Configure Custom Reports for GlobalProtect in PAN-OS

You can configure custom reports for GlobalProtect in PAN-OS.
You can configure custom reports based on GlobalProtect logs that the firewall generates immediately (on demand) or on schedule (each night).
  1. Select
    Monitor
    Manage Custom Reports
    .
  2. Click
    Add
    and then enter a
    Name
    for the report.
  3. To base a report on an predefined template, click
    Load Template
    and choose the template. You can then edit the template and save it as a custom report.
  4. If you choose to build the report from scratch, select the database you want to use for the report as
    Device GlobalProtect Log
    .
  5. Select the
    Scheduled
    check box to run the report each night. The report is then available for viewing in the
    Reports
    column on the side.
  6. Define the filtering criteria. Select the
    Time Frame
    , the
    Sort By
    order,
    Group By
    preference, and select the columns that must display in the report.
  7. (
    Optional
    ) Select the
    Query Builder
    attributes if you want to further refine the selection criteria. To build a report query, specify the following and click
    Add
    . Repeat as needed to construct the full query.
    • Connector
      —Choose the connector (and/or) to precede the expression you are adding.
    • Negate
      —Select the check box to interpret the query as a negation. If, for example, you choose to match entries in the last 24 hours and/or are originating from the untrust zone, the negate option causes a match on entries that are not in the past 24 hours and/or are not from the untrust zone.
    • Attribute
      —Choose a data element. The available options depend on the choice of database.
    • Operator
      —Choose the criterion to determine whether the attribute applies (such as =). The available options depend on the choice of database.
    • Value
      —Specify the attribute value to match.
    For example, to build a report for GlobalProtect portal users with unsuccessful login attempts, use a query similar to the following:
    ((eventid eq 'portal-prelogin') or (eventid eq 'portal-auth') or (eventid eq 'portal-gen-cookie') or (eventid eq 'portal-getconfig')) and (status eq 'failure')
  8. To test the report settings, select
    Run Now
    . Modify the settings as required to change the information that is displayed in the report.
  9. Click
    OK
    to save the custom report.

Recommended For You