>
    GlobalProtect
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Network Logs
    4. GlobalProtect
    Download PDF
    Strata Logging Service

    GlobalProtect

    Table of Contents

    GlobalProtect

    GlobalProtect logs identify network traffic between a GlobalProtect portal or gateway, and GlobalProtect apps.
    See the following for information related to supported log formats:
    GLOBALPROTECT Field
    (Display Name)
    Description
    attempted_gateways
    (ATTEMPTED GATEWAYS)
    String of all gateways that were available and attempted for the client location. Contains gateway name, ssl response time, and priority, separated by a semicolon.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAttemptedGateways
    EMAIL field name: AttemptedGateways
    HTTPS field name: AttemptedGateways
    LEEF field name: AttemptedGateways
    auth_method
    (AUTH METHOD)
    Authentication method used for the GlobalProtect connection.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSAuthMethod
    EMAIL field name: AuthMethod
    HTTPS field name: AuthMethod
    LEEF field name: AuthMethod
    config_version.​value
    (CONFIG VERSION)
    Version number of the firewall operating system that wrote this log record.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConfigVersion
    EMAIL field name: ConfigVersion
    HTTPS field name: ConfigVersion
    LEEF field name: ConfigVersion
    connect_method
    (CONNECTION METHOD)
    Identifies how the GlobalProtect app connected to the the Gateway. For example, on-demand or user-logon.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConnectionMethod
    EMAIL field name: ConnectionMethod
    HTTPS field name: ConnectionMethod
    LEEF field name: ConnectionMethod
    connection_error.​id
    (CONNECTION ERROR ID)
    Enumeration integer assigned to the connection_error field value.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConnectionErrorID
    EMAIL field name: ConnectionErrorID
    HTTPS field name: ConnectionErrorID
    LEEF field name: ConnectionErrorID
    connection_error.​value
    (CONNECTION ERROR)
    Error information for unsuccessful connection.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSConnectionError
    EMAIL field name: ConnectionError
    HTTPS field name: ConnectionError
    LEEF field name: ConnectionError
    count_of_repeats
    (COUNT OF REPEATS)
    Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSCountOfRepeats
    EMAIL field name: CountOfRepeats
    HTTPS field name: CountOfRepeats
    LEEF field name: CountOfRepeats
    customer_id
    (TENANT ID)
    The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
    CEF field name: PanOSTenantID
    EMAIL field name: TenantID
    HTTPS field name: TenantID
    LEEF field name: TenantID
    dg_hier_level_1
    (DG HIERARCHY LEVEL 1)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel1
    EMAIL field name: DGHierarchyLevel1
    HTTPS field name: DGHierarchyLevel1
    LEEF field name: DGHierarchyLevel1
    dg_hier_level_2
    (DG HIERARCHY LEVEL 2)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel2
    EMAIL field name: DGHierarchyLevel2
    HTTPS field name: DGHierarchyLevel2
    LEEF field name: DGHierarchyLevel2
    dg_hier_level_3
    (DG HIERARCHY LEVEL 3)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel3
    EMAIL field name: DGHierarchyLevel3
    HTTPS field name: DGHierarchyLevel3
    LEEF field name: DGHierarchyLevel3
    dg_hier_level_4
    (DG HIERARCHY LEVEL 4)
    A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDGHierarchyLevel4
    EMAIL field name: DGHierarchyLevel4
    HTTPS field name: DGHierarchyLevel4
    LEEF field name: DGHierarchyLevel4
    endpoint_device_name
    (ENDPOINT DEVICE NAME)
    Name of the device that the user used for the connection.
