How to generate GlobalProtect VPN Reports

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to generate GlobalProtect VPN Reports

L2 Linker

Is there any way to provide reporting for GlobalProtect remote access VPN. Like for example I want a report of users who have connected in the past week, etc. How do i generate those reports?

1 accepted solution

Accepted Solutions

@bhakti1213,

So this report will really only be helpful if you are aiming to get which user logged in when. I would likely set it up so that the Culumns has the User, IP, Source Name, Device Name, Day, Count, and Source Type present (Possible Hour). Then you would control the time in which you are searching via the 'Time Frame' field when you are building the custom report. 

 

What the report should give you at the end of the day is essentially that user 'bpry' logged into globalprotect on Sun, Jun 24, 2018 a total of 3 times. Since you aren't looking at the actual GlobalProtect information that's all you'll be able to view. 

View solution in original post

20 REPLIES 20

Community Team Member

Hi @bhakti1213,

 

I found the following article about this :

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Run-a-Report-for-Previous-Logged-in-...

 

Cheers !

-Kiwi.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Will this allow me to generate the reports? Like for example a report covering a week with concurrent users per hour?

I never found any way of doing this on the PA itself.

 

I send to syslog and then run linux scripts to search files for succesful gateway auths and group them in date chunks.

 

no great detail is available but all of our departments pay for the VPN service and they like to know who is actually using it, when they used it and how often...

 

I also run scripts that use curl to call API's to monitor connections per gateway on a regular basis.

 

 

 

 

Does anyone know if there is a way to schedule GlobalVPN reports, I found a way of generating them just like the artlice shows, but is there a way to shcedule them?

Does anyone know if there is a way to schedule GlobalVPN reports, I found a way of generating them just like the artlice shows, but is there a way to shcedule them?

Not sure how you would do it with the system logs, as they aren't an option within custom reports as you've likely already found out. You could likely script something with the API to run the query and actually export the results? 

You could do the a kind of similar report simply by using the user-id logs since that is something you can actually build a Custom Report on, then you could schedule. The Query would simply be ( datasource eq vpn-client ) and you can then run a report to see which users logged in on which days. That might be enough for what you are looking for? 

Will that report telll me the pervious logged on users with ( datasource eq vpn-client )?

@bhakti1213,

Yes; the user-id logs with the ( datasource eq vpn-client) will return all users who logged in during the time period you've specified. 

Is the the only query I am suppose to put because when I run the report it does not give me that much results.  Or do I put 

 

 ( database eq vpn-client) and (receive_time in last-calendar-month)

 

aslo the user log will be trhe device user logs right?

@bhakti1213,

So this report will really only be helpful if you are aiming to get which user logged in when. I would likely set it up so that the Culumns has the User, IP, Source Name, Device Name, Day, Count, and Source Type present (Possible Hour). Then you would control the time in which you are searching via the 'Time Frame' field when you are building the custom report. 

 

What the report should give you at the end of the day is essentially that user 'bpry' logged into globalprotect on Sun, Jun 24, 2018 a total of 3 times. Since you aren't looking at the actual GlobalProtect information that's all you'll be able to view. 

Ok that is the report that I am looking for. For the Query section I should only put the query you gave me correct? And thanks for your help, greatly appericate it!!!

One last question do you know if this report can provide x number of users per hour (concurrent)

@bhakti1213,

Correct, you just need the query in the earlier post (note that I modified it as I had specified the wrong thing). This report isn't able to view concurrent number of users as it isn't reading the actual GlobalProtect data. 

Then for that do you know any way if that is possible to get that in the report, any query? This report is 95% complete just need that small thing to complete this report. Is there any way?

  • 1 accepted solution
  • 21031 Views
  • 20 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!