How to Run a Report for Previous Logged in GlobalProtect Users

Printer Friendly Page

Overview

This document describes how to create and export a report for previous logged in GlobalProtect users within the last one month.

 

Details

PAN-OS does not have a predefined or custom report capability under Monitor > Reports to create a report for previously logged in GlobalProtect users.

 

As shown below, previously logged in GlobalProtect users can be seen in real time under Network > GlobalProtect > Gateways > Previous Users:

 

Steps

In order to create an exportable report for previous users:

  1. Go to Monitor > Logs > System logs, filter the logs using:
    (eventid eq globalprotectportal-config-succ) and (receive_time in last-calendar-month):


  2. Click on the Excel icon on the top right-hand side of the page and download the file:

 

owner: kadak

Tags (4)
Comments

Is this still not possible to do? Seems like a large oversite to not be able to report on users that are logged in remotely

Is there a cleaner way to get this report? I'm puring through syslog in our SIEM but not identifying specific GlobalProtect VPN activity...

@LeeSeeman, Right now, as far as I know, there is still no canned report for GP users. 

I do not know of a cleaner way to do this right now. I even checked in 8.1.x to see if there was anything new in the reports, but I cannot find it.

 

If the string:

(eventid eq globalprotectportal-config-succ)

Is not returning any results.. do you see any other "globalprotectportal-config" entries in the logs?

 

Does anyone know if there is a way to schedule GlobalVPN reports, I found a way of generating them just like the artlice shows, but is there a way to shcedule them?

Monitor > Logs > User-ID seems to produce a better output for a simple list of GlobalProtect authentications

"show global-protect-gateway previous-user" provides a historical account but it would need to be pulled each day and parsed for active sessions

 


admin@Gateway1(active)> show global-protect-gateway previous-user


GlobalProtect Gateway: RemoteVPN (1 users)
Tunnel Name : RemoteVPN-N
Domain-User Name : domain\xxxxxx
Computer : BEDROC_LAPTOP
Client : Microsoft Windows 10 Pro , 64-bit
VPN Type : Device Level VPN
Mobile ID :
Client OS : Windows
Private IP : 10.1.1.10
Private IPv6 : ::
Public IP (connected) : 73.255.54.58
Public IPv6 : ::
ESP : exist
SSL : none
Login Time : Sep.20 08:12:12
Logout/Expiration : *Sep.20 11:19:49
Reason : client logout