GlobalProtect Log Fields
View GlobalProtect log field information using syslog.
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Stage, Authentication Method, Tunnel Type, Source User, Source Region, Machine Name, Public IP, Public IPv6, Private IP, Private IPv6, Host ID, Serial Number, Client Version, Client OS, Client OS Version, Repeat Count, Reason, Error, Description, Status, Location, Login Duration, Connect Method, Error Code, Portal, Sequence Number, Action Flags, High Res Timestamp, Selection Type, Response Time, Priority, Attempted Gateways, Gateway
Receive Time (receive_time)
The time that the log was received at the management plane.
Serial # (serial)
The serial number of the firewall that generated the log.
Specifies the type of log; value is GLOBALPROTECT.
Threat/Content Type (subtype)
Subtype of threat log. Values include the following:
Generate Time (time_generated)
The time that the log was generated on the dataplane.
Virtual System (vsys)
The Virtual System associated with the session.
Event ID (eventid)
A string showing the name of the event.
A string showing the stage of the connection (for example,
Authentication Method (auth_method)
A string showing the authentication type, such as
Tunnel Type (tunnel_type)
The type of tunnel (either SSLVPN or IPSec).
Source User (srcuser)
The username of the user who initiated the session.
Source Region (srcregion)
The region for the user who initiated the session.
Machine Name (machinename)
The name of the user’s machine.
Public IP (public_ip)
The public IP address for the user who initiated the session.
Public IPv6 (public_ipv6)
The public IPv6 address for the user who initiated the session.
Private IP (private_ip)
The private IP address for the user who initiated the session.
Private IPv6 (private_ipv6)
The private IPv6 address for the user who initiated the session.
Host ID (hostid)
The unique ID that GlobalProtect assigns to identify the host.
Serial Number (serialnumber)
The serial number of the user’s machine or device.
Client Version (client_ver)
The client’s GlobalProtect app version.
Client OS (client_os)
The client device’s OS type (for example, Windows or Linux).
Client OS Version (client_os_ver)
The client device’s OS version.
Repeat Count (repeatcnt)
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.
A string that shows the reason for the quarantine.
A string showing that error that has occurred in any event.
Additional information for any event that has occurred.
The status (success or failure) of the event.
A string showing the administrator-defined location of the GlobalProtect portal or gateway.
Login Duration (login_duration)
The length of time, in seconds, the user is connected to the GlobalProtect gateway from logging in to logging out.
Connect Method (connect_method)
A string showing the how the GlobalProtect app connects to Gateway, (for example,
Error Code (error_code)
An integer associated with any errors that occurred.
The name of the GlobalProtect portal or gateway.
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Gateway Selection Method (selection_type)
The connection method that is selected to connect to the gateway.
SSL Response Time (response_time)
The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
Gateway Priority (priority)
The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
Attempted Gateways (attempted_gateways)
The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority (see Gateway Priority in a Multiple Gateway Configuration. Each field entry is separated by commas such as
g82-gateway,12,3. Each gateway entry is separated by semicolons such as
Gateway Name (gateway)
The name of the gateway that is specified on the portal configuration.
Recommended For You
Recommended videos not found.