Is it possible that you aren't logging the rule associated with the traffic? facebook-base is pretty easily identified on the firewall even if the traffic isn't being decrypted, so if you aren't seeing anything I'd assume that it either isn't being logged or nobody is actually visiting the site.
The matching rule would need to be configured to not log the traffic. You'd have to look at the rule that would allow Facebook traffic and ensure that it's set up to log properly. You can test the traffic against your rulebase using the 'Test Security Policy Match' feature in the GUI from your Security policies page, or use the 'test security-policy-match' command via the CLI.
There should be no reason outside of the matching policy being set to not log that specifically Facebook wouldn't show up in your traffic logs.
If the security policy is set up to log and it's not logging Facebook, and it's only happening on VPN traffic, are you potentially sending the traffic out locally? I'd review that you don't have anything configured in GlobalProtect's agent config to only send internal routes through GlobalProtect or have otherwise excluded the Facebook domains as an excluded domain.
I figured out that the issue is caused by the fact that we are using Duo MFA and the user in Duo MFA is different from what is in the AD user group applied to the rule, so that is why any user works, and I was looking for the wrong user in the log, so that is why I did not see it. I added an alias in Duo that matches the AD username, but it still didn't work. Any idea?