GlobalProtect Log Fields

View GlobalProtect log field information using syslog.
Format: FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Virtual System, Event ID, Stage, Authentication Method, Tunnel Type, Source User, Source Region, Machine Name, Public IP, Public IPv6, Private IP, Private IPv6, Host ID, Serial Number, Client Version, Client OS, Client OS Version, Repeat Count, Reason, Error, Description, Status, Location, Login Duration, Connect Method, Error Code, Portal, Sequence Number, Action Flags, High Res Timestamp, Selection Type, Response Time, Priority, Attempted Gateways, Gateway
Field Name
Description
Receive Time (receive_time)
The time that the log was received at the management plane.
Serial # (serial)
The serial number of the firewall that generated the log.
Type (type)
Specifies the type of log; value is GLOBALPROTECT.
Threat/Content Type (subtype)
Subtype of threat log. Values include the following:
  • data—Data pattern matching a Data Filtering profile.
  • file—File type matching a File Blocking profile.
  • flood—Flood detected via a Zone Protection profile.
  • packet—Packet-based attack protection triggered by a Zone Protection profile.
  • scan—Scan detected via a Zone Protection profile.
  • spyware —Spyware detected via an Anti-Spyware profile.
  • url—URL filtering log.
  • virus—Virus detected via an Antivirus profile.
  • vulnerability —Vulnerability exploit detected via a Vulnerability Protection profile.
  • wildfire —A WildFire verdict generated when the firewall submits a file to WildFire per a WildFire Analysis profile and a verdict (malicious, phishing, grayware, or benign, depending on what you are logging) is logged in the WildFire Submissions log.
  • wildfire-virus—Virus detected via an Antivirus profile.
Generate Time (time_generated)
The time that the log was generated on the dataplane.
Virtual System (vsys)
The Virtual System associated with the session.
Event ID (eventid)
A string showing the name of the event.
Stage (stage)
A string showing the stage of the connection (for example,
before-login
,
login
, or
tunnel
).
Authentication Method (auth_method)
A string showing the authentication type, such as
LDAP
,
RADIUS
, or
SAML
.
Tunnel Type (tunnel_type)
The type of tunnel (either SSLVPN or IPSec).
Source User (srcuser)
The username of the user who initiated the session.
Source Region (srcregion)
The region for the user who initiated the session.
Machine Name (machinename)
The name of the user’s machine.
Public IP (public_ip)
The public IP address for the user who initiated the session.
Public IPv6 (public_ipv6)
The public IPv6 address for the user who initiated the session.
Private IP (private_ip)
The private IP address for the user who initiated the session.
Private IPv6 (private_ipv6)
The private IPv6 address for the user who initiated the session.
Host ID (hostid)
The unique ID that GlobalProtect assigns to identify the host.
Serial Number (serialnumber)
The serial number of the user’s machine or device.
Client Version (client_ver)
The client’s GlobalProtect app version.
Client OS (client_os)
The client device’s OS type (for example, Windows or Linux).
Client OS Version (client_os_ver)
The client device’s OS version.
Repeat Count (repeatcnt)
The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.
Reason (reason)
A string that shows the reason for the quarantine.
Error (error)
A string showing that error that has occurred in any event.
Description (opaque)
Additional information for any event that has occurred.
Status (status)
The status (success or failure) of the event.
Location (location)
A string showing the administrator-defined location of the GlobalProtect portal or gateway.
Login Duration (login_duration)
The length of time, in seconds, the user is connected to the GlobalProtect gateway from logging in to logging out.
Connect Method (connect_method)
A string showing the how the GlobalProtect app connects to Gateway, (for example,
on-demand
or
user-logon
.
Error Code (error_code)
An integer associated with any errors that occurred.
Portal (portal)
The name of the GlobalProtect portal or gateway.
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially; each log type has a unique number space.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Gateway Selection Method (selection_type)
The connection method that is selected to connect to the gateway.
  • manual—The gateway to which you want the GlobalProtect app to manually connect.
  • preferred—The preferred gateway to which you want the GlobalProtect app to connect.
  • auto—Automatically connect to the
    Best Available
    gateway based on the priority assigned to the gateway and the response time.
SSL Response Time (response_time)
The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup.
Gateway Priority (priority)
The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect.
Attempted Gateways (attempted_gateways)
The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority (see Gateway Priority in a Multiple Gateway Configuration. Each field entry is separated by commas such as
g82-gateway,12,3
. Each gateway entry is separated by semicolons such as
g83-gateway,10,2;g84-gateway,-1,1
.
Gateway Name (gateway)
The name of the gateway that is specified on the portal configuration.

Recommended For You