    Syslog field name: Syslog Field Order
    CEF field name: shost
    EMAIL field name: EndpointDeviceName
    HTTPS field name: EndpointDeviceName
    LEEF field name: EndpointDeviceName
    endpoint_gp_version
    (GLOBALPROTECT CLIENT VERSION)
    GlobalProtect client version number.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGlobalProtectClientVersion
    EMAIL field name: GlobalProtectClientVersion
    HTTPS field name: GlobalProtectClientVersion
    LEEF field name: GlobalProtectClientVersion
    endpoint_os_type
    (ENDPOINT OS TYPE)
    OS type of the endpoint on which the GlobalProtect client is deployed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointOSType
    EMAIL field name: EndpointOSType
    HTTPS field name: EndpointOSType
    LEEF field name: EndpointOSType
    endpoint_os_version
    (ENDPOINT OS VERSION)
    OS version of the endpoint on which the GlobalProtect client is deployed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointOSVersion
    EMAIL field name: EndpointOSVersion
    HTTPS field name: EndpointOSVersion
    LEEF field name: EndpointOSVersion
    endpoint_serial_number
    (ENDPOINT SN)
    ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSEndpointSN
    EMAIL field name: EndpointSN
    HTTPS field name: EndpointSN
    LEEF field name: EndpointSN
    event_id.​value
    (EVENT ID VALUE)
    The name of the event.
    Syslog field name: Syslog Field Order
    CEF field name: Name
    EMAIL field name: EventIDValue
    HTTPS field name: EventIDValue
    LEEF field name: EventID
    gateway
    (GATEWAY)
    Selected Gateway for the connection.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGateway
    EMAIL field name: Gateway
    HTTPS field name: Gateway
    LEEF field name: Gateway
    gateway_priority.​value
    (GATEWAY PRIORITY)
    Priority of gateway, retrieved from portal configuration.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGatewayPriority
    EMAIL field name: GatewayPriority
    HTTPS field name: GatewayPriority
    LEEF field name: GatewayPriority
    gateway_selection_type
    (GATEWAY SELECTION TYPE)
    Gateway Selection Method i.e automatic, preferred or manual.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGatewaySelectionType
    EMAIL field name: GatewaySelectionType
    HTTPS field name: GatewaySelectionType
    LEEF field name: GatewaySelectionType
    gpg_location
    (GLOBALPROTECT GATEWAY LOCATION)
    Location of the Global Protect Gateway.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSGlobalProtectGatewayLocation
    EMAIL field name: GlobalProtectGatewayLocation
    HTTPS field name: GlobalProtectGatewayLocation
    LEEF field name: GlobalProtectGatewayLocation
    host_id
    (HOST ID)
    Unique identifier GlobalProtect has assigned to the host.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSHostID
    EMAIL field name: HostID
    HTTPS field name: HostID
    LEEF field name: HostID
    is_dup_log
    (IS DUPLICATE LOG)
    Indicates whether this log data is available in multiple locations, such as from Strata Logging Service as well as from an on-premise log collector.
    CEF field name: PanOSIsDuplicateLog
    EMAIL field name: IsDuplicateLog
    HTTPS field name: IsDuplicateLog
    LEEF field name: IsDuplicateLog
    is_exported
    (LOG EXPORTED)
    Indicates if this log was exported from the firewall using the firewall's log export function.
    CEF field name: PanOSLogExported
    EMAIL field name: LogExported
    HTTPS field name: LogExported
    LEEF field name: LogExported
    is_forwarded
    (LOG FORWARDED)
    Internal-use field that indicates if the log is being forwarded.
    CEF field name: PanOSLogForwarded
    EMAIL field name: LogForwarded
    HTTPS field name: LogForwarded
    LEEF field name: LogForwarded
    is_prisma_branch
    (IS PRISMA NETWORKS)
    Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
    CEF field name: PanOSIsPrismaNetworks
    EMAIL field name: IsPrismaNetworks
    HTTPS field name: IsPrismaNetworks
    LEEF field name: IsPrismaNetworks
    is_prisma_mobile
    (IS PRISMA USERS)
    Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
    CEF field name: PanOSIsPrismaUsers
    EMAIL field name: IsPrismaUsers
    HTTPS field name: IsPrismaUsers
    LEEF field name: IsPrismaUsers
    log_source
    (LOG SOURCE)
    Identifies the origin of the data. That is, the system that produced the data.
    CEF field name: sourceServiceName
    EMAIL field name: LogSource
    HTTPS field name: LogSource
    LEEF field name: LogSource
    log_source_group_id
    (LOG SOURCE GROUP ID)
    ID that uniquely identifies the logSourceGroupId of the log. That is, the log_source_id of the group.
    CEF field name: LogSourceGroupID
    EMAIL field name: LogSourceGroupID
    HTTPS field name: LogSourceGroupID
    LEEF field name: LogSourceGroupID
    log_source_id
    (DEVICE SN)
    ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
    If the log is generated by Prisma Access, the serial number is not displayed.
