How to generate a comprehensive GlobalProtect VPN Reports

cancel
Showing results for 
Search instead for 
Did you mean: 

How to generate a comprehensive GlobalProtect VPN Reports

L0 Member

Hi

 

I am trying to create a weekly comprehensive GP VPN Report

I want it grouped by users and sorted by activity time

 

For that I have created a custom report with ( eventid eq gateway-logout ) as query and "Last Calendar Week" as time frame

Now I am trying to set the sort and group-by BUT I cannot set the "generated-time" as sort and even worse the group-by selection is limited to 50 so the final report is limited to the first 50 users ... which is not close to the actual list of GP users

 

I would appreciate some help with this

 

Thx

3 REPLIES 3

Cyber Elite
Cyber Elite

Howdy

So, using the Device GlobalProtect Log, the choice to "sort by" and device generated is not available.

SteveCantwell_0-1628189525168.png

 

 

 

There is limited support in what the LiveCommunity would be able to do.

 

I am not sure what exact columns you are choosing, but I am messing with the different views and have over 500 hits in my report for when user logged in. You may be best to screen capture and upload the exact report, what columns you are using and we can try to find something that may work.  All trial and error. 

 

You may want to contact your PANW SE and open a FR ticket (Feature Request).

 

Good Luck.

Help the community: Like helpful comments and mark solutions

Hi Steve

 

Well, I have fiddled with this for a while... trying any other sort/group combination (yours above included ... BTW the "users" field doesn't return what one would expect but rather the user count attached to the activity which in the case of VPN is always 1) but none provides the requested format

 

The problem is there is a design limit of the group-by to maximum 50 (why??)

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-reports/custom-...

 

So either I don't set the group-by at all

Admin4Ceva_0-1628252162146.png

And get a "log" style report (not even sorted by time), export it as csv and use some other sw tool to sort/group and produce a readable PDF...

 

Or add the group-by source/user that shrinks the sort to a 500 records max and even more problematic the group (i.e. VPN users) to a maximum of 50... dumping/ignoring all the rest

Admin4Ceva_1-1628252544669.png

The resultant limited report now still isn't sorted by time but at least it is grouped by users

Just to clarify:

The ungrouped report returns 2493 records (or a 41 pages PDF)

the group-by report returns only 891 records (or a 15 pages PDF)

 

In any case both reports are useless

Cyber Elite
Cyber Elite

@Admin4Ceva,

I would highly recommend forwarding these logs to something like Graylog or Splunk and building these sorts of reports there. The firewalls reporting capabilities leaves quite a bit to be desired in this regard where you won't have near the same limitations through something like Graylog. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!