
Palo Alto GlobalProtect


About

GlobalProtect™ network security client for endpoints, from Palo Alto Networks®, enables organizations to protect the mobile workforce by extending the Next-Generation Security Platform to all users, regardless of location.

Product Details

Vendor URL: Secure Remote Access | GlobalProtect - Palo Alto Networks

Product Type: VPN

Product Tier: Tier III

Integration Method: Syslog

Integration URL: Forward GlobalProtect Logs to an External Service in PAN-OS

Log Guide: GlobalProtect Log Fields - Palo Alto Networks

Parser Details

Log Format: CEF

Expected Normalization Rate: 90%

Data Label: PAN_GLOBAL_PROTECT

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field                    UDM Field
PanOSAuthMethod                   extensions.auth.auth_details
PanOSConfigVersion                intermediary.asset.platform_software.platform_version
PanOSDescription                  metadata.description
PanOSDeviceName                   intermediary.hostname
PanOSDeviceSN                     intermediary.asset.hardware.serial_number
PanOSEndpointDeviceName           principal.hostname
PanOSEndpointOSType               principal.asset.platform_software.platform
PanOSEndpointOSVersion            principal.asset.platform_software.platform_version
PanOSEndpointSN                   principal.asset.hardware.serial_number
PanOSEventIDValue                 metadata.product_event_type
PanOSEventStatus                  security_result.action_details
PanOSGlobalProtectClientVersion   principal.asset.software.version
PanOSHostID                       intermediary.asset.product_object_id
PanOSPortal                       target.hostname
PanOSPrivateIPv4                  intermediary.ip
PanOSPrivateIPv6                  intermediary.ip
PanOSPublicIPv4                   intermediary.nat_ip
PanOSPublicIPv6                   intermediary.nat_ip
PanOSSequenceNo                   network.session_id
PanOSSourceRegion                 principal.location.country_or_region
PanOSSourceUserName               principal.user.userid
PanOSStage                        security_result.summary
product                           metadata.product_name
start                             metadata.event_timestamp
Statically Defined                metadata.event_type
vendor                            metadata.vendor_name
version                           metadata.product_version

Product Event Types

type,subtype    severity    UDM Event Classification    alerting enabled
Default                     STATUS_UPDATE
login, auth                 USER_LOGIN
logout                      USER_LOGOUT

Log Sample

1414 <14>1 2022-08-10T17:16:26.008Z stream-logfwd02 logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|dtz=UTC rt=Aug 10 2022 17:16:24 PanOSDeviceSN=no-serial PanOSConfigVersion=10.0 start=Aug 10 2022 17:16:15 PanOSVirtualSystem=vsys1 PanOSEventIDValue=gateway-prelogin PanOSStage=before-login PanOSAuthMethod= PanOSTunnelType= PanOSSourceUserName=jane.doe PanOSSourceRegion=US PanOSEndpointDeviceName= PanOSPublicIPv4=10.10.10.55 PanOSPublicIPv6= PanOSPrivateIPv4= PanOSPrivateIPv6= PanOSHostID=as5df40sa-as6d5f40-a6sd5f0 PanOSEndpointSN= PanOSGlobalProtectClientVersion=5.2.7 PanOSEndpointOSType=Windows PanOSEndpointOSVersion=Microsoft Windows 10 Enterprise , 64-bit PanOSCountOfRepeats=1 PanOSQuarantineReason= PanOSConnectionError= PanOSDescription=Login to: 10.10.10.170 PanOSEventStatus=success PanOSGlobalProtectGatewayLocation= PanOSLoginDuration=0 PanOSConnectionMethod= PanOSConnectionErrorID=0 PanOSPortal=GlobalProtect_External_Gateway PanOSSequenceNo=1234567890 PanOSTimeGeneratedHighResolution=Aug 10 2022 17:16:15 PanOSGatewaySelectionType= PanOSSSLResponseTime=-1 PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=29 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PAGP_US_EAST-1 PanOSVirtualSystemID=1

Sample Parsing

metadata.event_timestamp = "2022-08-10T17:16:15Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "GLOBALPROTECT"
metadata.product_version = "2.0"
metadata.product_event_type = "gateway-prelogin"
metadata.description = "Login to: 10.10.10.170"
principal.user.userid = "jane.doe"
principal.location.country_or_region = "US"
principal.asset.platform_software.platform = "WINDOWS"
principal.asset.platform_software.platform_version = "Microsoft Windows 10 Enterprise , 64-bit"
principal.asset.software.name = "GlobalProtect"
principal.asset.software.version = "5.2.7"
target.hostname = "GlobalProtect_External_Gateway"
target.ip = "10.10.10.170"
target.asset.hostname = "GlobalProtect_External_Gateway"
target.asset.ip = "10.10.10.170"
intermediary.nat_ip = "10.10.10.55"
intermediary.asset.product_object_id = "as5df40sa-as6d5f40-a6sd5f0"
intermediary.asset.platform_software.platform_version = "10.0"
intermediary.hostname = "PAGP_US_EAST-1"
observer.hostname = "stream-logfwd02"
security_result.summary = "before-login"
security_result.action = "ALLOW"
security_result.action_details = "success"
network.session_id = "1234567890"
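Worked example of how the field table, the event-type table and the log sample above fit together. The Python below is added to this page for illustration; it is not the platform's own parser and not Palo Alto Networks code. It strips the RFC 6587 octet-count prefix ("1414 "), reads the RFC 5424 header, splits the CEF header on unescaped pipes, tokenizes the CEF extensions with a lookahead so values containing spaces ("Microsoft Windows 10 Enterprise , 64-bit") survive, and then applies the UDM mapping. Assumptions not stated on the page: event IDs are matched against the Product Event Types table by substring (logout checked before login), only dtz=UTC is handled, the platform value is the OS type upper-cased, metadata.product_name is taken from the CEF signature-ID column because the sample output shows "GLOBALPROTECT" rather than the CEF product column "LF", and a PanOSEventStatus of "failure" maps to BLOCK (only success to ALLOW is shown on the page).

```python
"""Added example: PAN-OS GlobalProtect CEF-over-syslog -> UDM-style dict.
Not the platform's parser; field mapping follows the table on this page."""
import ipaddress
import re
from datetime import datetime, timezone

# Sample copied from this page (constructed by the page, not a live capture).
SAMPLE = (
    "1414 <14>1 2022-08-10T17:16:26.008Z stream-logfwd02 logforwarder - panwlogs - "
    "CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|dtz=UTC "
    "rt=Aug 10 2022 17:16:24 PanOSDeviceSN=no-serial PanOSConfigVersion=10.0 "
    "start=Aug 10 2022 17:16:15 PanOSVirtualSystem=vsys1 PanOSEventIDValue=gateway-prelogin "
    "PanOSStage=before-login PanOSAuthMethod= PanOSTunnelType= PanOSSourceUserName=jane.doe "
    "PanOSSourceRegion=US PanOSEndpointDeviceName= PanOSPublicIPv4=10.10.10.55 PanOSPublicIPv6= "
    "PanOSPrivateIPv4= PanOSPrivateIPv6= PanOSHostID=as5df40sa-as6d5f40-a6sd5f0 PanOSEndpointSN= "
    "PanOSGlobalProtectClientVersion=5.2.7 PanOSEndpointOSType=Windows "
    "PanOSEndpointOSVersion=Microsoft Windows 10 Enterprise , 64-bit PanOSCountOfRepeats=1 "
    "PanOSQuarantineReason= PanOSConnectionError= PanOSDescription=Login to: 10.10.10.170 "
    "PanOSEventStatus=success PanOSGlobalProtectGatewayLocation= PanOSLoginDuration=0 "
    "PanOSConnectionMethod= PanOSConnectionErrorID=0 PanOSPortal=GlobalProtect_External_Gateway "
    "PanOSSequenceNo=1234567890 PanOSTimeGeneratedHighResolution=Aug 10 2022 17:16:15 "
    "PanOSGatewaySelectionType= PanOSSSLResponseTime=-1 PanOSGatewayPriority= "
    "PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=29 PanOSDGHierarchyLevel2=0 "
    "PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= "
    "PanOSDeviceName=PAGP_US_EAST-1 PanOSVirtualSystemID=1"
)

# Optional RFC 6587 octet count (not verified here), then the RFC 5424 header.
# Structured data is assumed to be "-" (as in the sample); real "[...]" blocks
# contain spaces and would need a dedicated parser.
SYSLOG_RE = re.compile(
    r"^(?:\d+ )?<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) (?P<app>\S+) "
    r"(?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>CEF:.*)$")

# Extension tokenizer: a value runs until the next " key=" or end of line.
# Caveat: a value that itself contains " word=" must be CEF-escaped ("\=")
# by the producer, otherwise it is split here.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|\s*$)")

DIRECT = {  # copied from the Log File Field -> UDM Field table on this page
    "PanOSAuthMethod": "extensions.auth.auth_details",
    "PanOSConfigVersion": "intermediary.asset.platform_software.platform_version",
    "PanOSDescription": "metadata.description",
    "PanOSDeviceName": "intermediary.hostname",
    "PanOSDeviceSN": "intermediary.asset.hardware.serial_number",
    "PanOSEndpointDeviceName": "principal.hostname",
    "PanOSEndpointOSVersion": "principal.asset.platform_software.platform_version",
    "PanOSEndpointSN": "principal.asset.hardware.serial_number",
    "PanOSEventIDValue": "metadata.product_event_type",
    "PanOSEventStatus": "security_result.action_details",
    "PanOSGlobalProtectClientVersion": "principal.asset.software.version",
    "PanOSHostID": "intermediary.asset.product_object_id",
    "PanOSPortal": "target.hostname",
    "PanOSPrivateIPv4": "intermediary.ip", "PanOSPrivateIPv6": "intermediary.ip",
    "PanOSPublicIPv4": "intermediary.nat_ip", "PanOSPublicIPv6": "intermediary.nat_ip",
    "PanOSSequenceNo": "network.session_id",
    "PanOSSourceRegion": "principal.location.country_or_region",
    "PanOSSourceUserName": "principal.user.userid",
    "PanOSStage": "security_result.summary",
}


def parse_cef(msg):
    """Split 'CEF:0|vendor|product|version|sigid|name|severity|extensions'."""
    parts = re.split(r"(?<!\\)\|", msg, maxsplit=7)  # pipes inside extensions stay put
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF message")
    names = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")
    ext = {k: v.strip() for k, v in EXT_RE.findall(parts[7])}
    return dict(zip(names, parts[:7])), ext


def classify_event(event_id):
    """Product Event Types table; substring match is this example's assumption."""
    e = event_id.lower()
    if "logout" in e:
        return "USER_LOGOUT"
    if "login" in e or "auth" in e:
        return "USER_LOGIN"
    return "STATUS_UPDATE"


def pan_timestamp(value, dtz):
    """'Aug 10 2022 17:16:15' + dtz -> RFC 3339. Assumption: only UTC supported."""
    if dtz != "UTC":
        raise ValueError(f"unsupported dtz {dtz!r}")
    dt = datetime.strptime(value, "%b %d %Y %H:%M:%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def to_udm(line):
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 syslog line")
    header, ext = parse_cef(m.group("msg"))
    udm = {
        "metadata.vendor_name": header["vendor"],
        "metadata.product_name": header["signature_id"],  # sample shows GLOBALPROTECT, not LF
        "metadata.product_version": header["version"],
        "metadata.event_type": classify_event(ext.get("PanOSEventIDValue", "")),
        "observer.hostname": m.group("host"),
        "principal.asset.software.name": "GlobalProtect",  # statically set, as in the sample
    }
    if ext.get("start"):
        udm["metadata.event_timestamp"] = pan_timestamp(ext["start"], ext.get("dtz", "UTC"))
    for key, field in DIRECT.items():
        if ext.get(key):  # empty CEF values are dropped, matching the sample output
            udm[field] = ext[key]
    if ext.get("PanOSEndpointOSType"):  # assumption: UDM platform enum is the upper-cased OS type
        udm["principal.asset.platform_software.platform"] = ext["PanOSEndpointOSType"].upper()
    ip = re.search(r"Login to: (\S+)", ext.get("PanOSDescription", ""))
    if ip:
        try:
            ipaddress.ip_address(ip.group(1))
            udm["target.ip"] = udm["target.asset.ip"] = ip.group(1)
        except ValueError:
            pass  # description did not carry a literal IP
    if "target.hostname" in udm:
        udm["target.asset.hostname"] = udm["target.hostname"]
    status = ext.get("PanOSEventStatus")
    if status == "success":
        udm["security_result.action"] = "ALLOW"
    elif status == "failure":  # assumption: failure -> BLOCK is not shown on the page
        udm["security_result.action"] = "BLOCK"
    return udm


if __name__ == "__main__":
    for k, v in sorted(to_udm(SAMPLE).items()):
        print(f"{k} = {v!r}")
```

Running the block prints the same field set as the Sample Parsing section above (plus intermediary.asset.hardware.serial_number = "no-serial", which the table maps but the sample output does not show). The lookahead tokenizer is the part worth keeping: naive splitting on spaces or on "=" breaks on the OS version string and on the "Login to: 10.10.10.170" description, and a parser that drops those fields quietly lowers the normalization rate.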

Parser Alerting

This product currently does not have any Parser-based Alerting

Rules

Coming Soon