    Syslog field name: Syslog Field Order
    CEF field name: deviceExternalID
    EMAIL field name: DeviceSN
    HTTPS field name: DeviceSN
    LEEF field name: DeviceSN
    log_source_name
    (DEVICE NAME)
    Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: dvchost
    EMAIL field name: DeviceName
    HTTPS field name: DeviceName
    LEEF field name: DeviceName
    log_source_tz_offset
    (LOG SOURCE TIMEZONE OFFSET)
    Time Zone offset from GMT of the source of the log.
    CEF field name: PanOSLogSourceTimeZoneOffset
    EMAIL field name: LogSourceTimeZoneOffset
    HTTPS field name: LogSourceTimeZoneOffset
    LEEF field name: LogSourceTimeZoneOffset
    log_time
    (TIME RECEIVED)
    Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: rt
    EMAIL field name: TimeReceived
    HTTPS field name: TimeReceived
    LEEF field name: TimeReceived
    log_type.​value
    (LOG TYPE)
    Identifies the log type.
    Syslog field name: Syslog Field Order
    CEF field name: Device Event Class ID
    EMAIL field name: LogType
    HTTPS field name: LogType
    LEEF field name: cat
    login_duration
    (LOGIN DURATION)
    Duration for which the connected user was logged on.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSLoginDuration
    EMAIL field name: LoginDuration
    HTTPS field name: LoginDuration
    LEEF field name: LoginDuration
    opaque
    (DESCRIPTION)
    Additional information regarding the event.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSDescription
    EMAIL field name: Description
    HTTPS field name: Description
    LEEF field name: Description
    panorama_serial
    (PANORAMA SN)
    Panorama Serial associated with CDL.
    CEF field name: PanOSPanoramaSN
    EMAIL field name: PanoramaSN
    HTTPS field name: PanoramaSN
    LEEF field name: PanoramaSN
    platform_type
    (PLATFORM TYPE)
    The platform type (Valid types are VM, PA, NGFW, CNGFW).
    CEF field name: PlatformType
    EMAIL field name: PlatformType
    HTTPS field name: PlatformType
    LEEF field name: PlatformType
    portal
    (PORTAL)
    Global Protect Portal or Gateway that the user connected to.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPortal
    EMAIL field name: Portal
    HTTPS field name: Portal
    LEEF field name: Portal
    private_ip.​value
    (PRIVATE IPV4)
    Private IP address (v4) of the user that connected.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPrivateIPv4
    EMAIL field name: PrivateIPv4
    HTTPS field name: PrivateIPv4
    LEEF field name: PrivateIPv4
    private_ipv6.​value
    (PRIVATE IPV6)
    Private IP address (v6) of the user that connected.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSPrivateIPv6
    EMAIL field name: PrivateIPv6
    HTTPS field name: PrivateIPv6
    LEEF field name: PrivateIPv6
    project_name
    (PROJECT NAME)
    Reserved for future use.
    CEF field name: ProjectName
    EMAIL field name: ProjectName
    HTTPS field name: ProjectName
    LEEF field name: ProjectName
    public_ip.​value
    (PUBLIC IPV4)
    Public IP address (v4) of the user that connected.
    Syslog field name: Syslog Field Order
    CEF field name: src
    EMAIL field name: PublicIPv4
    HTTPS field name: PublicIPv4
    LEEF field name: PublicIPv4
    public_ipv6.​value
    (PUBLIC IPV6)
    Public IP address (v6) of the user that connected.
    Syslog field name: Syslog Field Order
    CEF field name: c6a2
    EMAIL field name: PublicIPv6
    HTTPS field name: PublicIPv6
    LEEF field name: PublicIPv6
    quarantine_reason
    (QUARANTINE REASON)
    Quarantine reason.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSQuarantineReason
    EMAIL field name: QuarantineReason
    HTTPS field name: QuarantineReason
    LEEF field name: QuarantineReason
    sequence_no
    (SEQUENCE NO)
    The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSequenceNo
    EMAIL field name: SequenceNo
    HTTPS field name: SequenceNo
    LEEF field name: SequenceNo
    source_region
    (SOURCE REGION)
    Region of the Gateway (or User) that connected.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSourceRegion
    EMAIL field name: SourceRegion
    HTTPS field name: SourceRegion
    LEEF field name: SourceRegion
    source_user
    (SOURCE USER NAME)
    The username that connected.
