This document describes how to create and export a report for previous logged in GlobalProtect users within the last one month.
PAN-OS does not have a predefined or custom report capability under Monitor > Reports to create a report for previously logged in GlobalProtect users.
As shown below, previously logged in GlobalProtect users can be seen in real time under Network > GlobalProtect > Gateways > Previous Users:
In order to create an exportable report for previous users:
Is this still not possible to do? Seems like a large oversite to not be able to report on users that are logged in remotely
Is there a cleaner way to get this report? I'm puring through syslog in our SIEM but not identifying specific GlobalProtect VPN activity...
@LeeSeeman, Right now, as far as I know, there is still no canned report for GP users.
I do not know of a cleaner way to do this right now. I even checked in 8.1.x to see if there was anything new in the reports, but I cannot find it.
If the string:
(eventid eq globalprotectportal-config-succ)
Is not returning any results.. do you see any other "globalprotectportal-config" entries in the logs?
Does anyone know if there is a way to schedule GlobalVPN reports, I found a way of generating them just like the artlice shows, but is there a way to shcedule them?
Monitor > Logs > User-ID seems to produce a better output for a simple list of GlobalProtect authentications
"show global-protect-gateway previous-user" provides a historical account but it would need to be pulled each day and parsed for active sessions
admin@Gateway1(active)> show global-protect-gateway previous-user
GlobalProtect Gateway: RemoteVPN (1 users)Tunnel Name : RemoteVPN-NDomain-User Name : domain\xxxxxxComputer : BEDROC_LAPTOPClient : Microsoft Windows 10 Pro , 64-bitVPN Type : Device Level VPNMobile ID :Client OS : WindowsPrivate IP : 10.1.1.10Private IPv6 : ::Public IP (connected) : 188.8.131.52Public IPv6 : ::ESP : existSSL : noneLogin Time : Sep.20 08:12:12Logout/Expiration : *Sep.20 11:19:49Reason : client logout