>
    Strata Copilot
    GlobalProtect CEF Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Strata Logging Service
    3. Strata Logging Service Log Reference
    4. Network Logs
    5. GlobalProtect
    6. GlobalProtect CEF Fields
    Download PDF
    Strata Logging Service

    GlobalProtect CEF Fields

    Table of Contents

    GlobalProtect CEF Fields

    Example GlobalProtect log in CEF: 
    Mar 1 20:35:56 xxx.xx.x.xx 1544 <14>1 2021-03-01T20:35:56.565Z stream-logfwd20-587718190-02280003-lvod-harness-mjdh logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|ProfileToken=xxxxx dtz=UTC rt=Mar 01 2021 20:35:54 PanOSDeviceSN=xxxxxxxxxxxxx PanOSConfigVersion= start=Mar 01 2021 20:35:54 PanOSVirtualSystem=vsys1 PanOSEventIDValue=satellite-gateway-update-route PanOSStage=connected PanOSAuthMethod=RADIUS PanOSTunnelType=ipsec PanOSSourceUserName=xxxxx\\\\xxxxx PanOSSourceRegion=ET PanOSEndpointDeviceName=machine_name2 PanOSPublicIPv4=xxx.xx.x.xx PanOSPublicIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSPrivateIPv4=xxx.xx.x.xx PanOSPrivateIPv6=xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx PanOSHostID=xxxxxxxxxxxxxxe667947f-d92e-4815-9222-89438203bc2b PanOSEndpointSN=serialno_list-1 PanOSGlobalProtectClientVersion=3.0.9 PanOSEndpointOSType=Intel Mac OS PanOSEndpointOSVersion=9.3.5 PanOSCountOfRepeats=16777216 PanOSQuarantineReason=Malicious Traffic PanOSConnectionError=Client cert not present PanOSDescription=opaque_list-1 PanOSEventStatus=failure PanOSGlobalProtectGatewayLocation=San Francisco PanOSLoginDuration=1 PanOSConnectionMethod=connect_method_list-1 PanOSConnectionErrorID=0 PanOSPortal=portal_list-2 PanOSSequenceNo=34401910 PanOSTimeGeneratedHighResolution=Jul 25 2019 23:30:12 PanOSGatewaySelectionType= PanOSSSLResponseTime= PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=20 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PA-VM PanOSVirtualSystemID=1
    The following table identifies the GlobalProtect field names that the Log Forwarding app uses when you forward logs using the CEF log format.
    CEF Name
    Field Details
    PanOSAttemptedGateways
    Query Name: attempted_gateways
    Header Type: Custom
    PanOSAuthMethod
    Query Name: auth_method
    Header Type: Custom
    PanOSConfigVersion
    Query Name: config_version.​value
    Header Type: Custom
    PanOSConnectionMethod
    Query Name: connect_method
    Header Type: Custom
    PanOSConnectionErrorID
    Query Name: connection_error.​id
    Header Type: Custom
    PanOSConnectionError
    Query Name: connection_error.​value
    Header Type: Custom
    PanOSCountOfRepeats
    Query Name: count_of_repeats
    Header Type: Custom
    PanOSTenantID
    Query Name: customer_id
    Header Type: Custom
    PanOSDGHierarchyLevel1
    Query Name: dg_hier_level_1
    Header Type: Custom
    PanOSDGHierarchyLevel2
    Query Name: dg_hier_level_2
    Header Type: Custom
    PanOSDGHierarchyLevel3
    Query Name: dg_hier_level_3
    Header Type: Custom
    PanOSDGHierarchyLevel4
    Query Name: dg_hier_level_4
    Header Type: Custom
    shost
    Query Name: endpoint_device_name
    Header Type: Predefined
    PanOSGlobalProtectClientVersion
    Query Name: endpoint_gp_version
    Header Type: Custom
    PanOSEndpointOSType
    Query Name: endpoint_os_type
    Header Type: Custom
    PanOSEndpointOSVersion
    Query Name: endpoint_os_version
    Header Type: Custom
    PanOSEndpointSN
    Query Name: endpoint_serial_number
    Header Type: Custom
    Name
