Skip to main content
Skip table of contents

GlobalProtect Status Messages

Vendor Documentation

Classification

Rule NameRule TypeClassificationCommon Event
GlobalProtect Status MessagesBase RuleOther AuditGeneral Authentication Event
Remote Authentication FailureSub RuleAuthentication FailureUser Logon Failure
Remote Authentication SuccessSub RuleAuthentication SuccessUser Logon
Remote Session LogoffSub RuleAuthentication SuccessUser Logoff

Mapping with LogRhythm Schema

Device Key in Log Message

LogRhythm SchemaData TypeSchema Description
N/A N/AN/AdeviceVendor
N/AN/A N/AdeviceProduct
N/AN/A N/AVersion
N/A<vmid>Text/StringLogType
N/AN/A N/ASubType
N/A<severity>NumberdeviceSeverity
ProfileTokenN/AN/A N/A
dtzN/AN/A N/A
rtN/AN/ATime the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSDeviceSNN/AN/AID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
PanOSConfigVersionN/AN/AVersion number of the firewall operating system that wrote this log record.
startN/AN/ATime when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSVirtualSystemN/AN/AString representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
PanOSEventIDValueN/AN/AThe name of the event.
PanOSStage<status>
<tag1>
Text/StringName of the stage in the GlobalProtect connection workflow.
PanOSAuthMethod N/AN/AAuthentication method used for the GlobalProtect connection.
PanOSTunnelType N/AN/ATunnel Type i.e. SSL or VPN.
PanOSSourceUserName<login>Text/StringThe username that connected.
PanOSSourceRegion
N/ARegion of the Gateway (or User) that connected.
PanOSEndpointDeviceName<sname>Text/StringName of the device that the user used for the connection.
PanOSPublicIPv4<sip>IP AddressPublic IP address (v4) of the user that connected.
PanOSPublicIPv6<sip>IP AddressPublic IP address (v6) of the user that connected.
PanOSPrivateIPv4<snatip>IP AddressPrivate IP address (v4) of the user that connected.
PanOSPrivateIPv6<snatip>IP AddressPrivate IP address (v6) of the user that connected.
PanOSHostIDN/AN/AUnique identifier GlobalProtect has assigned to the host.
PanOSEndpointSNN/AN/AID that uniquely identifies the endpoint on which the GlobalProtect client is deployed.
PanOSGlobalProtectClientVersionN/AN/AGlobalProtect client version number.
PanOSEndpointOSTypeN/AN/AOS type of the endpoint on which the GlobalProtect client is deployed.
PanOSEndpointOSVersionN/AN/AOS version of the endpoint on which the GlobalProtect client is deployed.
PanOSRepeatCountN/AN/ANumber of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
PanOSQuarantineReason<reason>Text/StringQuarantine reason.
PanOSConnectionError N/AN/AError information for unsuccessful connection.
PanOSDescription<vendorinfo>Text/StringAdditional information regarding the event.
PanOSEventStatus<result>
<tag2>
Text/StringThe status (success or failure) of the event.
PanOSGlobalProtectGatewayLocation N/AN/ALocation of the Global Protect Gateway.
PanOSLoginDuration<seconds>NumberDuration for which the connected user was logged on.
PanOSConnectionMethod N/AN/AIdentifies how the GlobalProtect app connected to the the Gateway. For example, on-demand or user-logon.
PanOSConnectionErrorID N/AN/AEnumeration integer assigned to the connection_error field value.
PanOSPortal N/AN/AGlobal Protect Portal or Gateway that the user connected to.
PanOSSequenceNo<serialnumber>NumberThe log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSTimeGeneratedHighResolutionN/AN/ATime the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH
PanOSGatewaySelectionTypeN/AN/AGateway Selection Method i.e automatic, preferred or manual.
PanOSSSLResponseTimeN/AN/ASSL Response Time in milliseconds.
PanOSGatewayPriorityN/AN/APriority of gateway, retrieved from portal configuration.
PanOSAttemptedGatewaysN/AN/AString of all gateways that were available and attempted for the client location. Contains gateway name, ssl response time, and priority, separated by a semicolon.
PanOSGatewayN/AN/ASelected Gateway for the connection.
PanOSDGHierarchyLevel1N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4N/AN/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemNameN/AN/AThe name of the virtual system associated with the network traffic.
PanOSDeviceNameN/AN/AName of the source of the log. That is, the hostname of the firewall that logged the network traffic.
PanOSVirtualSystemIDN/AN/AA unique identifier for a virtual system on a Palo Alto Networks firewall.
PanOSCortexDataLakeTenantIDN/AN/AThe ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSIsDuplicateLogN/AN/AIndicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSLogExportedN/AN/AIndicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwardedN/AN/AInternal-use field that indicates if the log is being forwarded.
PanOSIsPrismaNetworksN/AN/AInternal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsersN/AN/AInternal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSLogSourceN/AN/AIdentifies the origin of the data. That is, the system that produced the data.
PanOSLogSourceTimeZoneOffsetN/AN/ATime Zone offset from GMT of the source of the log.
sntdom<domainorigin>Text/StringDomain to which the Source User belongs.
susername<login>Text/StringThe Source User. That is, the username that initiated the network traffic.
suid, duid N/AN/AUnique identifier assigned to the Source User.
dntdom<domainimpacted>Text/StringDomain to which the destination User belongs.
dusername<account>Text/StringThe Destination User. That is, the username to which the network traffic was destined.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.