTPS field name: GatewayConfigurationName
    LEEF field name: GatewayConfigurationName
    gw_dlsa_enabled
    (DLSA STATUS)
    Indicates whether local subnet access is enabled.
    CEF field name: PanOSDLSAstatus
    EMAIL field name: DLSAstatus
    HTTPS field name: DLSAstatus
    LEEF field name: DLSAstatus
    gw_fall_back_to_ssl
    (FALLBACK TO SSL REASON)
    The reason why the GlobalProtect client fell back to SSL to connect to the gateway.
    CEF field name: PanOSFallbacktoSSLReason
    EMAIL field name: FallbacktoSSLReason
    HTTPS field name: FallbacktoSSLReason
    LEEF field name: FallbacktoSSLReason
    gw_ipsec_enabled
    (IPSEC ENABLED)
    Indicates whether IPsec tunnel mode s enabled.
    CEF field name: PanOSIPSecEnabled
    EMAIL field name: IPSecEnabled
    HTTPS field name: IPSecEnabled
    LEEF field name: IPSecEnabled
    gw_ipsec_failure_reason
    (IPSEC FAILURE REASON)
    The reason why the IPsec tunnel connection failed.
    CEF field name: PanOSIPSecFailureReason
    EMAIL field name: IPSecFailureReason
    HTTPS field name: IPSecFailureReason
    LEEF field name: IPSecFailureReason
    gw_jitter
    (JITTER)
    The gateway jitter in milliseconds.
    CEF field name: PanOSJitter
    EMAIL field name: Jitter
    HTTPS field name: Jitter
    LEEF field name: Jitter
    gw_latency
    (LATENCY)
    The gateway latency in milliseconds.
    CEF field name: PanOSLatency
    EMAIL field name: Latency
    HTTPS field name: Latency
    LEEF field name: Latency
    gw_location
    (LOCATION)
    The geographic location of the gateway.
    CEF field name: PanOSLocation
    EMAIL field name: Location
    HTTPS field name: Location
    LEEF field name: Location
    gw_logout_time
    (LOGOUT TIME)
    The UTC time in milliseconds when the GlobalProtect client logged out from the gateway.
    CEF field name: PanOSGatewayLogoutTime
    EMAIL field name: GatewayLogoutTime
    HTTPS field name: GatewayLogoutTime
    LEEF field name: GatewayLogoutTime
    gw_packet_loss
    (PACKET LOSS)
    The percentage of packets lost from gateway traffic.
    CEF field name: PanOSPacketLoss
    EMAIL field name: PacketLoss
    HTTPS field name: PacketLoss
    LEEF field name: PacketLoss
    gw_reachable
    (GATEWAY REACHABLE)
    Indicates whether the gateway is reachable.
    CEF field name: PanOSGatewayReachable
    EMAIL field name: GatewayReachable
    HTTPS field name: GatewayReachable
    LEEF field name: GatewayReachable
    gw_server_cert
    (GATEWAY SSL CERTIFICATE VALID)
    Indicates whether the gateway server certificate is valid.
    CEF field name: PanOSGatewaySSLCertificateValid
    EMAIL field name: GatewaySSLCertificateValid
    HTTPS field name: GatewaySSLCertificateValid
    LEEF field name: GatewaySSLCertificateValid
    gw_ssl_failure_reason
    (SSL FAILURE REASON)
    The reason why the SSL tunnel connection failed.
    CEF field name: PanOSSSLFailureReason
    EMAIL field name: SSLFailureReason
    HTTPS field name: SSLFailureReason
    LEEF field name: SSLFailureReason
    gw_status
    (GATEWAY STATUS)
    The status of the GlobalProtect gateway.
    CEF field name: PanOSGatewayStatus
    EMAIL field name: GatewayStatus
    HTTPS field name: GatewayStatus
    LEEF field name: GatewayStatus
    gw_tunnel_renamed
    (TUNNEL RENAME)
    Indicates whether the pre-logon tunnel was renamed to a user tunnel.
    CEF field name: PanOSTunnelRename
    EMAIL field name: TunnelRename
    HTTPS field name: TunnelRename
    LEEF field name: TunnelRename
    has_privileges
    (PRIVILEGES)
    Indicates whether GlobalProtect has the necessary permissions on the endpoint to function.
    CEF field name: PanOSPrivileges
    EMAIL field name: Privileges
    HTTPS field name: Privileges
    LEEF field name: Privileges
    host_gmt_timeoffset
    (HOST TIME OFFSET)
    The difference between the time zone of the endpoint and GMT.
