GlobalProtect App Log Collection for Troubleshooting

Software Support: Starting with GlobalProtect™ app 5.2.5 with Content Release version 8350-14191 or later.
OS Support: Windows, macOS, Android, iOS, and Linux
With Prisma Access and next-generation firewall deployments, you can now quickly resolve mobile user connection, performance, and access issues. The GlobalProtect app can be configured to send troubleshooting and diagnostic logs from the end user’s endpoint to Cortex Data Lake for further analysis. When the end user reports an issue from the GlobalProtect app (upon user request), the app can generate and send an easy-to-read, comprehensive report to help you quickly identify the root cause of the remote end user’s issue. Additionally, the GlobalProtect app can run end-to-end diagnostic tests to probe the state and performance of the network connection and the performance of specific web applications from the remote end user’s endpoint. This results in faster resolution of remote end user issues, increases productivity, and optimizes the user experience for the remote end user.

End users can now report an issue from their endpoint directly to Cortex Data Lake, which the administrator can access, without manually collecting and sending the GlobalProtect app logs, for example, through email or by storing them on a cloud drive.

If end users consent to run diagnostic tests and to include diagnostic logs on the GlobalProtect app, the troubleshooting log bundle and diagnostic logs are sent to Cortex Data Lake from their endpoint so you can review them easily using the Explore app on the hub. If end users do not consent to run diagnostic tests and to include diagnostic logs and troubleshooting logs on the GlobalProtect app, only troubleshooting reports without the troubleshooting log bundle are sent to Cortex Data Lake from their endpoint for further analysis.
For example, if you want to run diagnostic tests for HTTPS-based destination URLs that can contain IP addresses or fully qualified domain names (for example, https://10.10.10.10/resource.html, https://webserver/file.pdf, or https://google.com) to determine whether there is an issue with latency or network performance, you can configure these HTTPS-based destination URLs that are critical to your end user’s productivity by enabling the GlobalProtect app log collection for troubleshooting on the portal. By default, the GlobalProtect app log collection for troubleshooting is disabled, and as a result, end users cannot send troubleshooting and diagnostic logs to Cortex Data Lake from their endpoint. They would have to manually collect and send the GlobalProtect app logs to the administrator for troubleshooting and debugging purposes.
The following diagram illustrates the workflow for sending the GlobalProtect app troubleshooting reports and diagnostic logs from the end user’s endpoint to Cortex Data Lake:
Before you begin to enable the GlobalProtect app log collection for troubleshooting and to view the GlobalProtect app troubleshooting and diagnostic log records on the Explore app, follow these recommendations to communicate:
  • Purchase a Cortex Data Lake license for the volume of logs in your GlobalProtect deployment and log in to the Explore app on the hub.
  • Use the Cortex Data Lake logging infrastructure to manage the delivery mechanism of the GlobalProtect app troubleshooting and diagnostic logs.
  • Use the Cortex Sizing Calculator to calculate the amount of storage you need in Cortex Data Lake.
  • Obtain the Panorama and Cloud Services plugin and upgrade to cloud services plugin version 1.8, cloud services plugin 2.0 Preferred, or cloud services plugin 2.0 Innovation.
  • Retrieve the Cortex Data Lake certificate.
  • Purchase and install a GlobalProtect subscription license on each gateway. For more information on licensing, see About GlobalProtect Licenses.
Complete the following steps for enabling the GlobalProtect app log collection for troubleshooting:
