In PAN-OS, view GlobalProtect event logs in one place.
| Where Can I Use This? | What Do I Need? |
| --- | --- |
| NGFW (managed by Panorama) | GlobalProtect Subscription License |
In PAN-OS, GlobalProtect logs have a dedicated
page that enables you to view GlobalProtect events in one place.
The dedicated GlobalProtect log category eliminates the need for
using complex log queries to locate GlobalProtect logs. You can
also sort, filter, and query the GlobalProtect logs.
The GlobalProtect log page displays information that includes the authentication
method. The following screenshot shows an example of logs in the page;
note the Auth Method of SAML.
However, GlobalProtect authentication event logs remain in .
The GP source zone in traffic logs only reflects post-tunnel, established
VPN connections using the client's assigned private (tunnel) IP
address. It does not capture pre-authentication or pre-tunnel
connection attempts. To identify a client's public IP address
before the VPN tunnel is established, filter traffic logs using
the portal or gateway IP as the destination rather than the GP
zone as the source, as described in identifying a client's
public IP before tunnel establishment.
To audit all GlobalProtect app disable events, filter system logs using
( eventid eq gateway-agent-msg ). To identify ticket-based disables
specifically, look for method:with-ticket in the Comment field of the results.
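
The same audit can be run offline over exported system logs. The script below is an added example, not part of the PAN-OS documentation. Only the event ID and the method:with-ticket marker come from this page; the CSV column names, the sample rows and every other value are constructed assumptions to adjust to your export.

```python
import csv
import io
import re
from collections import Counter

# From the page: the event ID to filter on and the ticket marker in Comment.
DISABLE_EVENT_ID = "gateway-agent-msg"
TICKET_METHOD = "with-ticket"
METHOD_RE = re.compile(r"\bmethod:([\w-]+)")

# Constructed sample export. Column names, timestamps, the second event ID and
# the "constructed-other" method value are assumptions, not real PAN-OS output.
SAMPLE_CSV = """Receive Time,Event ID,Comment
2024/05/01 09:12:03,gateway-agent-msg,method:with-ticket
2024/05/01 09:40:17,gateway-agent-msg,method:constructed-other
2024/05/01 10:02:55,constructed-other-event,method:with-ticket
2024/05/01 10:30:00,gateway-agent-msg,
2024/05/02 08:15:41,gateway-agent-msg,note method:with-ticket
"""

def audit_disable_events(csv_text, event_col="Event ID", comment_col="Comment",
                         time_col="Receive Time"):
    """Return (events, method_counts) for all app disable events in the export."""
    events, methods = [], Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Same selection as the ( eventid eq gateway-agent-msg ) log filter.
        if (row.get(event_col) or "").strip() != DISABLE_EVENT_ID:
            continue
        match = METHOD_RE.search(row.get(comment_col) or "")
        method = match.group(1) if match else "unspecified"
        methods[method] += 1
        events.append({"time": row.get(time_col) or "", "method": method})
    return events, methods

def ticket_based(events):
    """Keep only the disables whose Comment carried method:with-ticket."""
    return [e for e in events if e["method"] == TICKET_METHOD]

if __name__ == "__main__":
    events, methods = audit_disable_events(SAMPLE_CSV)
    print(f"{len(events)} disable events, by method: {dict(methods)}")
    for e in ticket_based(events):
        print("ticket-based disable at", e["time"])
```

Rows with a different event ID are skipped even when their Comment contains the marker, and disable events with no method token are counted as unspecified rather than dropped.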