Strata Logging Service

GlobalProtect
GlobalProtect logs identify network traffic between a GlobalProtect portal or gateway and GlobalProtect apps.

The following table lists each GlobalProtect log field by its field name and display name (in parentheses), followed by its description and the name the field carries in each supported log format (Syslog, CEF, EMAIL, HTTPS, and LEEF). Where the Syslog entry reads "Syslog Field Order", refer to the Syslog Field Order reference for the field's position in the Syslog record.

GLOBALPROTECT Field (Display Name)
Description
attempted_gateways
(ATTEMPTED GATEWAYS)
String of all gateways that were available and attempted for the client location. Contains the gateway name, SSL response time, and priority, separated by semicolons.
Syslog field name: Syslog Field Order
CEF field name: PanOSAttemptedGateways
EMAIL field name: AttemptedGateways
HTTPS field name: AttemptedGateways
LEEF field name: AttemptedGateways
auth_method
(AUTH METHOD)
Authentication method used for the GlobalProtect connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSAuthMethod
EMAIL field name: AuthMethod
HTTPS field name: AuthMethod
LEEF field name: AuthMethod
config_version.value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
connect_method
(CONNECTION METHOD)
Identifies how the GlobalProtect app connected to the gateway, for example on-demand or user-logon.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionMethod
EMAIL field name: ConnectionMethod
HTTPS field name: ConnectionMethod
LEEF field name: ConnectionMethod
connection_error.id
(CONNECTION ERROR ID)
Enumeration integer assigned to the connection_error field value.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionErrorID
EMAIL field name: ConnectionErrorID
HTTPS field name: ConnectionErrorID
LEEF field name: ConnectionErrorID
connection_error.value
(CONNECTION ERROR)
Error information for unsuccessful connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionError
EMAIL field name: ConnectionError
HTTPS field name: ConnectionError
LEEF field name: ConnectionError
count_of_repeats
(COUNT OF REPEATS)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: PanOSCountOfRepeats
EMAIL field name: CountOfRepeats
HTTPS field name: CountOfRepeats
LEEF field name: CountOfRepeats
customer_id
(TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
endpoint_device_name
(ENDPOINT DEVICE NAME)
Name of the device that the user used for the connection.
Syslog field name: Syslog Field Order
CEF field name: shost
EMAIL field name: EndpointDeviceName
HTTPS field name: EndpointDeviceName
LEEF field name: EndpointDeviceName
endpoint_gp_version
(GLOBALPROTECT CLIENT VERSION)
GlobalProtect client version number.
Syslog field name: Syslog Field Order
EMAIL field name: GlobalProtectClientVersion
HTTPS field name: GlobalProtectClientVersion
endpoint_os_type
(ENDPOINT OS TYPE)
OS type of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSType
EMAIL field name: EndpointOSType
HTTPS field name: EndpointOSType
LEEF field name: EndpointOSType
endpoint_os_version
(ENDPOINT OS VERSION)
OS version of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSVersion
EMAIL field name: EndpointOSVersion
HTTPS field name: EndpointOSVersion
LEEF field name: EndpointOSVersion
endpoint_serial_number
(ENDPOINT SN)
ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointSN
EMAIL field name: EndpointSN
HTTPS field name: EndpointSN
LEEF field name: EndpointSN
event_id.value
(EVENT ID VALUE)
The name of the event.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: EventIDValue
HTTPS field name: EventIDValue
LEEF field name: EventID
gateway
(GATEWAY)
Selected Gateway for the connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSGateway
EMAIL field name: Gateway
HTTPS field name: Gateway
LEEF field name: Gateway
gateway_priority.value
(GATEWAY PRIORITY)
Priority of the gateway, retrieved from the portal configuration.
Syslog field name: Syslog Field Order
CEF field name: PanOSGatewayPriority
EMAIL field name: GatewayPriority
HTTPS field name: GatewayPriority
LEEF field name: GatewayPriority
gateway_selection_type
(GATEWAY SELECTION TYPE)
Gateway selection method, i.e., automatic, preferred, or manual.
Syslog field name: Syslog Field Order
EMAIL field name: GatewaySelectionType
HTTPS field name: GatewaySelectionType
LEEF field name: GatewaySelectionType
gpg_location
(GLOBALPROTECT GATEWAY LOCATION)
Location of the GlobalProtect gateway.
Syslog field name: Syslog Field Order
host_id
(HOST ID)
Unique identifier GlobalProtect has assigned to the host.
Syslog field name: Syslog Field Order
CEF field name: PanOSHostID
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premises log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premises.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated by a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premises.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: sourceServiceName
