Event Descriptions for the GlobalProtect Logs in PAN-OS

Event descriptions for the GlobalProtect portal, gateway, and Clientless VPN logs in PAN-OS.
Use the following descriptions to help you to identify GlobalProtect portal, gateway, or Clientless VPN events when viewing GlobalProtect logs in PAN-OS at
Monitor
Logs
GlobalProtect
:

Portal Event Details

The following table describes log events related to the GlobalProtect portal.
Event
Description
portal-auth
Indicates a GlobalProtect portal authentication stage. See Status for results.
portal-gen-cookie
Indicates a GlobalProtect portal authentication override cookie generation event. See Status for results.
portal-getconfig
Indicates a GlobalProtect portal event for generating GlobalProtect client configuration, such as dynamic app configuration or gateway list.
portal-prelogin
Indicates a GlobalProtect portal pre-login event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.

Gateway Event Details

The following table describes log events related to the GlobalProtect gateway.
Event
Description
gateway-agent-msg
Indicates a GlobalProtect gateway event for a message received from the GlobalProtect client, such as GlobalProtect client disable reason message.
gateway-auth
Indicates GlobalProtect gateway authentication stage. See Status for results.
gateway-config-release
Indicates a GlobalProtect gateway event for configuration release, such as remove ip-user mapping or remove tunnel.
gateway-connected
Indicates a GlobalProtect gateway event for a GlobalProtect client successful connection for tunnel or non-tunnel mode.
gateway-framed-ip
Indicates a GlobalProtect gateway event where the gateway retrieved a framed IPv4 address from RADIUS for a GlobalProtect client.
gateway-getconfig
Indicates a GlobalProtect gateway event for generating GlobalProtect client configuration, such as split-tunnel, virtual IP, or tunnel information.
gateway-hip-check
Indicates a GlobalProtect gateway event to confirm whether a GlobalProtect HIP report was updated or not, and to refresh ip-user mapping. Refer to the description for latency reported information. Examples include items such as HIP report is not needed or HIP report is needed.
gateway-hip-report
Indicates a GlobalProtect gateway event to confirm whether a HIP report was received from a GlobalProtect client, to update ip-user mapping, and to enforce HIP policy.
gateway-inheritance
Indicates a GlobalProtect gateway event where a GlobalProtect gateway is using a dynamic IP address and the IP address changed.
gateway-logout
Indicates a GlobalProtect gateway event for a GlobalProtect client logout.
gateway-prelogin
Indicates a GlobalProtect gateway event. As a part of the event, the GlobalProtect client does the following:
  • Certificate: validates whether a client certificate is valid.
  • SAML: generates a SAML request and sends it back to a GlobalProtect client.
  • Kerberos: triggers a Kerberos authentication process.
gateway-register
Indicates GlobalProtect client user information, such as username, domain-name, computer name, hostid, serial number, public ip, or login time is added on the gateway.
gateway-setup-ipsec
Indicates a GlobalProtect gateway event for setting up an IPSec VPN tunnel.
gateway-setup-ssl
Indicates a GlobalProtect gateway event for setting up a SSL VPN tunnel.
gateway-switch-to-ssl
Indicates a GlobalProtect gateway tunnel switch from IPSec to SSL considering IPSec tunnel was not successful.
gateway-tunnel-latency
Indicates GlobalProtect gateway latency provided by a GlobalProtect client. Refer to description for latency reported information, such as Pre-tunnel latency: 10ms or Post-tunnel latency: 1ms
quarantine-add
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is added to the quarantine list.
quarantine-delete
Indicates a GlobalProtect gateway event for a GlobalProtect client, confirming that the client is removed from the quarantine list.

Clientless VPN Event Details

The following table describes log events related to the GlobalProtect Clientless VPN.
Event
Description
clientlessvpn-login
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN login.
clientlessvpn-logout
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN logout.
clientlessvpn-prelogin
Indicates a GlobalProtect portal event for GlobalProtect Clientless VPN. As a part of the event, the following takes place:
  • Certificate: validate whether a client certificate is valid.
  • SAML: generate a SAML request and send it back to a GlobalProtect client.
  • Kerberos: trigger a Kerberos authentication process.

Recommended For You