This FAQ is about the feature described here .     Is this feature available for Prisma Access and NGFW customers?   GlobalProtect App Log Collection is available for Prisma Access customers using 1.8 Plugin and above. It will be available soon for NGFW customers.     What platforms is this feature available for?   Windows, macOS, Linux, Android, and iOS.     Are there any OS specific limitations?   Navigate to the App Access Performance section in this document to view.     Is this feature enabled by default for all users?    Administrator has to enable this feature by setting “Enable App Log for Troubleshooting” to “Yes.” For a full list of prerequisites, visit here .     Can I enable this setting for a specific user group before doing a company-wide deployment?   Since this is available as a portal client app configuration, it can be applied to a user/user group allowing administrators to test with a small user group before attempting a company-wide deployment.     Do I have to download another certificate to secure communications between GlobalProtect on the endpoint and the Cortex Data Lake Instance?   Yes, administrators will be able to download the certificate using CLI in Prisma Access 1.8 Plugin. With Prisma Access 2.0 Innovation Plugin, administrators will be able to download the certificate using the Cloud Services plugin UI. For Prisma Access Tenants, the certificate will get downloaded to Mobile_User_Template and Location “Shared.” With NGFW deployments, admin can choose a template/template stack to download to, that the portal configuration is a part of.     Is there a diagram that explains how this works?   Admin requests the certificate from Panorama using Cloud Services Plugin 1.8 (using CLI) / 2.0 Innovation Plugin (using UI). Only innovation plugin would support the UI to generate and download the certificate. Certificate is downloaded to Panorama cert Store (1.8), Mobile_User_Template (Prisma Access Deployment), or template/template stack of admin’s choosing in case of NGFW. Admin decides to push the certificate via portal configuration. GlobalProtect authenticates with the portal GlobalProtect downloads the certificate  Whenever user has authentication, network, or connectivity issues, user reports using the GlobalProtect App These logs would be made available on Explore App     What do the logs contain? How different is it from the manual collection of logs?   Logs contain troubleshooting and diagnostics data improving the overall quality of information and presented in an easy-to-read format enhancing administrator’s ability to quickly troubleshoot connectivity, authentication, and performance issues. Troubleshooting logs contain information specific to portal and gateway connectivity, and the network state of the endpoint. Diagnostics data contains data related to the Endpoint State, Gateway Network Impairments, GlobalProtect App Health, and App Access Performance. It is worth noting that the debug log bundle (collected manually via Troubleshooting tab on GlobalProtect or via Explore App) will also contain troubleshooting and diagnostic logs. What information do each of the above troubleshooting and diagnostics tests contain?   For a full list, navigate here . Are the diagnostic tests done with/without GlobalProtect tunnel?   Yes, the Diagnostic Network Latency measurement tests are done once via GlobalProtect and once via physical adapter for administrators to compare and contrast what the latency measurements between endpoint and destination urls look like across the different interfaces.     Where are the logs sent?   Logs reported by end-users are sent to the customer’s Cortex Data Lake tenant and these logs are made available via the Explore App. Can the GlobalProtect App Troubleshooting logs be forwarded from Cortex Data Lake?   Log-forwarding is currently not supported. Coming soon in a future release. ... View more

Enabling 100% uptime and seamless secure access to business applications is a critical necessity for businesses today. COVID-19 has only accentuated this need with more working remotely through the pandemic. Yet IT organizations struggle on a daily basis to support a seamless digital experience for their remote users.   Various challenges plague the IT supportability of remote access solutions in the industry today.   When a remote user runs into connection issues, the IT Admin has no visibility on what is happening on the endpoint and has to involve the user in a complex and time-taking troubleshooting process. When a remote user complains their connection is slow or a business application is not working reliably, the IT admin has no ability to quickly diagnose the performance issues resulting in a frustrating user experience and impacting business productivity. When a remote user has issues accessing specific applications, the IT administrator has to engage in a time-consuming end-to-end troubleshooting processes to trace and resolve issues.   