    Query Name: event_id.​value
    Header Type: Custom
    PanOSGateway
    Query Name: gateway
    Header Type: Custom
    PanOSGatewayPriority
    Query Name: gateway_priority.​value
    Header Type: Custom
    PanOSGatewaySelectionType
    Query Name: gateway_selection_type
    Header Type: Custom
    PanOSGlobalProtectGatewayLocation
    Query Name: gpg_location
    Header Type: Custom
    PanOSHostID
    Query Name: host_id
    Header Type: Custom
    PanOSIsDuplicateLog
    Query Name: is_dup_log
    Header Type: Custom
    PanOSLogExported
    Query Name: is_exported
    Header Type: Custom
    PanOSLogForwarded
    Query Name: is_forwarded
    Header Type: Custom
    PanOSIsPrismaNetworks
    Query Name: is_prisma_branch
    Header Type: Custom
    PanOSIsPrismaUsers
    Query Name: is_prisma_mobile
    Header Type: Custom
    sourceServiceName
    Query Name: log_source
    Header Type: Predefined
    LogSourceGroupID
    Query Name: log_source_group_id
    Header Type: Custom
    deviceExternalID
    Query Name: log_source_id
    Header Type: Predefined
    dvchost
    Query Name: log_source_name
    Header Type: Predefined
    PanOSLogSourceTimeZoneOffset
    Query Name: log_source_tz_offset
    Header Type: Custom
    rt
    Query Name: log_time
    Header Type: Predefined
    Device Event Class ID
    Query Name: log_type.​value
    Header Type: Custom
    PanOSLoginDuration
    Query Name: login_duration
    Header Type: Custom
    PanOSDescription
    Query Name: opaque
    Header Type: Custom
    PanOSPanoramaSN
    Query Name: panorama_serial
    Header Type: Custom
    PlatformType
    Query Name: platform_type
    Header Type: Custom
    PanOSPortal
    Query Name: portal
    Header Type: Custom
    PanOSPrivateIPv4
    Query Name: private_ip.​value
    Header Type: Custom
    PanOSPrivateIPv6
    Query Name: private_ipv6.​value
    Header Type: Custom
    ProjectName
    Query Name: project_name
    Header Type: Custom
    src
    Query Name: public_ip.​value
    Header Type: Predefined
    c6a2
    Query Name: public_ipv6.​value
    Header Type: Predefined
    PanOSQuarantineReason
    Query Name: quarantine_reason
    Header Type: Custom
    PanOSSequenceNo
    Query Name: sequence_no
    Header Type: Custom
    PanOSSourceRegion
    Query Name: source_region
    Header Type: Custom
    suser
    Query Name: source_user
    Header Type: Predefined
    sntdom and dntdom
    Query Name: source_user_info.​domain
    Header Type: Predefined
    suser and duser
    Query Name: source_user_info.​name
    Header Type: Predefined
    suid and duid
    Query Name: source_user_info.​uuid
    Header Type: Predefined
    PanOSSSLResponseTime
    Query Name: ssl_response_time
    Header Type: Custom
    PanOSStage
    Query Name: stage
    Header Type: Custom
    outcome
    Query Name: status.​value
    Header Type: Predefined
    PanOSLogSubtype
    Query Name: sub_type.​value
    Header Type: Custom
    start
    Query Name: time_generated
    Header Type: Predefined
    PanOSTimeGeneratedHighResolution
    Query Name: time_generated_high_res
    Header Type: Custom
    PanOSTunnelType
    Query Name: tunnel
    Header Type: Custom
    Device Vendor
    Query Name: vendor_name
    Header Type: Custom
    PanOSVirtualSystem
    Query Name: vsys
    Header Type: Custom
    PanOSVirtualSystemID
    Query Name: vsys_id
    Header Type: Custom
    cs3
    Query Name: vsys_name
    Header Type: Predefined

    © 2025 Palo Alto Networks, Inc. All rights reserved.