1. Home
    2. GlobalProtect
    3. GlobalProtect Administrator's Guide
    4. GlobalProtect Architecture
    5. GlobalProtect Reference Architecture Features
    6. Logging for GlobalProtect in PAN-OS
    7. Event Descriptions for the GlobalProtect Logs in PAN-OS

    Event Descriptions for the GlobalProtect Logs in PAN-OS

    Event descriptions for the GlobalProtect portal, gateway, and Clientless VPN logs in PAN-OS.
    Use the following descriptions to help you to identify GlobalProtect portal, gateway, or Clientless VPN events when viewing GlobalProtect logs in PAN-OS at
    Monitor
    Logs
    GlobalProtect
    :

    Portal Event Details

    The following table describes log events related to the GlobalProtect portal.
    Event
    Description
    portal-auth
    Indicates a GlobalProtect portal authentication stage. See Status for results.
    portal-gen-cookie
    Indicates a GlobalProtect portal authentication override cookie generation event. See Status for results.
    portal-getconfig
    Indicates a GlobalProtect portal event for generating GlobalProtect client configuration, such as dynamic app configuration or gateway list.
    portal-prelogin
    Indicates a GlobalProtect portal pre-login event. As a part of the event, the GlobalProtect client does the following:
    • Certificate: validates whether a client certificate is valid.
    • SAML: generates a SAML request and sends it back to a GlobalProtect client.
    • Kerberos: triggers a Kerberos authentication process.

    Gateway Event Details

    The following table describes log events related to the GlobalProtect gateway.
    Event
    Description
    gateway-agent-msg
    Indicates a GlobalProtect gateway event for a message received from the GlobalProtect client, such as GlobalProtect client disable reason message.
    gateway-auth
    Indicates GlobalProtect gateway authentication stage. See Status for results.
    gateway-config-release
    Indicates a GlobalProtect gateway event for configuration release, such as remove ip-user mapping or remove tunnel.
    gateway-connected
    Indicates a GlobalProtect gateway event for a GlobalProtect client successful connection for tunnel or non-tunnel mode.
    gateway-framed-ip
    Indicates a GlobalProtect gateway event where the gateway retrieved a framed IPv4 address from RADIUS for a GlobalProtect client.
    gateway-getconfig
    Indicates a GlobalProtect gateway event for generating GlobalProtect client configuration, such as split-tunnel, virtual IP, or tunnel information.
    gateway-hip-check
    Indicates a GlobalProtect gateway event to confirm whether a GlobalProtect HIP report was updated or not, and to refresh ip-user mapping. Refer to the description for latency reported information. Examples include items such as HIP report is not needed or HIP report is needed.
    gateway-hip-report
    Indicates a GlobalProtect gateway event to confirm whether a HIP report was received from a GlobalProtect client, to update ip-user mapping, and to enforce HIP policy.
    gateway-inheritance
    Indicates a GlobalProtect gateway event where a GlobalProtect gateway is using a dynamic IP address and the IP address changed.
    gateway-logout
    Indicates a GlobalProtect gateway event for a GlobalProtect client logout.
    gateway-prelogin
    Indicates a GlobalProtect gateway event. As a part of the event, the GlobalProtect client does the following:
    • Certificate: validates whether a client certificate is valid.
    • SAML: generates a SAML request and sends it back to a GlobalProtect client.
    • Kerberos: triggers a Kerberos authentication process.
    gateway-register
    Indicates GlobalProtect client user information, such as username, domain-name, computer name, hostid, serial number, public ip, or login time is added on the gateway.
    gateway-setup-ipsec
    Indicates a GlobalProtect gateway event for setting up an IPSec VPN tunnel.
    gateway-setup-ssl
    Indicates a GlobalProtect gateway event for setting up a SSL VPN tunnel.
    gateway-switch-to-ssl
    Indicates a GlobalProtect gateway tunnel switch from IPSec to SSL considering IPSec tunnel was not successful.
    gateway-tunnel-latency
    Indicates GlobalProtect gateway latency provided by a GlobalProtect client. Refer to description for latency reported information, such as Pre-tunnel latency: 10ms or Post-tunnel latency: 1ms
    quarantine-add
    Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is added to the quarantine list.
    quarantine-delete
    Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is removed from the quarantine list.

    Clientless VPN Event Details

    The following table describes log events related to the GlobalProtect Clientless VPN.
    Event
    Description
    clientlessvpn-login
    Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN login.
    clientlessvpn-logout
    Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN logout.
    clientlessvpn-prelogin
    Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN. As a part of the event, the following takes place:
    • Certificate: validate whether a client certificate is valid.
    • SAML: generate a SAML request and send it back to a GlobalProtect client.
    • Kerberos: trigger a Kerberos authentication process.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo