How to Check User Access by GlobalProtect for Specific Time Period
111892
Created On 09/25/18 17:27 PM - Last Modified 04/29/20 16:42 PM
Symptom
How to Check User Access by GlobalProtect for Specific Time Period
Environment
- Pan-OS
- Global Protect
Resolution
To see all users who accessed GlobalProtect VPN for a particular period of time, use the following CLI command:
> show log system eventid equal globalprotectportal-auth-succ start-time equal 2014/04/22@14:00:00 end-time equal 2014/04/22@14:12:00 csv-output equal yes
The output will be similar to the following:
Domain,Receive Time,Serial #,Type,Threat/Content Type,Config Version,Generate Time,Virtual System,eventid,object,fmt,id,module,Severity,Description,seqno,actionflags 1,2014/04/22 14:11:22,007101000242,SYSTEM,globalprotect,0,2014/04/22 14:11:22,,globalprotectportal-auth-succ,portal,0,0,general,informational,"GlobalProtect portal user authentication succeeded. Login from: 192.168.33.68, User name: gpuser, Auth type: profile.",27187,0x0
On the GUI, navigate to Monitor > Logs > System and filter using :
(eventid eq globalprotectportal-auth-succ) and (receive_time geq '2014/04/22 14:00:00') and (receive_time leq '2014/04/22 14:12:00').
The data can then be exported to CSV format.
owner: rsreejith