topic Re: SSL VPN event logging... in GlobalProtect Discussions

SSL VPN event logging...

megrez80 — Tue, 28 Jul 2020 19:56:06 GMT

Does the Global Protect functionality produce logs that can be then forwarded to a remote syslog server?

Re: SSL VPN event logging...

BPry — Tue, 28 Jul 2020 20:27:28 GMT

Yes. How you would go about doing so is slightly different due to the recent changes to log location in 9.1+ for GlobalProtect, but you have forwarding options across every release. What exactly are you looking to forward, and what what release are you actively running?

Re: SSL VPN event logging...

megrez80 — Wed, 29 Jul 2020 11:47:59 GMT

I want to get connect/disconnect events and possibly session statistics.

I'm currently on 9.1.0-h3.

Re: SSL VPN event logging...

BPry — Thu, 30 Jul 2020 17:46:41 GMT

@megrez80,

Are you actually still running 9.1.0? If so, I would migrate to a newer release so you get some of those all important bug fixes from that initial release.

More directly to your question, under your device Log Settings you would want to add entries under the GlobalProtect logs. You would simply want an entry to capture the login/logout stage, as the logout event will include the login duration field which is measured in seconds.

((stage eq login) or (stage eq logout)) and not (auth_method eq Cookie)

Note that I've selected to not show Cookie authentications, but whether or not you include that statement is up to you and your configuration. Arguably, if your syslog server has enough space you might want to just not include a filter and keep 'All Logs' specified so your syslog server gets everything, but that may not be needed in your case.

Re: SSL VPN event logging...

megrez80 — Fri, 31 Jul 2020 20:11:34 GMT

I got vpn event syslog forwarding to work with the configuration step you specified, but the Syslog Server Profile I used had to also be associated with a Log Forwarding Profile. In the Log Forwarding Profile where you specify the Log Type (eg. auth, traffic, tunnel) it did not matter what I used.

Re: SSL VPN event logging...

BPry — Fri, 31 Jul 2020 20:19:33 GMT

@megrez80,

The wording of your post above was kind of garbled. Are you still having an issue with this or are you good at this point?

Re: SSL VPN event logging...

megrez80 — Fri, 31 Jul 2020 20:24:57 GMT

Sorry for the confusion. It's working, regardless of the Log Forwarding Profile Log Type specified.

Re: SSL VPN event logging...

megrez80 — Mon, 03 Aug 2020 12:52:02 GMT

So now that it's working, I'd like to be able to send thru an IPsec tunnel to a collector on the other end.

I have set my SysLog Server profile with the target IP address, but the logs aren't getting into the tunnel.

Is there a trick to accomplish this?

Re: SSL VPN event logging...

megrez80 — Mon, 03 Aug 2020 13:22:47 GMT

It's now getting into the tunnel. I had to set a source interface/address on the syslog service route.