How to Run a Report for Previous Logged in GlobalProtect Users

Printer Friendly Page


This document describes how to create and export a report for previous logged in GlobalProtect users within the last one month.



PAN-OS does not have a predefined or custom report capability under Monitor > Reports to create a report for previously logged in GlobalProtect users.


As shown below, previously logged in GlobalProtect users can be seen in real time under Network > GlobalProtect > Gateways > Previous Users:



In order to create an exportable report for previous users:

  1. Go to Monitor > Logs > System logs, filter the logs using:
    (eventid eq globalprotectportal-config-succ) and (receive_time in last-calendar-month):

  2. Click on the Excel icon on the top right-hand side of the page and download the file:


owner: kadak

Tags (4)

Is this still not possible to do? Seems like a large oversite to not be able to report on users that are logged in remotely

Is there a cleaner way to get this report? I'm puring through syslog in our SIEM but not identifying specific GlobalProtect VPN activity...

@LeeSeeman, Right now, as far as I know, there is still no canned report for GP users. 

I do not know of a cleaner way to do this right now. I even checked in 8.1.x to see if there was anything new in the reports, but I cannot find it.


If the string:

(eventid eq globalprotectportal-config-succ)

Is not returning any results.. do you see any other "globalprotectportal-config" entries in the logs?


Does anyone know if there is a way to schedule GlobalVPN reports, I found a way of generating them just like the artlice shows, but is there a way to shcedule them?

Monitor > Logs > User-ID seems to produce a better output for a simple list of GlobalProtect authentications

"show global-protect-gateway previous-user" provides a historical account but it would need to be pulled each day and parsed for active sessions


admin@Gateway1(active)> show global-protect-gateway previous-user

GlobalProtect Gateway: RemoteVPN (1 users)
Tunnel Name : RemoteVPN-N
Domain-User Name : domain\xxxxxx
Client : Microsoft Windows 10 Pro , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Client OS : Windows
Private IP :
Private IPv6 : ::
Public IP (connected) :
Public IPv6 : ::
ESP : exist
SSL : none
Login Time : Sep.20 08:12:12
Logout/Expiration : *Sep.20 11:19:49
Reason : client logout