Which Windows Terminal Service events does GlobalProtect track to manage user sessions?
Created On 05/15/25 09:35 AM - Last Modified 08/15/25 20:29 PM
Question
What are the event types recorded in PanGPS.log, and which of these events correspond to Windows Terminal Events?
#pangps
(P5104-T5108)Debug( 348): Received session change, event type 6, session 1
(P5104-T5108)Debug( 348): Received session change, event type 2, session 1
(P5104-T5108)Debug( 348): Received session change, event type 4, session 2
(P5104-T5108)Debug( 348): Received session change, event type 1, session 2
(P5104-T5108)Debug( 348): Received session change, event type 5, session 2
(P5104-T5108)Debug( 348): Received session change, event type 7, session 2
(P5104-T5108)Debug( 348): Received session change, event type 8, session 2
(P5104-T5108)Debug( 348): Received session change, event type 7, session 2
(P5104-T5108)Debug( 348): Received session change, event type 8, session 2
Environment
- GlobalProtect App
- Windows clients
- Windows Terminal Services (WTS)
Answer
- GlobalProtect relies on Windows Terminal Services (WTS), which tracks changes in the user's session state, to handle the corresponding states within the app (such as disconnect, reconnect, switch-off, etc.).
- Windows Event Viewer records these events; they can be viewed at Event Viewer > Applications and Services Logs > Microsoft > Windows > TerminalServices.
- The events and their hex codes are as follows:
| Event | Hex code | Description |
| --- | --- | --- |
| WTS_CONSOLE_CONNECT | 0x1 | A user has connected to the console session |
| WTS_CONSOLE_DISCONNECT | 0x2 | A user has disconnected from the console session |
| WTS_REMOTE_CONNECT | 0x3 | A user has connected to the remote session |
| WTS_REMOTE_DISCONNECT | 0x4 | A user has disconnected from the remote session |
| WTS_SESSION_LOGON | 0x5 | A user has logged on to the session |
| WTS_SESSION_LOGOFF | 0x6 | A user has logged off from the session |
| WTS_SESSION_LOCK | 0x7 | A session has been locked |
| WTS_SESSION_UNLOCK | 0x8 | A session has been unlocked |
| WTS_SESSION_REMOTE_CONTROL | 0x9 | A session has been remotely controlled |
| WTS_SESSION_CREATE | 0xa | A session has been created |
| WTS_SESSION_TERMINATE | 0xb | A session has been terminated. |
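An added example (not from the original article or from Palo Alto Networks): a small Python decoder that maps the "event type" numbers in PanGPS.log "Received session change" lines to the WTS names in the table above and groups them per session. The function names and sample lines are constructed for illustration, and the line layout is assumed from the excerpts on this page.

```python
import re
from collections import defaultdict

# WTS session-change codes 0x1..0xb, in the order of the table above.
WTS_EVENTS = dict(enumerate((
    "WTS_CONSOLE_CONNECT", "WTS_CONSOLE_DISCONNECT",
    "WTS_REMOTE_CONNECT", "WTS_REMOTE_DISCONNECT",
    "WTS_SESSION_LOGON", "WTS_SESSION_LOGOFF",
    "WTS_SESSION_LOCK", "WTS_SESSION_UNLOCK",
    "WTS_SESSION_REMOTE_CONTROL", "WTS_SESSION_CREATE",
    "WTS_SESSION_TERMINATE",
), start=1))

# Matches lines with or without the "MM/DD/YY HH:MM:SS:mmm" timestamp.
LINE_RE = re.compile(
    r"^\(P\d+-T\d+\)\w+\s*\(\s*\d+\):\s*"
    r"(?:(?P<ts>\d\d/\d\d/\d\d \d\d:\d\d:\d\d:\d{3})\s+)?"
    r"Received session change, event type (?P<code>\d+), session (?P<sid>\d+)"
)

def decode_session_changes(lines):
    """Return (timestamp or None, session id, code, WTS name) per matching line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # some other PanGPS.log line, not a session change
        code = int(m["code"])
        # Codes outside the table are kept and flagged rather than dropped.
        name = WTS_EVENTS.get(code, f"UNKNOWN_0x{code:x}")
        out.append((m["ts"], int(m["sid"]), code, name))
    return out

def timeline_by_session(lines):
    """Group decoded event names per session id, in log order."""
    sessions = defaultdict(list)
    for _ts, sid, _code, name in decode_session_changes(lines):
        sessions[sid].append(name)
    return dict(sessions)

# Constructed sample in the PanGPS.log format shown on this page;
# the last line uses a code that is not in the table, to show the fallback.
SAMPLE = """\
(P5104-T5108)Debug( 348): 06/03/25 22:49:09:215 Received session change, event type 6, session 1
(P5104-T5108)Info (1536): 06/03/25 22:49:09:215 User domainX\\userX logs off on session 1
(P5104-T5108)Debug( 348): Received session change, event type 4, session 2
(P5104-T5108)Debug( 348): 06/04/25 14:22:49:960 Received session change, event type 5, session 2
(P5104-T5108)Debug( 348): Received session change, event type 12, session 2
""".splitlines()
```

Calling `timeline_by_session(SAMPLE)` gives the ordered event names for each session, which makes a lock/unlock or logon/logoff sequence readable without looking up each code.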
Additional Information
- In the example log below, "event type 5" is received on session 2, which depicts a "user logging in after entering credentials".
- The log lines that follow show the events that lead to a socket being established and then to the start of Portal Processing.
(P5104-T5108)Debug( 348): 06/04/25 14:22:49:960 Received session change, event type 5, session 2
(P5104-T5108)Debug(1426): 06/04/25 14:22:49:960 Previous user count is 0
(P5104-T5108)Debug(1428): 06/04/25 14:22:49:960 First logon user.
(P5104-T5108)Debug(1482): 06/04/25 14:22:49:960 Session 2, username userX.
(P5104-T5108)Debug(1491): 06/04/25 14:22:49:960 Session 2, domain name domainX.
(P5104-T5108)Debug( 41): 06/04/25 14:22:49:960 Roaming profile is false
(P5104-T5108)Debug( 235): 06/04/25 14:22:49:991 Failed to get active PanGPA or explorer pid.
(P5104-T5108)Debug( 242): 06/04/25 14:22:51:578 get impersonate explorer pid.
(P5104-T5108)Debug( 167): 06/04/25 14:22:51:578 profileInfo username userX, profile path (null), server (null)
(P5104-T5108)Debug(4028): 06/04/25 14:22:51:593 CPanMSServiceWin::IsGpDisabledForCurUser() - bGpIsDisabled=0.
(P5104-T5108)Debug(13312): 06/04/25 14:22:51:593 IsGpDisabledForCurUser returns no
(P5104-T5108)Info (1526): 06/04/25 14:22:51:593 User domainX\userX logs in on session 2
(P5104-T6540)Info ( 202): 06/04/25 14:23:36:255 New Connection(127.0.0.1:54950) with socket(12676)
(P5104-T6540)Debug( 349): 06/04/25 14:23:36:255 Socket is connected by C:\Program Files\Palo Alto Networks\GlobalProtect\PanGPA.exe
(P5104-T6540)Debug(2590): 06/04/25 14:23:36:470 User just logs in
(P5104-T6540)Info ( 531): 06/04/25 14:23:36:470 msgtype = hello
(P5104-T6540)Debug(2001): 06/04/25 14:23:36:471 Send response to client for request hello
(P5104-T6540)Info ( 531): 06/04/25 14:23:37:017 msgtype = portal
(P5104-T6540)Debug(2679): 06/04/25 14:23:37:017 ----Portal Processing starts----
- Another example shows event type 6 on session 1, which depicts a user logging off.
- The log lines that follow show all threads being stopped and log-out from the GlobalProtect Gateways being triggered.
(P5104-T5108)Debug( 348): 06/03/25 22:49:09:215 Received session change, event type 6, session 1
(P5104-T5108)Info (1536): 06/03/25 22:49:09:215 User domainX\userX logs off on session 1
(P5104-T5108)Debug(4778): 06/03/25 22:49:09:215 User controlled prelogon is not enabled
(P5104-T5108)Debug(1555): 06/03/25 22:49:09:215 User logs off. ResetServer.
(P5104-T5108)Info (11302): 06/03/25 22:49:09:215 Reset server.
(P5104-T5108)Debug(7198): 06/03/25 22:49:09:215 StopThreads starts:
(P5104-T5108)Debug(7205): 06/03/25 22:49:09:215 There are 5 threads running...
(P5104-T5108)Debug(1394): 06/03/25 22:49:09:215 Logging out gateway, reason is StopThreads
(P5104-T10044)Debug(6556): 06/03/25 22:49:09:215 HipReportThread: got exit event.
(P5104-T10044)Debug(6812): 06/03/25 22:49:09:215 HipReportThread: HipReportThread quits.
(P5104-T4668)Debug(6969): 06/03/25 22:49:09:215 NetworkConnectionMonitorThread: got exit event.
(P5104-T4668)Debug(6984): 06/03/25 22:49:09:215 NetworkConnectionMonitorThread: quits.
(P5104-T13084)Debug(4744): 06/03/25 22:49:09:215 LifeTimeThread receives thread quit event
(P5104-T13084)Debug(4769): 06/03/25 22:49:09:215 LifeTimeThread quits