GlobalProtect
GlobalProtect logs record the connection activity between a GlobalProtect portal or gateway and GlobalProtect apps.

The table below lists every field with the name it carries in each supported log format. Syslog output is positional rather than named: "yes" in the Syslog column means the field appears at the position given in the Syslog Field Order, and a blank cell in any column means no field name is defined for that format. Note that log_time and time_generated are strings of microseconds since the Unix epoch even where they map to the CEF keys rt and start, which the CEF specification defines in milliseconds; scale accordingly before parsing.
| Field (Display Name) | Description | Syslog | CEF | EMAIL | HTTPS | LEEF |
|---|---|---|---|---|---|---|
| attempted_gateways (ATTEMPTED GATEWAYS) | String listing every gateway that was available and attempted for the client location. Contains the gateway name, SSL response time, and priority, separated by semicolons. | yes | PanOSAttemptedGateways | AttemptedGateways | AttemptedGateways | AttemptedGateways |
| auth_method (AUTH METHOD) | Authentication method used for the GlobalProtect connection. | yes | PanOSAuthMethod | AuthMethod | AuthMethod | AuthMethod |
| config_version.value (CONFIG VERSION) | Version number of the firewall operating system that wrote this log record. | yes | PanOSConfigVersion | ConfigVersion | ConfigVersion | ConfigVersion |
| connect_method (CONNECTION METHOD) | How the GlobalProtect app connected to the gateway, for example on-demand or user-logon. | yes | PanOSConnectionMethod | ConnectionMethod | ConnectionMethod | ConnectionMethod |
| connection_error.id (CONNECTION ERROR ID) | Enumeration integer assigned to the connection_error value. | yes | PanOSConnectionErrorID | ConnectionErrorID | ConnectionErrorID | ConnectionErrorID |
| connection_error.value (CONNECTION ERROR) | Error information for an unsuccessful connection. | yes | PanOSConnectionError | ConnectionError | ConnectionError | ConnectionError |
| count_of_repeats (COUNT OF REPEATS) | Number of sessions with the same source IP, destination IP, application, and content/threat type seen during the summary interval. | yes | PanOSCountOfRepeats | CountOfRepeats | CountOfRepeats | CountOfRepeats |
| customer_id (TENANT ID) | ID that uniquely identifies the Cortex Data Lake instance that received this log record. | | PanOSTenantID | TenantID | TenantID | TenantID |
| dg_hier_level_1 (DG HIERARCHY LEVEL 1) | Sequence of identification numbers that indicate the device group's location within the device group hierarchy. | yes | PanOSDGHierarchyLevel1 | DGHierarchyLevel1 | DGHierarchyLevel1 | DGHierarchyLevel1 |
| dg_hier_level_2 (DG HIERARCHY LEVEL 2) | Sequence of identification numbers that indicate the device group's location within the device group hierarchy. | yes | PanOSDGHierarchyLevel2 | DGHierarchyLevel2 | DGHierarchyLevel2 | DGHierarchyLevel2 |
| dg_hier_level_3 (DG HIERARCHY LEVEL 3) | Sequence of identification numbers that indicate the device group's location within the device group hierarchy. | yes | PanOSDGHierarchyLevel3 | DGHierarchyLevel3 | DGHierarchyLevel3 | DGHierarchyLevel3 |
| dg_hier_level_4 (DG HIERARCHY LEVEL 4) | Sequence of identification numbers that indicate the device group's location within the device group hierarchy. | yes | PanOSDGHierarchyLevel4 | DGHierarchyLevel4 | DGHierarchyLevel4 | DGHierarchyLevel4 |
| endpoint_device_name (ENDPOINT DEVICE NAME) | Name of the device the user connected from. | yes | shost | EndpointDeviceName | EndpointDeviceName | EndpointDeviceName |
| endpoint_gp_version (GLOBALPROTECT CLIENT VERSION) | GlobalProtect client version number. | yes | PanOSGlobalProtectClientVersion | GlobalProtectClientVersion | GlobalProtectClientVersion | GlobalProtectClientVersion |
| endpoint_os_type (ENDPOINT OS TYPE) | OS type of the endpoint on which the GlobalProtect client runs. | yes | PanOSEndpointOSType | EndpointOSType | EndpointOSType | EndpointOSType |
| endpoint_os_version (ENDPOINT OS VERSION) | OS version of the endpoint on which the GlobalProtect client runs. | yes | PanOSEndpointOSVersion | EndpointOSVersion | EndpointOSVersion | EndpointOSVersion |
| endpoint_serial_number (ENDPOINT SN) | ID that uniquely identifies the endpoint on which the GlobalProtect client runs. | yes | PanOSEndpointSN | EndpointSN | EndpointSN | EndpointSN |
| event_id.value (EVENT ID VALUE) | Name of the event. | yes | Name | EventIDValue | EventIDValue | EventID |
| gateway (GATEWAY) | Gateway selected for the connection. | yes | PanOSGateway | Gateway | Gateway | Gateway |
| gateway_priority.value (GATEWAY PRIORITY) | Priority of the gateway, taken from the portal configuration. | yes | PanOSGatewayPriority | GatewayPriority | GatewayPriority | GatewayPriority |
| gateway_selection_type (GATEWAY SELECTION TYPE) | Gateway selection method: automatic, preferred, or manual. | yes | PanOSGatewaySelectionType | GatewaySelectionType | GatewaySelectionType | GatewaySelectionType |
| gpg_location (GLOBALPROTECT GATEWAY LOCATION) | Location of the GlobalProtect gateway. | yes | PanOSGlobalProtectGatewayLocation | GlobalProtectGatewayLocation | GlobalProtectGatewayLocation | GlobalProtectGatewayLocation |
| host_id (HOST ID) | Unique identifier that GlobalProtect assigned to the host. | yes | PanOSHostID | HostID | HostID | HostID |
| is_dup_log (IS DUPLICATE LOG) | Indicates whether this log is also available in another location, for example in Cortex Data Lake as well as in an on-premise log collector. | | PanOSIsDuplicateLog | IsDuplicateLog | IsDuplicateLog | IsDuplicateLog |
| is_exported (LOG EXPORTED) | Indicates whether this log was exported from the firewall using the firewall's log export function. | | PanOSLogExported | LogExported | LogExported | LogExported |
| is_forwarded (LOG FORWARDED) | Internal-use field that indicates whether the log is being forwarded. | | PanOSLogForwarded | LogForwarded | LogForwarded | LogForwarded |
| is_prisma_branch (IS PRISMA NETWORKS) | Internal-use field. 1 if the log was generated on a cloud-based firewall; 0 if the firewall runs on-premise. | | PanOSIsPrismaNetworks | IsPrismaNetworks | IsPrismaNetworks | IsPrismaNetworks |
| is_prisma_mobile (IS PRISMA USERS) | Internal-use field. 1 if the log record was generated by a cloud-based GlobalProtect instance; 0 if GlobalProtect is hosted on-premise. | | PanOSIsPrismaUsers | IsPrismaUsers | IsPrismaUsers | IsPrismaUsers |
| log_source (LOG SOURCE) | Origin of the data, that is, the system that produced it. | | sourceServiceName | LogSource | LogSource | LogSource |
| log_source_group_id (LOG SOURCE GROUP ID) | ID of the Cloud NGFW resource. | | LogSourceGroupID | LogSourceGroupID | LogSourceGroupID | LogSourceGroupID |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated it. Not displayed when the log is generated by Prisma Access. | yes | deviceExternalID | DeviceSN | DeviceSN | DeviceSN |
| log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the traffic. | yes | dvchost | DeviceName | DeviceName | DeviceName |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the log source. | | PanOSLogSourceTimeZoneOffset | LogSourceTimeZoneOffset | LogSourceTimeZoneOffset | LogSourceTimeZoneOffset |
| log_time (TIME RECEIVED) | Time the log was received in Cortex Data Lake, as a string holding the number of microseconds since the Unix epoch. | yes | rt | TimeReceived | TimeReceived | TimeReceived |
| log_type.value (LOG TYPE) | Identifies the log type. | yes | Device Event Class ID | LogType | LogType | cat |
| login_duration (LOGIN DURATION) | Duration for which the connected user was logged on. | yes | PanOSLoginDuration | LoginDuration | LoginDuration | LoginDuration |
| opaque (DESCRIPTION) | Additional information about the event. | yes | PanOSDescription | Description | Description | Description |
| panorama_serial (PANORAMA SN) | Serial number of the Panorama associated with Cortex Data Lake. | | PanOSPanoramaSN | PanoramaSN | PanoramaSN | PanoramaSN |
| portal (PORTAL) | GlobalProtect portal or gateway that the user connected to. | yes | PanOSPortal | Portal | Portal | Portal |
| private_ip.value (PRIVATE IP (V4)) | Private IPv4 address of the user that connected. | yes | PanOSPrivateIPv4 | PrivateIPv4 | PrivateIPv4 | PrivateIPv4 |
| private_ipv6.value (PRIVATE IP (V6)) | Private IPv6 address of the user that connected. | yes | PanOSPrivateIPv6 | PrivateIPv6 | PrivateIPv6 | PrivateIPv6 |
| public_ip.value (PUBLIC IP (V4)) | Public IPv4 address of the user that connected. | yes | src | PublicIPv4 | PublicIPv4 | PublicIPv4 |
| public_ipv6.value (PUBLIC IP (V6)) | Public IPv6 address of the user that connected. | yes | c6a2 | PublicIPv6 | PublicIPv6 | PublicIPv6 |
| quarantine_reason (QUARANTINE REASON) | Reason the device was quarantined. | yes | PanOSQuarantineReason | QuarantineReason | QuarantineReason | QuarantineReason |
| sequence_no (SEQUENCE NO) | Log entry identifier, incremented sequentially. Each log type has its own number space. | yes | PanOSSequenceNo | SequenceNo | SequenceNo | SequenceNo |
| source_region (SOURCE REGION) | Region of the gateway (or user) that connected. | yes | PanOSSourceRegion | SourceRegion | SourceRegion | SourceRegion |
| source_user (SOURCE USER NAME) | Username that connected. | yes | suser | SourceUserName | SourceUserName | usrName |
| source_user_info.domain (SOURCE USER DOMAIN) | Domain to which the source user belongs. | | | SourceUserDomain | SourceUserDomain | SourceUserDomain |
| source_user_info.name (SOURCE USER INFO) | The source user, that is, the username that initiated the network traffic. | | | SourceUserName | SourceUserName | SourceUserName |
| source_user_info.uuid (SOURCE USER UUID) | Unique identifier assigned to the source user. | | | SourceUserUUID | SourceUserUUID | SourceUserUUID |
| ssl_response_time (SSL RESPONSE TIME) | SSL response time in milliseconds. | yes | PanOSSSLResponseTime | SSLResponseTime | SSLResponseTime | SSLResponseTime |
| stage (STAGE) | Name of the stage in the GlobalProtect connection workflow. | yes | PanOSStage | Stage | Stage | Stage |
| status.value (EVENT STATUS) | Status (success or failure) of the event. | yes | outcome | EventStatus | EventStatus | EventStatus |
| sub_type.value (LOG SUBTYPE) | Identifies the log subtype. | yes | PanOSLogSubtype | LogSubtype | LogSubtype | SubType |
| time_generated (TIME GENERATED) | Time the log was generated on the firewall's data plane, as a string holding the number of microseconds since the Unix epoch. | yes | start | TimeGenerated | TimeGenerated | devTime |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane, with sub-second precision, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. | yes | PanOSTimeGeneratedHighResolution | TimeGeneratedHighResolution | TimeGeneratedHighResolution | TimeGeneratedHighResolution |
| tunnel (TUNNEL TYPE) | Tunnel type, for example SSL or IPSec. | yes | PanOSTunnelType | TunnelType | TunnelType | TunnelType |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. | | Device Vendor | VendorName | VendorName | Vendor |
| vsys (VIRTUAL SYSTEM) | String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall. | yes | PanOSVirtualSystem | VirtualSystem | VirtualSystem | VirtualSystem |
| vsys_id (VIRTUAL SYSTEM ID) | Unique identifier for a virtual system on a Palo Alto Networks firewall. | yes | PanOSVirtualSystemID | VirtualSystemID | VirtualSystemID | VirtualSystemID |
| vsys_name (VIRTUAL SYSTEM NAME) | Name of the virtual system associated with the network traffic. | yes | cs3 | VirtualSystemName | VirtualSystemName | VirtualSystemName |
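Worked example, added here by the editor and not part of the original page or of any Palo Alto Networks code: a parser for records laid out as the CEF column of the table describes (header positions Device Vendor, Device Event Class ID and Name, then the extension keys such as suser, src, shost, outcome, PanOSStage and PanOSConnectionError), followed by three detections a SOC would run over GlobalProtect authentication events. The sample records are constructed; the header Name value gateway-auth and the stage values login and logout are assumed for illustration, and rt is treated as microseconds since the Unix epoch as the log_time row states.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample GlobalProtect records in CEF layout (not real telemetry).
# Extension keys are the CEF names from the table above; the header Name value
# "gateway-auth" and the stage values "login"/"logout" are assumed for illustration.
HDR = "CEF:0|Palo Alto Networks|PAN-OS|10.2.0|globalprotect|gateway-auth|3|"
ERR = " PanOSConnectionError=Invalid username or password"
SAMPLE_CEF = [
    HDR + "rt=1700000000000000 dvchost=fw-edge-1 suser=alice src=203.0.113.10 "
          "shost=ALICE-LAPTOP PanOSStage=login outcome=success PanOSAuthMethod=LDAP PanOSGateway=gw-east",
    HDR + "rt=1700000060000000 dvchost=fw-edge-1 suser=bob src=198.51.100.7 "
          "shost=WIN10-VM PanOSStage=login outcome=failure PanOSGateway=gw-east" + ERR,
    HDR + "rt=1700000090000000 dvchost=fw-edge-1 suser=carol src=198.51.100.7 "
          "shost=WIN10-VM PanOSStage=login outcome=failure PanOSGateway=gw-east" + ERR,
    HDR + "rt=1700000120000000 dvchost=fw-edge-1 suser=alice src=198.51.100.7 "
          "shost=WIN10-VM PanOSStage=login outcome=failure PanOSGateway=gw-east" + ERR,
    HDR + "rt=1700000150000000 dvchost=fw-edge-1 suser=alice src=198.51.100.7 "
          "shost=WIN10-VM PanOSStage=login outcome=failure PanOSGateway=gw-east" + ERR,
    HDR + "rt=1700000200000000 dvchost=fw-edge-1 suser=alice src=198.51.100.7 "
          "shost=WIN10-VM PanOSStage=login outcome=success PanOSGateway=gw-east",
    HDR + "rt=1700000400000000 dvchost=fw-edge-1 suser=alice src=203.0.113.10 "
          "shost=ALICE-LAPTOP PanOSStage=logout outcome=success PanOSLoginDuration=400",
]

# The seven CEF header positions, named after the table rows that map onto them
# (Device Vendor -> vendor_name, Device Event Class ID -> log_type, Name -> event_id).
HEADER_FIELDS = ("cef_version", "vendor_name", "device_product", "device_version",
                 "log_type", "event_id", "severity")


def _unescape(value):
    """Undo the CEF escapes for '=', '|' and backslash inside an extension value."""
    return value.replace("\\=", "=").replace("\\|", "|").replace("\\\\", "\\")


def parse_cef(line):
    """Split one CEF record into a dict of header fields plus extension key=value pairs."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)   # split on unescaped pipes only
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF record: %r" % line[:40])
    record = dict(zip(HEADER_FIELDS, parts[:7]))
    record["cef_version"] = parts[0][len("CEF:"):]
    # Extension values may contain spaces (PanOSConnectionError does), so split only
    # at a space that is immediately followed by the next "key=" token.
    for token in re.split(r" (?=\w+=)", parts[7]):
        key, _, value = token.partition("=")
        record[key] = _unescape(value)
    return record


def received_seconds(record):
    """rt carries the receive time as microseconds since the Unix epoch (log_time row)."""
    return int(record["rt"]) / 1_000_000


def login_events(records):
    return [r for r in records if r.get("PanOSStage") == "login"]


def failure_bursts(records, threshold=3, window_s=600):
    """Sources with >= threshold failed logins inside any window_s span (credential guessing).
    Returns {src: total failures} for each source that produced such a burst."""
    failures = defaultdict(list)
    for r in login_events(records):
        if r.get("outcome") == "failure":
            failures[r["src"]].append(received_seconds(r))
    hits = {}
    for src, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window_s:
                hits[src] = len(times)
                break
    return hits


def success_after_failures(records, min_failures=3, window_s=600):
    """Successful login from a source that produced min_failures failures just before it:
    the guess that landed. Returns [(src, user, time_iso, prior_failures)]."""
    events = sorted(login_events(records), key=received_seconds)
    alerts = []
    for r in events:
        if r.get("outcome") != "success":
            continue
        t = received_seconds(r)
        prior = [e for e in events if e["src"] == r["src"] and e.get("outcome") == "failure"
                 and 0 <= t - received_seconds(e) <= window_s]
        if len(prior) >= min_failures:
            when = datetime.fromtimestamp(t, tz=timezone.utc).isoformat()
            alerts.append((r["src"], r["suser"], when, len(prior)))
    return alerts


def users_on_multiple_devices(records):
    """Users whose successful logins came from more than one endpoint device (shost)."""
    devices = defaultdict(set)
    for r in login_events(records):
        if r.get("outcome") == "success":
            devices[r["suser"]].add(r["shost"])
    return {user: sorted(hosts) for user, hosts in devices.items() if len(hosts) > 1}


RECORDS = [parse_cef(line) for line in SAMPLE_CEF]

if __name__ == "__main__":
    print("failure bursts:", failure_bursts(RECORDS))
    print("success after failures:", success_after_failures(RECORDS))
    print("users on multiple devices:", users_on_multiple_devices(RECORDS))
```

The detections key on stage and outcome rather than on event names, because the stage and status rows are the ones the table defines as fixed vocabularies; the logout record is filtered out by the stage check so its success outcome does not count as an authentication. Swapping the constructed lines for a real feed means only changing SAMPLE_CEF; the third detection also pairs naturally with endpoint_serial_number (PanOSEndpointSN) when that field is populated, since shost is under the client's control.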