Palo Alto GlobalProtect¶
About¶
GlobalProtect™ network security client for endpoints, from Palo Alto Networks®, enables organizations to protect the mobile workforce by extending the Next-Generation Security Platform to all users, regardless of location.
Product Details¶
Vendor URL: Secure Remote Access | GlobalProtect - Palo Alto Networks
Product Type: VPN
Product Tier: Tier III
Integration Method: Syslog
Integration URL: Forward GlobalProtect Logs to an External Service in PAN-OS
Log Guide: GlobalProtect Log Fields - Palo Alto Networks
Parser Details¶
Log Format: CEF
Expected Normalization Rate: 90%
Data Label: PAN_GLOBAL_PROTECT
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| PanOSAuthMethod | extensions.auth.auth_details |
| PanOSConfigVersion | intermediary.asset.platform_software.platform_version |
| PanOSDescription | metadata.description |
| PanOSDeviceName | intermediary.hostname |
| PanOSDeviceSN | intermediary.asset.hardware.serial_number |
| PanOSEndpointDeviceName | principal.hostname |
| PanOSEndpointOSType | principal.asset.platform_software.platform |
| PanOSEndpointOSVersion | principal.asset.platform_software.platform_version |
| PanOSEndpointSN | principal.asset.hardware.serial_number |
| PanOSEventIDValue | metadata.product_event_type |
| PanOSEventStatus | security_result.action_details |
| PanOSGlobalProtectClientVersion | principal.asset.software.version |
| PanOSHostID | intermediary.asset.product_object_id |
| PanOSPortal | target.hostname |
| PanOSPrivateIPv4 | intermediary.ip |
| PanOSPrivateIPv6 | intermediary.ip |
| PanOSPublicIPv4 | intermediary.nat_ip |
| PanOSPublicIPv6 | intermediary.nat_ip |
| PanOSSequenceNo | network.session_id |
| PanOSSourceRegion | principal.location.country_or_region |
| PanOSSourceUserName | principal.user.userid |
| PanOSStage | security_result.summary |
| product | metadata.product_name |
| start | metadata.event_timestamp |
| Statically Defined | metadata.event_type |
| vendor | metadata.vendor_name |
| version | metadata.product_version |
Product Event Types¶
| type,subtype | severity | UDM Event Classification | alerting enabled |
|---|---|---|---|
| Default | STATUS_UPDATE | ||
| login, auth | USER_LOGIN | ||
| logout | USER_LOGOUT |
Log Sample¶
1414 <14>1 2022-08-10T17:16:26.008Z stream-logfwd02 logforwarder - panwlogs - CEF:0|Palo Alto Networks|LF|2.0|GLOBALPROTECT|globalprotect|3|dtz=UTC rt=Aug 10 2022 17:16:24 PanOSDeviceSN=no-serial PanOSConfigVersion=10.0 start=Aug 10 2022 17:16:15 PanOSVirtualSystem=vsys1 PanOSEventIDValue=gateway-prelogin PanOSStage=before-login PanOSAuthMethod= PanOSTunnelType= PanOSSourceUserName=jane.doe PanOSSourceRegion=US PanOSEndpointDeviceName= PanOSPublicIPv4=10.10.10.55 PanOSPublicIPv6= PanOSPrivateIPv4= PanOSPrivateIPv6= PanOSHostID=as5df40sa-as6d5f40-a6sd5f0 PanOSEndpointSN= PanOSGlobalProtectClientVersion=5.2.7 PanOSEndpointOSType=Windows PanOSEndpointOSVersion=Microsoft Windows 10 Enterprise , 64-bit PanOSCountOfRepeats=1 PanOSQuarantineReason= PanOSConnectionError= PanOSDescription=Login to: 10.10.10.170 PanOSEventStatus=success PanOSGlobalProtectGatewayLocation= PanOSLoginDuration=0 PanOSConnectionMethod= PanOSConnectionErrorID=0 PanOSPortal=GlobalProtect_External_Gateway PanOSSequenceNo=1234567890 PanOSTimeGeneratedHighResolution=Aug 10 2022 17:16:15 PanOSGatewaySelectionType= PanOSSSLResponseTime=-1 PanOSGatewayPriority= PanOSAttemptedGateways= PanOSGateway= PanOSDGHierarchyLevel1=29 PanOSDGHierarchyLevel2=0 PanOSDGHierarchyLevel3=0 PanOSDGHierarchyLevel4=0 PanOSVirtualSystemName= PanOSDeviceName=PAGP_US_EAST-1 PanOSVirtualSystemID=1
Sample Parsing¶
metadata.event_timestamp = "2022-08-10T17:16:15Z"
metadata.event_type = "USER_LOGIN"
metadata.vendor_name = "Palo Alto Networks"
metadata.product_name = "GLOBALPROTECT"
metadata.product_version = "2.0"
metadata.product_event_type = "gateway-prelogin"
metadata.description = "Login to: 10.10.10.170"
principal.user.userid = "jane.doe"
principal.location.country_or_region = "US"
principal.asset.platform_software.platform = "WINDOWS"
principal.asset.platform_software.platform_version = "Microsoft Windows 10 Enterprise , 64-bit"
principal.asset.software.name = "GlobalProtect"
principal.asset.software.version = "5.2.7"
target.hostname = "GlobalProtect_External_Gateway"
target.ip = "10.10.10.170"
target.asset.hostname = "GlobalProtect_External_Gateway"
target.asset.ip = "10.10.10.170"
intermediary.nat_ip = "10.10.10.55"
intermediary.asset.product_object_id = "as5df40sa-as6d5f40-a6sd5f0"
intermediary.asset.platform_software.platform_version = "10.0"
intermediary.hostname = "PAGP_US_EAST-1"
observer.hostname = "stream-logfwd02"
security_result.summary = "before-login"
security_result.action = "ALLOW"
security_result.action_details = "success"
network.session_id = "1234567890"
Parser Alerting¶
This product currently does not have any Parser-based Alerting
Rules¶
Coming Soon