Useful GlobalProtect CLI Commands

This document is intended to provide a list of GlobalProtect CLI commands to help in troubleshooting sessions, users and statistics.



Below is a list of the subcommands currently available under “> show global-protect-gateway”. Each gives specific information that will be valuable depending on what is being examined.

Command              Description
current-satellite    Show current GlobalProtect gateway satellites
current-user         Show current GlobalProtect gateway users
flow                 Show dataplane GlobalProtect gateway tunnel information
flow-site-to-site    Show dataplane GlobalProtect site-to-site gateway tunnel information
gateway              Show list of GlobalProtect gateway configuration
previous-satellite   Show previous GlobalProtect gateway satellites
previous-user        Show previous user session for GlobalProtect gateway users
statistics           Show statistics of current GlobalProtect gateway users



Below are some of the commands above and the output that can be expected:

> show global-protect-gateway flow

total tunnels configured:                                     1
filter - type GlobalProtect-Gateway, state any

total GlobalProtect-Gateway tunnel shown:                     1

id    name                  local-i/f         local-ip        tunnel-i/f
2     gp-gateway-N          ethernet1/3                       tunnel.26



> show global-protect-gateway current-user

GlobalProtect Gateway: gp-gateway (1 users)
Tunnel Name          : gp-gateway-N
        Domain-User Name          : :test
        Computer                  : HOST17-WIN7-64
        Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit
        Private IP                :
        Public IP                 :
        ESP                       : removed
        SSL                       : exist
        Login Time                : Aug.12 17:12:34
        Logout/Expiration         : Sep.11 17:12:34
        TTL                       : 2591960
        Inactivity TTL            : 10760



> show global-protect-gateway gateway

GlobalProtect Gateway: gp-gateway (1 users)
Tunnel Type          : remote user tunnel
Tunnel Name          : gp-gateway-N
        Tunnel ID                 : 2
        Tunnel Interface          : tunnel.26
        Encap Interface           : ethernet1/3
        Inheritance From          :
        Local Address             :
        SSL Server Port           : 443
        IPSec Encap               : no
        HTTP Redirect             : no
        UDP Port                  : 4501
        Max Users                 : 0
        IP Pool Ranges            : -;
        IP Pool index             : 0
        Next IP                   :
        DNS Servers               :

        Access Routes             :;
        VSYS                      : vsys1 (id 1)
        SSL Server Cert           : iamportal
        Auth Profile              : local
        Client Cert Profile       :
        Lifetime                  : 2592000 seconds
        Idle Timeout              : 10800 seconds
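
The current-user and gateway outputs above can be read together when reviewing sessions. The following Python is an added example, not part of the original article or any Palo Alto Networks code: it parses saved current-user output and derives session age and idle time from the gateway's Lifetime and Idle Timeout. The function names, the assumption that "Domain-User Name" opens each user block, the countdown reading of the TTL fields and the reading of the ESP/SSL fields are assumptions.

```python
import re

# Sample copied from the current-user output above (blank IP fields kept as shown).
SAMPLE = """\
GlobalProtect Gateway: gp-gateway (1 users)
Tunnel Name          : gp-gateway-N
        Domain-User Name          : :test
        Computer                  : HOST17-WIN7-64
        Client                    : Microsoft Windows 7 Enterprise Edition Service Pack 1, 64-bit
        Private IP                :
        Public IP                 :
        ESP                       : removed
        SSL                       : exist
        Login Time                : Aug.12 17:12:34
        Logout/Expiration         : Sep.11 17:12:34
        TTL                       : 2591960
        Inactivity TTL            : 10760
"""

# "key : value", split on the first colon only (values such as ":test" contain colons).
FIELD = re.compile(r"^\s*([^:]+?)\s*: ?(.*)$")

def parse_current_user(text):
    """Return one dict per user session, tagged with its gateway and tunnel."""
    sessions, ctx, cur = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip() or None  # blank field -> None
        if key in ("GlobalProtect Gateway", "Tunnel Name"):
            ctx[key] = val
        elif key == "Domain-User Name":  # assumption: this line opens each user block
            cur = {**ctx, key: val}
            sessions.append(cur)
        elif cur is not None:
            cur[key] = val
    return sessions

def summarize(text, lifetime, idle_timeout):
    """lifetime / idle_timeout: 'Lifetime' and 'Idle Timeout' from the gateway output.
    Assumption: TTL and Inactivity TTL count down from those two values."""
    return [{
        "user": s["Domain-User Name"], "computer": s["Computer"],
        "age_s": lifetime - int(s["TTL"]),
        "idle_s": idle_timeout - int(s["Inactivity TTL"]),
        # Assumption: ESP "removed" with SSL "exist" means the tunnel is on SSL only.
        "ssl_only": s.get("ESP") == "removed" and s.get("SSL") == "exist",
    } for s in parse_current_user(text)]
```

Calling summarize(SAMPLE, 2592000, 10800) with the Lifetime and Idle Timeout values from the gateway output reports a session that logged in and was last active 40 seconds before the capture.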



owner: panagent


For PAN > 4.0

admin@PA> show global-protect-gateway current-user

admin@PA> show global-protect-gateway gateway

 Can a global-protect-gateway previous-user be deleted or removed?

@DEngelhardt, I responded to your other question on this article about the same question.