GlobalProtect

GlobalProtect logs record network traffic between a GlobalProtect portal or gateway and GlobalProtect apps.
The table below lists each field, its display name, its description, and its name in each supported log format:
GLOBALPROTECT Field (Display Name)
Description
attempted_gateways
(ATTEMPTED GATEWAYS)
String of all gateways that were available and attempted for the client location. Contains the gateway name, SSL response time, and priority, separated by a semicolon.
Syslog field name: Syslog Field Order
CEF field name: PanOSAttemptedGateways
EMAIL field name: AttemptedGateways
HTTPS field name: AttemptedGateways
LEEF field name: AttemptedGateways
auth_method
(AUTH METHOD)
Authentication method used for the GlobalProtect connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSAuthMethod
EMAIL field name: AuthMethod
HTTPS field name: AuthMethod
LEEF field name: AuthMethod
config_version.value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
connect_method
(CONNECTION METHOD)
Identifies how the GlobalProtect app connected to the gateway. For example, on-demand or user-logon.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionMethod
EMAIL field name: ConnectionMethod
HTTPS field name: ConnectionMethod
LEEF field name: ConnectionMethod
connection_error.id
(CONNECTION ERROR ID)
Enumeration integer assigned to the connection_error field value.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionErrorID
EMAIL field name: ConnectionErrorID
HTTPS field name: ConnectionErrorID
LEEF field name: ConnectionErrorID
connection_error.value
(CONNECTION ERROR)
Error information for unsuccessful connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSConnectionError
EMAIL field name: ConnectionError
HTTPS field name: ConnectionError
LEEF field name: ConnectionError
count_of_repeats
(COUNT OF REPEATS)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: PanOSCountOfRepeats
EMAIL field name: CountOfRepeats
HTTPS field name: CountOfRepeats
LEEF field name: CountOfRepeats
customer_id
(TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSTenantID
EMAIL field name: TenantID
HTTPS field name: TenantID
LEEF field name: TenantID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
endpoint_device_name
(ENDPOINT DEVICE NAME)
Name of the device that the user used for the connection.
Syslog field name: Syslog Field Order
CEF field name: shost
EMAIL field name: EndpointDeviceName
HTTPS field name: EndpointDeviceName
LEEF field name: EndpointDeviceName
endpoint_gp_version
(GLOBALPROTECT CLIENT VERSION)
GlobalProtect client version number.
Syslog field name: Syslog Field Order
EMAIL field name: GlobalProtectClientVersion
HTTPS field name: GlobalProtectClientVersion
endpoint_os_type
(ENDPOINT OS TYPE)
OS type of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSType
EMAIL field name: EndpointOSType
HTTPS field name: EndpointOSType
LEEF field name: EndpointOSType
endpoint_os_version
(ENDPOINT OS VERSION)
OS version of the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointOSVersion
EMAIL field name: EndpointOSVersion
HTTPS field name: EndpointOSVersion
LEEF field name: EndpointOSVersion
endpoint_serial_number
(ENDPOINT SN)
ID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
Syslog field name: Syslog Field Order
CEF field name: PanOSEndpointSN
EMAIL field name: EndpointSN
HTTPS field name: EndpointSN
LEEF field name: EndpointSN
event_id.value
(EVENT ID VALUE)
The name of the event.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: EventIDValue
HTTPS field name: EventIDValue
LEEF field name: EventID
gateway
(GATEWAY)
Selected Gateway for the connection.
Syslog field name: Syslog Field Order
CEF field name: PanOSGateway
EMAIL field name: Gateway
HTTPS field name: Gateway
LEEF field name: Gateway
gateway_priority.value
(GATEWAY PRIORITY)
Priority of gateway, retrieved from portal configuration.
Syslog field name: Syslog Field Order
CEF field name: PanOSGatewayPriority
EMAIL field name: GatewayPriority
HTTPS field name: GatewayPriority
LEEF field name: GatewayPriority
gateway_selection_type
(GATEWAY SELECTION TYPE)
Gateway selection method, i.e. automatic, preferred, or manual.
Syslog field name: Syslog Field Order
EMAIL field name: GatewaySelectionType
HTTPS field name: GatewaySelectionType
LEEF field name: GatewaySelectionType
gpg_location
(GLOBALPROTECT GATEWAY LOCATION)
Location of the GlobalProtect gateway.
Syslog field name: Syslog Field Order
host_id
(HOST ID)
Unique identifier GlobalProtect has assigned to the host.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: HostID
HTTPS field name: HostID
LEEF field name: HostID
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_prisma_branch
(IS PRISMA NETWORKS)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetworks
EMAIL field name: IsPrismaNetworks
HTTPS field name: IsPrismaNetworks
LEEF field name: IsPrismaNetworks
is_prisma_mobile
(IS PRISMA USERS)
Internal-use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: sourceServiceName
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
login_duration
(LOGIN DURATION)
Duration for which the connected user was logged on.
Syslog field name: Syslog Field Order
CEF field name: PanOSLoginDuration
EMAIL field name: LoginDuration
HTTPS field name: LoginDuration
LEEF field name: LoginDuration
opaque
(DESCRIPTION)
Additional information regarding the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSDescription
EMAIL field name: Description
HTTPS field name: Description
LEEF field name: Description
portal
(PORTAL)
GlobalProtect portal or gateway that the user connected to.
Syslog field name: Syslog Field Order
CEF field name: PanOSPortal
EMAIL field name: Portal
HTTPS field name: Portal
LEEF field name: Portal
private_ip.value
(PRIVATE IP (V4))
Private IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv4
EMAIL field name: PrivateIPv4
HTTPS field name: PrivateIPv4
LEEF field name: PrivateIPv4
private_ipv6.value
(PRIVATE IP (V6))
Private IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSPrivateIPv6
EMAIL field name: PrivateIPv6
HTTPS field name: PrivateIPv6
LEEF field name: PrivateIPv6
public_ip.value
(PUBLIC IP (V4))
Public IP address (v4) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: src
EMAIL field name: PublicIPv4
HTTPS field name: PublicIPv4
LEEF field name: PublicIPv4
public_ipv6.value
(PUBLIC IP (V6))
Public IP address (v6) of the user that connected.
Syslog field name: Syslog Field Order
CEF field name: c6a2
EMAIL field name: PublicIPv6
HTTPS field name: PublicIPv6
LEEF field name: PublicIPv6
quarantine_reason
(QUARANTINE REASON)
Quarantine reason.
Syslog field name: Syslog Field Order
CEF field name: PanOSQuarantineReason
EMAIL field name: QuarantineReason
HTTPS field name: QuarantineReason
LEEF field name: QuarantineReason
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: PanOSSequenceNo
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
source_region
(SOURCE REGION)
Region of the Gateway (or User) that connected.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceRegion
EMAIL field name: SourceRegion
HTTPS field name: SourceRegion
LEEF field name: SourceRegion
source_user
(SOURCE USER NAME)
The username that connected.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: usrName
source_user_info.domain
(SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF fields: All of the following: sntdom, dntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain
source_user_info.name
(SOURCE USER INFO)
The Source User. That is, the username that initiated the network traffic.
CEF fields: All of the following: suser, duser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName
source_user_info.uuid
(SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF fields: All of the following: suid, duid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID
ssl_response_time
(SSL RESPONSE TIME)
SSL Response Time in milliseconds.
Syslog field name: Syslog Field Order
CEF field name: PanOSSSLResponseTime
EMAIL field name: SSLResponseTime
HTTPS field name: SSLResponseTime
LEEF field name: SSLResponseTime
stage
(STAGE)
Name of the stage in the GlobalProtect connection workflow.
Syslog field name: Syslog Field Order
CEF field name: PanOSStage
EMAIL field name: Stage
HTTPS field name: Stage
LEEF field name: Stage
status.value
(EVENT STATUS)
The status (success or failure) of the event.
Syslog field name: Syslog Field Order
CEF field name: outcome
EMAIL field name: EventStatus
HTTPS field name: EventStatus
LEEF field name: EventStatus
sub_type.value
(LOG SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: PanOSLogSubtype
EMAIL field name: LogSubtype
HTTPS field name: LogSubtype
LEEF field name: SubType
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
tunnel
(TUNNEL TYPE)
Tunnel type, i.e. SSL or VPN.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelType
EMAIL field name: TunnelType
HTTPS field name: TunnelType
LEEF field name: TunnelType
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vsys
(VIRTUAL SYSTEM)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystem
EMAIL field name: VirtualSystem
HTTPS field name: VirtualSystem
LEEF field name: VirtualSystem
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName
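The following is an added example, not code from the Palo Alto Networks documentation, showing how a log consumer would normalize a GlobalProtect record using the HTTPS field names from the table above: it converts the microsecond Unix-epoch timestamps to UTC, splits the semicolon-separated AttemptedGateways string, and flags events whose EventStatus is not success. The record is constructed, and the comma as the separator between name, SSL response time and priority within each gateway entry is an assumption.

```python
from __future__ import annotations
import json
from datetime import datetime, timedelta, timezone

# Constructed sample record; keys are the HTTPS field names from the table.
# Assumption: within AttemptedGateways each ';'-separated entry holds
# "name,ssl_response_ms,priority" (the comma separator is assumed).
SAMPLE_RECORD = json.dumps({
    "LogType": "GLOBALPROTECT",
    "EventIDValue": "gateway-auth",
    "Stage": "login",
    "EventStatus": "failure",
    "SourceUserName": "jdoe",
    "EndpointDeviceName": "LAPTOP-01",
    "Gateway": "gw-east",
    "AttemptedGateways": "gw-east,42,1;gw-west,87,2",
    "ConnectionError": "Invalid username or password",
    "TimeReceived": "1700000000000000",   # microseconds since the Unix epoch
})

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_micros_to_utc(value: str) -> datetime:
    """TimeReceived / TimeGenerated are strings holding microseconds since the epoch."""
    return _EPOCH + timedelta(microseconds=int(value))


def parse_attempted_gateways(field: str) -> list[dict]:
    """Split the AttemptedGateways string into one dict per gateway tried."""
    gateways = []
    for entry in filter(None, field.split(";")):
        parts = entry.split(",")
        if len(parts) != 3:
            raise ValueError(f"unexpected gateway entry: {entry!r}")
        name, ssl_ms, priority = (p.strip() for p in parts)
        gateways.append({"name": name, "ssl_response_ms": int(ssl_ms), "priority": int(priority)})
    return gateways


def summarize(raw: str) -> dict:
    """Normalize one JSON record into the fields a SOC analyst triages first."""
    rec = json.loads(raw)
    return {
        "user": rec["SourceUserName"],
        "device": rec["EndpointDeviceName"],
        "stage": rec["Stage"],
        "event": rec["EventIDValue"],
        "failed": rec["EventStatus"].lower() != "success",
        "error": rec.get("ConnectionError", ""),
        "received_utc": epoch_micros_to_utc(rec["TimeReceived"]).isoformat(),
        "gateways": parse_attempted_gateways(rec.get("AttemptedGateways", "")),
    }
```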