    Syslog field name: Syslog Field Order
    CEF field name: dtz
    EMAIL field name: HostTimeOffset
    HTTPS field name: HostTimeOffset
    LEEF field name: HostTimeOffset
    host_id
    (GLOBALPROTECT HOST ID)
    The unique identifier created by GlobalProtect for the endpoint.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHostID
    EMAIL field name: HostID
    HTTPS field name: HostID
    LEEF field name: HostID
    host_name
    (HOSTNAME)
    The host name of the endpoint.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: Hostname
    HTTPS field name: Hostname
    LEEF field name: identHostName
    install_history
    (INSTALL HISTORY)
    Indicates whether GlobalProtect is newly installed, upgraded, or downgraded.
    CEF field name: PanOSInstallHistory
    EMAIL field name: InstallHistory
    HTTPS field name: InstallHistory
    LEEF field name: InstallHistory
    internal_network
    (INTERNAL NETWORK)
    Indicates whether the endpoint is in an internal network.
    CEF field name: PanOSInternalNetwork
    EMAIL field name: InternalNetwork
    HTTPS field name: InternalNetwork
    LEEF field name: InternalNetwork
    internet_access
    (INTERNET ACCESS)
    Indicates whether the endpoint has internet access.
    CEF field name: PanOSInternetAccess
    EMAIL field name: InternetAccess
    HTTPS field name: InternetAccess
    LEEF field name: InternetAccess
    jail_broken
    (JAILBROKEN STATUS)
    Indicates whether the mobile device is jailbroken.
    CEF field name: PanOSJailbrokenStatus
    EMAIL field name: JailbrokenStatus
    HTTPS field name: JailbrokenStatus
    LEEF field name: JailbrokenStatus
    last_hip_report_time
    (LAST HIP REPORT TIME)
    The last time GlobalProtect sent a Host Information Profile (HIP) report.
    CEF field name: PanOSLastHIPReportTime
    EMAIL field name: LastHIPReportTime
    HTTPS field name: LastHIPReportTime
    LEEF field name: LastHIPReportTime
    last_logout_time
    (LAST LOGOUT TIME)
    The last time a user logged out of GlobalProtect in millisecond UTC.
    CEF field name: PanOSLastLogoutTime
    EMAIL field name: LastLogoutTime
    HTTPS field name: LastLogoutTime
    LEEF field name: LastLogoutTime
    locale
    (LOCALE)
    The language locale name. Example:
    en-us;English (United States)
    Syslog field name: Syslog Field Order
    CEF field name: PanOSLocale
    EMAIL field name: Locale
    HTTPS field name: Locale
    LEEF field name: Locale
    log_type.​value
    (LOG TYPE)
    A required LEEF header field that describes the log type. In this case, GlobalProtect Troubleshooting.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat
    memory_total
    (TOTAL MEMORY)
    The total memory on the endpoint.
    CEF field name: PanOSTotalMemory
    EMAIL field name: TotalMemory
    HTTPS field name: TotalMemory
    LEEF field name: TotalMemory
    memory_usage
    (MEMORY USAGE)
    The total memory usage on the endpoint.
    CEF field name: PanOSMemoryUsage
    EMAIL field name: MemoryUsage
    HTTPS field name: MemoryUsage
    LEEF field name: MemoryUsage
    memory_usage_gp
    (GLOBALPROTECT MEMORY USAGE)
    The memory resources used by GlobalProtect on the endpoint.
    CEF field name: PanOSGlobalProtectMemoryUsage
    EMAIL field name: GlobalProtectMemoryUsage
    HTTPS field name: GlobalProtectMemoryUsage
    LEEF field name: GlobalProtectMemoryUsage
    network_access
    (NETWORK ACCESS)
    Indicates whether the endpoint has network access.
    CEF field name: PanOSNetworkAccess
    EMAIL field name: NetworkAccess
    HTTPS field name: NetworkAccess
    LEEF field name: NetworkAccess
    network_latency
    (PORTALGATEWAY LATENCY)
    The network latency in milliseconds.
    CEF field name: PanOSPortalGatewayLatency
    EMAIL field name: PortalGatewayLatency
    HTTPS field name: PortalGatewayLatency
    LEEF field name: PortalGatewayLatency
    network_type
    (TYPE)
    The network type that the endpoint is accessing, such as WiFi, Ethernet, or LTE.
    CEF field name: PanOSType
    EMAIL field name: Type
    HTTPS field name: Type
    LEEF field name: Type
    os
    (OPERATING SYSTEM)
    The operating system of the device from which a user is reporting an issue.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSOperatingSystem
    EMAIL field name: OperatingSystem
    HTTPS field name: OperatingSystem
    LEEF field name: OperatingSystem
    panorama_serial
    (PANORAMA SN)
    Panorama Serial associated with CDL.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN
    portal_address
    (PORTAL ADDRESS)
    The IP address of the last connected GlobalProtect portal.
    CEF field name: PanOSPortalAddress
    EMAIL field name: PortalAddress
    HTTPS field name: PortalAddress
    LEEF field name: PortalAddress
    portal_auth
    (PORTAL AUTHENTICATION)
    The authentication methods used to connect to the GlobalProtect portal.