    Syslog field name: Syslog Field Order
    CEF field name: suser
    EMAIL field name: SourceUserName
    HTTPS field name: SourceUserName
    LEEF field name: usrName
    source_user_info.​domain
    (SOURCE USER DOMAIN)
    Domain to which the Source User belongs.
    CEF fields: All of the following: sntdom, dntdom
    EMAIL field name: SourceUserDomain
    HTTPS field name: SourceUserDomain
    LEEF field name: SourceUserDomain
    source_user_info.​name
    (SOURCE USER INFO)
    The Source User. That is, the username that initiated the network traffic.
    CEF fields: All of the following: suser, duser
    EMAIL field name: SourceUserName
    HTTPS field name: SourceUserName
    LEEF field name: SourceUserName
    source_user_info.​uuid
    (SOURCE USER UUID)
    Unique identifier assigned to the Source User.
    CEF fields: All of the following: suid, duid
    EMAIL field name: SourceUserUUID
    HTTPS field name: SourceUserUUID
    LEEF field name: SourceUserUUID
    ssl_response_time
    (SSL RESPONSE TIME)
    SSL Response Time in milliseconds.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSSSLResponseTime
    EMAIL field name: SSLResponseTime
    HTTPS field name: SSLResponseTime
    LEEF field name: SSLResponseTime
    stage
    (STAGE)
    Name of the stage in the GlobalProtect connection workflow.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSStage
    EMAIL field name: Stage
    HTTPS field name: Stage
    LEEF field name: Stage
    status.​value
    (EVENT STATUS)
    The status (success or failure) of the event.
    Syslog field name: Syslog Field Order
    CEF field name: outcome
    EMAIL field name: EventStatus
    HTTPS field name: EventStatus
    LEEF field name: EventStatus
    sub_type.​value
    (LOG SUBTYPE)
    Identifies the log subtype.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSLogSubtype
    EMAIL field name: LogSubtype
    HTTPS field name: LogSubtype
    LEEF field name: SubType
    time_generated
    (TIME GENERATED)
    Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
    Syslog field name: Syslog Field Order
    CEF field name: start
    EMAIL field name: TimeGenerated
    HTTPS field name: TimeGenerated
    LEEF field name: devTime
    time_generated_high_res
    (TIME GENERATED HIGH RESOLUTION)
    Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSTimeGeneratedHighResolution
    EMAIL field name: TimeGeneratedHighResolution
    HTTPS field name: TimeGeneratedHighResolution
    LEEF field name: TimeGeneratedHighResolution
    tunnel
    (TUNNEL TYPE)
    Tunnel Type i.e. SSL or VPN.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSTunnelType
    EMAIL field name: TunnelType
    HTTPS field name: TunnelType
    LEEF field name: TunnelType
    vendor_name
    (VENDOR NAME)
    Identifies the vendor that produced the data.
    CEF field name: Device Vendor
    EMAIL field name: VendorName
    HTTPS field name: VendorName
    LEEF field name: Vendor
    vsys
    (VIRTUAL SYSTEM)
    String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSVirtualSystem
    EMAIL field name: VirtualSystem
    HTTPS field name: VirtualSystem
    LEEF field name: VirtualSystem
    vsys_id
    (VIRTUAL SYSTEM ID)
    A unique identifier for a virtual system on a Palo Alto Networks firewall.
    Syslog field name: Syslog Field Order
    CEF field name: PanOSVirtualSystemID
    EMAIL field name: VirtualSystemID
    HTTPS field name: VirtualSystemID
    LEEF field name: VirtualSystemID
    vsys_name
    (VIRTUAL SYSTEM NAME)
    The name of the virtual system associated with the network traffic.
    Syslog field name: Syslog Field Order
    CEF field name: cs3
    EMAIL field name: VirtualSystemName
    HTTPS field name: VirtualSystemName
    LEEF field name: VirtualSystemName

    © 2024 Palo Alto Networks, Inc. All rights reserved.