How to Check User Access by GlobalProtect for Specific Time Period

How to Check User Access by GlobalProtect for Specific Time Period

111892
Created On 09/25/18 17:27 PM - Last Modified 04/29/20 16:42 PM


Symptom


How to Check User Access by GlobalProtect for Specific Time Period

Environment


  • Pan-OS
  • Global Protect

Resolution


 

To see all users who accessed GlobalProtect VPN for a particular period of time, use the following CLI command:
  
> show log system eventid equal globalprotectportal-auth-succ start-time equal 2014/04/22@14:00:00 end-time equal 2014/04/22@14:12:00 csv-output equal yes
 

The output will be similar to the following:

 

Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,eventid,object,fmt,id,module,Severity,Description,seqno,actionflags

1,2014/04/22 14:11:22,007101000242,SYSTEM,globalprotect,0,2014/04/22 14:11:22,,globalprotectportal-auth-succ,portal,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 192.168.33.68, User name: gpuser, Auth type: profile.",27187,0x0
 

 

On the GUI, navigate to Monitor > Logs > System and filter using :

(eventid eq globalprotectportal-auth-succ) and (receive_time geq '2014/04/22 14:00:00') and (receive_time leq '2014/04/22 14:12:00').


The data can then be exported to CSV format.

gui.JPG

 

owner: rsreejith
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFTCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language