I am trying to create a weekly comprehensive GP VPN report.
I want it grouped by users and sorted by activity time.
For that I have created a custom report with ( eventid eq gateway-logout ) as the query and "Last Calendar Week" as the time frame.
Now I am trying to set the sort and group-by, BUT I cannot set "generated-time" as the sort and, even worse, the group-by selection is limited to 50, so the final report is limited to the first 50 users ... which is not close to the actual list of GP users.
I would appreciate some help with this.
So, using the Device GlobalProtect Log, the choice to "sort by" and device generated is not available.
There is limited support in what the LiveCommunity would be able to do.
I am not sure what exact columns you are choosing, but I am messing with the different views and have over 500 hits in my report for when user logged in. You may be best to screen capture and upload the exact report, what columns you are using and we can try to find something that may work. All trial and error.
You may want to contact your PANW SE and open a FR ticket (Feature Request).
Well, I have fiddled with this for a while... trying any other sort/group combination (yours above included ... BTW the "users" field doesn't return what one would expect but rather the user count attached to the activity which in the case of VPN is always 1) but none provides the requested format
The problem is there is a design limit of the group-by to maximum 50 (why??)
So either I don't set the group-by at all
And get a "log" style report (not even sorted by time), export it as csv and use some other sw tool to sort/group and produce a readable PDF...
Or add the group-by source/user that shrinks the sort to a 500 records max and even more problematic the group (i.e. VPN users) to a maximum of 50... dumping/ignoring all the rest
The resultant limited report now still isn't sorted by time but at least it is grouped by users
Just to clarify:
The ungrouped report returns 2493 records (or a 41-page PDF).
The group-by report returns only 891 records (or a 15-page PDF).
In any case both reports are useless
I would highly recommend forwarding these logs to something like Graylog or Splunk and building these sorts of reports there. The firewall's reporting capabilities leave quite a bit to be desired in this regard, and you won't have nearly the same limitations with something like Graylog.
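The CSV route mentioned in the thread (export the ungrouped report, then group and sort outside the firewall), sketched as an added example that is not part of any post above. The column names `generated-time`, `srcuser`, `eventid` and `login-duration`, the timestamp format and the sample rows are assumptions constructed for illustration; match them to the header of the real export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

TIME_FORMAT = "%Y/%m/%d %H:%M:%S"  # assumed timestamp layout of the export

# Constructed sample rows standing in for the exported custom report.
SAMPLE_CSV = r"""generated-time,srcuser,eventid,login-duration
2024/05/06 09:15:02,corp\alice,gateway-logout,3600
2024/05/07 18:40:11,corp\bob,gateway-logout,1200
2024/05/06 08:01:45,corp\bob,gateway-logout,5400
2024/05/08 12:00:00,corp\alice,gateway-connected,0
2024/05/09 07:30:30,,gateway-logout,60
2024/05/08 22:10:09,CORP\Alice,gateway-logout,900
"""

def build_report(csv_text, event="gateway-logout"):
    """Group logout records by user (no 50-group cap), sessions sorted by time."""
    groups = defaultdict(list)
    skipped = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["eventid"] != event:
            continue
        # Normalise case so CORP\Alice and corp\alice land in one group.
        user = row["srcuser"].strip().lower()
        try:
            when = datetime.strptime(row["generated-time"], TIME_FORMAT)
            duration = int(row["login-duration"])
        except ValueError:
            user = ""  # unparseable row: count it instead of dropping silently
        if not user:
            skipped += 1
            continue
        groups[user].append((when, duration))
    report = []
    for user, sessions in groups.items():
        sessions.sort()  # chronological order within each user
        report.append({"user": user, "sessions": sessions,
                       "total_seconds": sum(d for _, d in sessions),
                       "last_seen": sessions[-1][0]})
    # Users with the most recent activity first.
    report.sort(key=lambda r: r["last_seen"], reverse=True)
    return report, skipped

if __name__ == "__main__":
    rows, skipped = build_report(SAMPLE_CSV)
    for r in rows:
        print(r["user"], r["last_seen"], r["total_seconds"], len(r["sessions"]))
    print("skipped rows:", skipped)
```

Rows with an empty user or an unparseable time or duration are counted in `skipped` rather than silently discarded, so the total can be reconciled against the record count of the export.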