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the log source group (logSourceGroupId) of the log; that is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
If the log is generated by Prisma Access, the serial number is not displayed.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
login_duration
(LOGIN DURATION)
Duration for which the connected user was logged on.
Syslog field name: Syslog Field Order
CEF field name: PanOSLoginDuration
EMAIL field name: LoginDuration
HTTPS field name: LoginDuration
LEEF field name: LoginDuration
opaque
(DESCRIPTION)
Additional information regarding the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSDescription
EMAIL field name: Description
HTTPS field name: Description
LEEF field name: Description
panorama_serial
(PANORAMA SN)
Panorama serial number associated with Cortex Data Lake (CDL).
CEF field name: PanOSPanoramaSN
EMAIL field name: PanoramaSN
HTTPS field name: PanoramaSN
LEEF field name: PanoramaSN
platform_type
(PLATFORM TYPE)
The platform type. Valid types are VM, PA, NGFW, and CNGFW.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
portal
(PORTAL)
GlobalProtect portal or gateway that the user connected to.
Syslog field name: Syslog Field Order
CEF field name: PanOSPortal
EMAIL field name: Portal
HTTPS field name: Portal
LEEF field name: Portal
private_ip.value
(PRIVATE IPV4)
Private IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv4
EMAIL field name: PrivateIPv4
HTTPS field name: PrivateIPv4
LEEF field name: PrivateIPv4
private_ipv6.value
(PRIVATE IPV6)
Private IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv6
EMAIL field name: PrivateIPv6
HTTPS field name: PrivateIPv6
LEEF field name: PrivateIPv6
project_name
(PROJECT NAME)
Reserved for future use.
CEF field name: ProjectName
EMAIL field name: ProjectName
HTTPS field name: ProjectName
LEEF field name: ProjectName
public_ip.value
(PUBLIC IPV4)
Public IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: src
EMAIL field name: PublicIPv4
HTTPS field name: PublicIPv4
LEEF field name: PublicIPv4
public_ipv6.value
(PUBLIC IPV6)
Public IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: c6a2
EMAIL field name: PublicIPv6
HTTPS field name: PublicIPv6
LEEF field name: PublicIPv6
quarantine_reason
(QUARANTINE REASON)
Quarantine reason.
Syslog field name: Syslog Field Order
CEF field name: PanOSQuarantineReason
EMAIL field name: QuarantineReason
HTTPS field name: QuarantineReason
LEEF field name: QuarantineReason
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: PanOSSequenceNo
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
source_region
(SOURCE REGION)
Region of the Gateway (or User) that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceRegion
EMAIL field name: SourceRegion
HTTPS field name: SourceRegion
LEEF field name: SourceRegion
source_user
(SOURCE USER NAME)
The username that connected.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: usrName
source_user_info.domain
(SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF fields: All of the following: sntdom, dntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain
source_user_info.name
(SOURCE USER INFO)
The Source User. That is, the username that initiated the network traffic.
CEF fields: All of the following: suser, duser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName
source_user_info.uuid
(SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF fields: All of the following: suid, duid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID
ssl_response_time
(SSL RESPONSE TIME)
SSL response time in milliseconds.
Syslog field name: Syslog Field Order
CEF field name: PanOSSSLResponseTime
EMAIL field name: SSLResponseTime
HTTPS field name: SSLResponseTime
LEEF field name: SSLResponseTime
stage
(STAGE)
Name of the stage in the GlobalProtect connection workflow.
Syslog field name: Syslog Field Order
CEF field name: PanOSStage
EMAIL field name: Stage
HTTPS field name: Stage
LEEF field name: Stage
status.value
(EVENT STATUS)
The status (success or failure) of the event.
Syslog field name: Syslog Field Order
CEF field name: outcome
EMAIL field name: EventStatus
HTTPS field name: EventStatus
LEEF field name: EventStatus
sub_type.value
(LOG SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: PanOSLogSubtype
EMAIL field name: LogSubtype
HTTPS field name: LogSubtype
LEEF field name: SubType
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
tunnel
(TUNNEL TYPE)
Tunnel type, i.e., SSL or VPN.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelType
EMAIL field name: TunnelType
HTTPS field name: TunnelType
LEEF field name: TunnelType
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL SYSTEM)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystem
EMAIL field name: VirtualSystem
HTTPS field name: VirtualSystem
LEEF field name: VirtualSystem
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName