Ingest GlobalProtect logs to Cortex



Hi. We are ingesting data from a Palo Alto firewall that uses the GlobalProtect feature, and now we need to send the logs through a Broker VM setup. We can't use native integrations, so syslog is the only option. We get data, and I see that the dataset is palo_alto_networks_lf_raw, and I notice that it does not work with, for example, some detection rules, so it is not really used in analytics. So I created a parsing rule:

[INGEST: vendor="paloalto", product="LF", target_dataset="palo_alto_networks_lf_raw"]
filter subtype = "globalprotect"
| alter _target_dataset = "panw_ngfw_globalprotect_raw";


But it just creates a new dataset, and I don't see any detections from the GlobalProtect rules. Here is the documentation: https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-5.x-Documentation/Ingest-Next-Gener... But it does not mention GlobalProtect. So, any ideas?


Hello @T.Nurmi ,


Greetings for the day.


Ingesting GlobalProtect logs through the Broker VM Syslog collector is not officially supported for the purpose of automatic parsing and standard analytics detections.


Why Your Parsing Rule is Not Working:

The parsing rule you created simply moves raw data from one dataset name to another. However, detection rules and the Analytics engine require data to be normalized into specific fields (e.g., source user, public IP, event status) according to a predefined schema. Moving unparsed strings into panw_ngfw_globalprotect_raw does not trigger detections because the fields remain unmapped in the raw log.

Recommended Solution: Native Integration:

The only officially supported method to populate the panw_ngfw_globalprotect_raw dataset and enable associated GlobalProtect analytics/BIOCs is via the Native Next-Generation Firewall data collector (utilizing CLCS/Strata Logging Service). This method automatically handles all parsing and normalization.

Workaround: Custom CEF Format:

If you cannot use native integration, you must configure a specific Custom Log Format on your Firewall's Syslog Server Profile to ensure the Broker VM and XDR can identify the fields.

Steps:

  1. On the Firewall/Panorama, go to Device > Server Profiles > Syslog.
  2. Select your Broker VM profile and go to the Custom Log Format tab.
  3. For the GlobalProtect log type, paste the following (ensure no line breaks):


CEF:0|PANW|NGFW_CEF|$sender_sw_version|$type|$subtype|5|rt=$receive_time PanOSDeviceSN=$serial PanOSLogTimeStamp=$time_generated PanOSVirtualSystem=$vsys PanOSEventID=$eventid PanOSStage=$stage PanOSAuthMethod=$auth_method PanOSTunnelType=$tunnel_type PanOSSourceUserName=$srcuser PanOSSourceRegion=$srcregion PanOSEndpointDeviceName=$machinename PanOSPublicIPv4=$public_ip PanOSPublicIPv6=$public_ipv6 PanOSPrivateIPv4=$private_ip PanOSPrivateIPv6=$private_ipv6 PanOSHostID=$hostid PanOSDeviceSN=$serialnumber PanOSGlobalProtectClientVersion=$client_ver PanOSEndpointOSType=$client_os PanOSEndpointOSVersion=$client_os_ver PanOSCountOfRepeats=$repeatcnt PanOSQuarantineReason=$reason PanOSConnectionError=$error PanOSDescription=$opaque PanOSEventStatus=$status PanOSGPGatewayLocation=$location PanOSLoginDuration=$login_duration PanOSConnectionMethod=$connect_method PanOSConnectionErrorID=$error_code PanOSPortal=$portal PanOSSequenceNo=$seqno PanOSActionFlags=$actionflags PanOSTimeGeneratedHighResolution=$high_res_timestamp PanOSGatewaySelectionType=$selection_type PanOSSSLResponseTime=$response_time PanOSGatewayPriority=$priority PanOSAttemptedGateways=$attempted_gateways PanOSGateway=$gateway


Important Notes:

  • This format identifies the vendor as PANW and product as NGFW_CEF, which triggers the standard XDR parser.
  • Even with this format, some Behavioral Indicators of Compromise (BIOCs) or Analytics rules may still fail to trigger if they rely on enriched or stitched data only available via native integration.
  • Ensure your Broker VM Syslog Applet is set to CEF or Auto-detect.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".


Thanks & Regards,
S. Subashkar Sekar
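To make the normalization point in the reply concrete: a collector can only map fields from a record whose structure it recognizes, and the Custom Log Format above produces a CEF record whose header names the vendor (PANW) and product (NGFW_CEF) and whose extension carries the PanOS* keys. The following is an added example written for this thread, not the Cortex XDR parser or any Palo Alto Networks code. It parses a CEF line of the shape the format above emits (honouring CEF's backslash escapes), rejects a line that is not CEF, and maps a few PanOS* keys to the kind of normalized names the reply mentions (source user, public IP, event status). The sample records, the PAN-OS version string and the normalized field names are constructed for illustration and do not reflect the real XDR schema.

```python
"""Parse a PANW NGFW_CEF GlobalProtect record and show why a raw, unparsed
line yields no mappable fields. Example code for this thread; not the
Cortex XDR parser. Sample values below are constructed."""
import re
from dataclasses import dataclass, field

# Constructed: what the firewall would emit after filling in the $variables
# of the Custom Log Format above (values are made up).
SAMPLE_CEF = (
    "CEF:0|PANW|NGFW_CEF|11.1.2|GLOBALPROTECT|globalprotect|5|"
    "rt=2024/05/02 10:15:32 PanOSDeviceSN=012345678901 "
    "PanOSEventID=gateway-auth PanOSStage=login PanOSAuthMethod=LDAP "
    "PanOSSourceUserName=corp\\\\jdoe PanOSPublicIPv4=203.0.113.10 "
    "PanOSPrivateIPv4=10.20.30.40 PanOSEventStatus=failure "
    "PanOSConnectionError=Authentication failed PanOSGateway=GW-EU-1"
)
# Constructed stand-in for a default (non-CEF) comma-separated syslog line:
# the values are there but nothing tells a generic parser what they mean.
RAW_SAMPLE = (
    "1,2024/05/02 10:15:32,012345678901,GLOBALPROTECT,0,2562,"
    "gateway-auth,login,LDAP,,corp\\jdoe,203.0.113.10,,failure,GW-EU-1"
)

_HEADER_FIELDS = 7                      # CEF: version|vendor|product|devver|sigid|name|severity|ext
_KEY_RE = re.compile(r"(\w+)=")          # extension keys are word chars followed by '='

@dataclass
class CefEvent:
    version: str
    vendor: str
    product: str
    device_version: str
    signature_id: str
    name: str
    severity: str
    extensions: dict = field(default_factory=dict)

def _unescape(text, special):
    """Undo CEF escaping: '\\\\' -> '\\' and '\\<special>' -> '<special>'."""
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text) and text[i + 1] in ("\\", special):
            out.append(text[i + 1])
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)

def _split_header(line):
    """Split the seven pipe-delimited header fields, skipping escaped pipes."""
    parts, start, i = [], 0, 0
    while i < len(line) and len(parts) < _HEADER_FIELDS:
        if line[i] == "\\":              # escape pair: keep it for _unescape
            i += 2
            continue
        if line[i] == "|":
            parts.append(_unescape(line[start:i], "|"))
            start = i = i + 1
            continue
        i += 1
    if len(parts) < _HEADER_FIELDS:
        raise ValueError("not a CEF record: fewer than 7 header fields")
    return parts, line[start:]           # remainder is the extension

def _parse_extensions(ext):
    """key=value pairs; a value runs until the next 'key=' token."""
    fields = {}
    matches = list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(matches):
        end = matches[idx + 1].start() if idx + 1 < len(matches) else len(ext)
        fields[m.group(1)] = _unescape(ext[m.end():end].strip(), "=")
    return fields

def parse_cef(line):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record: missing 'CEF:' prefix")
    hdr, ext = _split_header(line)
    return CefEvent(hdr[0][len("CEF:"):], hdr[1], hdr[2], hdr[3],
                    hdr[4], hdr[5], hdr[6], _parse_extensions(ext))

def is_cef(line):
    try:
        parse_cef(line)
        return True
    except ValueError:
        return False

# Hypothetical normalized names -> PanOS* extension keys from the format above.
NORMALIZED_FIELDS = {
    "source_user": "PanOSSourceUserName",
    "public_ip": "PanOSPublicIPv4",
    "private_ip": "PanOSPrivateIPv4",
    "event_status": "PanOSEventStatus",
    "auth_method": "PanOSAuthMethod",
    "gateway": "PanOSGateway",
}

def normalize(event):
    """Only records that identify themselves as PANW/NGFW_CEF are mapped."""
    if (event.vendor, event.product) != ("PANW", "NGFW_CEF"):
        raise ValueError(f"unexpected vendor/product {event.vendor}/{event.product}")
    return {name: event.extensions.get(key) for name, key in NORMALIZED_FIELDS.items()}

if __name__ == "__main__":
    ev = parse_cef(SAMPLE_CEF)
    print(ev.vendor, ev.product, normalize(ev))
    print("raw line recognised as CEF:", is_cef(RAW_SAMPLE))
```

Running it shows the CEF record resolving to a vendor, product and a set of named fields, while the comma-separated line is rejected outright: renaming the dataset it lands in, as the parsing rule in the question does, gives the analytics engine nothing more to work with than before.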