    CEF field name: PanOSPortalAuthentication
    EMAIL field name: PortalAuthentication
    HTTPS field name: PortalAuthentication
    LEEF field name: PortalAuthentication
    portal_cached_config
    (CACHED CONFIGURATION)
    Indicates whether the client is using a cached configuration to connect to the GlobalProtect portal.
    CEF field name: PanOSCachedConfiguration
    EMAIL field name: CachedConfiguration
    HTTPS field name: CachedConfiguration
    LEEF field name: CachedConfiguration
    portal_config_name
    (PORTAL CONFIGURATION NAME)
    The name of the GlobalProtect portal configuration if the client is connected to a portal.
    CEF field name: PanOSPortalConfigurationName
    EMAIL field name: PortalConfigurationName
    HTTPS field name: PortalConfigurationName
    LEEF field name: PortalConfigurationName
    portal_config_refresh
    (CONFIGURATION REFRESH)
    Indicates whether the GlobalProtect portal configuration has been refreshed.
    CEF field name: PanOSConfigurationRefresh
    EMAIL field name: ConfigurationRefresh
    HTTPS field name: ConfigurationRefresh
    LEEF field name: ConfigurationRefresh
    portal_last_connect_time
    (LAST CONNECT TIME)
    The last time the client connected to a GlobalProtect portal.
    CEF field name: flexDate1
    EMAIL field name: LastConnectTime
    HTTPS field name: LastConnectTime
    LEEF field name: LastConnectTime
    portal_reachable
    (PORTAL REACHABLE)
    Indicates whether the GlobalProtect portal is reachable and accepts a TCP connection.
    CEF field name: PanOSPortalReachable
    EMAIL field name: PortalReachable
    HTTPS field name: PortalReachable
    LEEF field name: PortalReachable
    portal_server_cert
    (PORTAL SSL CERTIFICATE VALID)
    Indicates whether the portal has a valid server certificate.
    CEF field name: PanOSPortalSSLCertificateValid
    EMAIL field name: PortalSSLCertificateValid
    HTTPS field name: PortalSSLCertificateValid
    LEEF field name: PortalSSLCertificateValid
    portal_status
    (PORTAL STATUS)
    The status of the portal before the user reported an issue.
    CEF field name: PanOSPortalStatus
    EMAIL field name: PortalStatus
    HTTPS field name: PortalStatus
    LEEF field name: PortalStatus
    proxy_server
    (PROXY SERVER)
    Indicates whether the endpoint is behind a proxy server.
    CEF field name: PanOSProxyServer
    EMAIL field name: ProxyServer
    HTTPS field name: ProxyServer
    LEEF field name: ProxyServer
    report_id
    (REPORT ID)
    The unique identifier for each issue reported by a user from the GlobalProtect app.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: GeneratedTime
    HTTPS field name: GeneratedTime
    LEEF field name: devTime
    report_time
    (GENERATED TIME)
    The UTC in milliseconds when GlobalProtect sent a report.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSReportID
    EMAIL field name: ReportID
    HTTPS field name: ReportID
    LEEF field name: ReportID
    report_type
    (REPORT TYPE)
    Indicates the type of the report: troubleshooting or diagnostic.
    Syslog field name: Syslog Field Order
    CEF field name: Name
    EMAIL field name: ReportType
    HTTPS field name: ReportType
    LEEF field name: EventID
    serial_number
    (ENDPOINT SERIAL NUMBER)
    The serial number of the device.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalId
    EMAIL field name: SerialNumber
    HTTPS field name: SerialNumber
    LEEF field name: SerialNumber
    server_performance
    (SERVER PERFORMANCE)
    The network latency of various destination URLs configured by an administrator on Panorama.
    CEF field name: PanOSServerPerformance
    EMAIL field name: ServerPerformance
    HTTPS field name: ServerPerformance
    LEEF field name: ServerPerformance
    split_tunnel_status
    (SPLIT-TUNNEL CONFIGURATION)
    Indicates the status of a split tunnel configured on GlobalProtect.
    CEF field name: PanOSSplit-tunnelconfiguration
    EMAIL field name: Split-tunnelconfiguration
    HTTPS field name: Split-tunnelconfiguration
    LEEF field name: Split-tunnelconfiguration
    user_comment
    (USER COMMENT)
    Comments that the user submitted with their issue report.
    CEF field name: PanOSUserComment
    EMAIL field name: UserComment
    HTTPS field name: UserComment
    LEEF field name: UserComment
    user_name
    (USERNAME)
    The name of the user who reported an issue.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSUsername
    EMAIL field name: Username
    HTTPS field name: Username
    LEEF field name: usrName

    © 2024 Palo Alto Networks, Inc. All rights reserved.