What stands out amongst the above pain points is the elongated admin-end user troubleshooting sessions hindering workforce productivity. With more of the general workforce being remote and supporting 100% seamless access for these end-users becoming a top priority for IT teams, Palo Alto Networks is proud to present the GlobalProtect App Log Collection capability geared towards superior IT supportability.   Starting GlobalProtect 5.2.5 App and above, and the Prisma Access 1.8 Plugin and above, administrators can enable GlobalProtect App Log Collection from Panorama to troubleshoot a range of issues including connectivity, performance, and authentication. End-users no longer have to resort to manually collecting logs and use an out-of-band channel like cloud drive to share the logs with their administrator. At the click of a button, end-users can send logs on-demand in an easy-to-read format to the customer’s Cortex Data Lake instance. These logs will be made available on the Explore App. Flexible Framework enables end-users to send logs when they are facing connectivity or authentication error scenarios on GlobalProtect or finding it difficult to load an application on the browser. Logs available on the Explore App will contain a combination of troubleshooting and diagnostics data, when stitched together empower the administrator to easily root cause the issue.     Administrator makes a request to obtain certificate required for establishing mTLS between Cortex Data Lake and GlobalProtect on employee’s endpoint Prisma Access fetches the certificate and stores in Mobile User Template GlobalProtect successfully authenticates with Prisma Access portal  GlobalProtect downloads the certificate required for mTLS session between Cortex Data Lake and itself When user reports an issue, GlobalProtect sends troubleshooting and/or diagnostic logs to a Cortex Data Lake instance Administrator can view the logs using Explore App   On the Explore App, Troubleshooting logs give the administrator access to the following sections: Portal, Gateway, and the Network State the endpoint is connected to. For a full list of key-value pairs, visit the following link. When an end-user wants to report an issue, troubleshooting logs are sent by default. Some of the questions that troubleshooting logs answer are the following:    What authentication profile was used to  authenticate against the portal/gateway? What is the split-tunnel configuration on the endpoint: Access Route/App/Domain? Is the SSL Certificate for portal/gateway valid? What protocol was used for the tunnel? Why was there a fallback from IPSec to SSL?   If needed, in addition, end-users can run GlobalProtect built-in diagnostics and share the logs with the administrator.    Employee productivity and user experience are central to the design of this feature. Access to applications in an Internal DC or in the cloud are essential to making sure employees stay productive and have a good overall digital experience. GlobalProtect can be configured to  conduct diagnostic tests against Internal and/or cloud applications deemed critical to employee productivity by the IT team. As an administrator, you’d like to not only know what the network latency measurements look like when GlobalProtect is turned on but compare and contrast it against the physical adapter network measurements. Following are the network measurement diagnostic tests conducted on these applications that are essential to providing a comprehensive picture about your employee’s digital experience.   Apart from the network diagnostics, GlobalProtect can run a whole slew of tests and provide necessary information like GlobalProtect App Health, Gateway Network Impairments, and Endpoint State. This adds a layer of clarity helping administrator zero in on the issue as quickly as possible.   Once these logs are sent by end-user, administrators can take advantage of easy on the eye Explore App to: search issues by column names like username or reportID etc find patterns around common issues reported by end-users download debug log bundle per issue   GlobalProtect App Log Collection will co-exist with the manual collection of logs, a troubleshooting feature that’s supported on GlobalProtect since 4.1. Since GlobalProtect App Log Collection can be enabled at a user group level, administrators during a PoC, can make this available to a small group of users before rolling it out to production. With this, it is possible for administrators to easily zero in on connection, authentication, and performance issues and ensure employees stay productive during any stage of the deployment.    The inclusion of GlobalProtect App Log Collection to bolster IT supportability and user experience makes GlobalProtect, a core component of Palo Alto Networks’ offering an even more compelling, industry-leading, ZTNA product.   For a list of prerequisites, click here. ... View more