Palo Alto GlobalProtect VPN
Palo Alto Networks GlobalProtect VPN log events covering the full remote access lifecycle — portal prelogin, LDAP/SAML/certificate authentication, gateway configuration, IPSec tunnel establishment, HIP compliance checks, latency monitoring, and session logout.
Quick Start
```shell
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/vpn-paloalto-globalprotect/generator.yml \
  --id vpn-paloalto-globalprotect \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| portal-prelogin | Portal SSL handshake and auth method discovery | ~9.1% | network |
| portal-auth | User authenticates to GlobalProtect portal (LDAP/SAML/Certificate/RADIUS) | ~9.1% | authentication |
| portal-getconfig | Client retrieves portal configuration and gateway list | ~9.1% | configuration |
| gateway-auth | User authenticates to VPN gateway | ~12% | authentication |
| gateway-auth-failure | Failed gateway authentication attempt | ~3% | authentication |
| gateway-getconfig | Client retrieves gateway VPN configuration | ~9.1% | configuration |
| gateway-setup-ipsec | IPSec tunnel establishment between client and gateway | ~9.1% | network |
| gateway-hip-check | Host Information Profile compliance check | ~12% | security |
| gateway-tunnel-latency | Periodic pre/post-tunnel latency measurement | ~12% | network |
| gateway-config-release | Gateway pushes configuration to connected client | ~6.5% | configuration |
| gateway-logout | VPN session termination with duration tracking | ~9% | network |
Realism Features
- Weighted authentication methods (LDAP 50%, SAML 30%, Certificate 15%, RADIUS 5%)
- Correlated device fields (hostname, host ID, serial, MAC, OS platform)
- Exponential session duration distribution (mean ~4 hours)
- Gaussian latency distributions for tunnel measurements
- Multiple gateway locations with priority-based selection
- Connect method distribution (pre-logon, user-logon, on-demand, manual)
Sample Output
```json
{
  "@timestamp": "2026-03-06T09:14:32.000000+00:00",
  "event": {
    "action": "globalprotect-gateway-auth",
    "category": ["authentication", "network"],
    "dataset": "panw.globalprotect",
    "outcome": "success",
    "type": ["start"]
  },
  "source": {
    "ip": "198.51.100.87",
    "user": { "name": "jdoe", "domain": "corp.example.com" }
  },
  "observer": {
    "hostname": "PA-GP-01",
    "serial_number": "012345678901",
    "product": "PAN-OS",
    "type": "firewall",
    "vendor": "Palo Alto Networks"
  },
  "paloalto": {
    "globalprotect": {
      "virtual_sys": "vsys1",
      "auth_method": "LDAP",
      "client_os": "Windows",
      "client_version": "6.2.1",
      "connect_method": "user-logon",
      "gateway": "gw-us-east-1"
    }
  }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | PA-GP-01 | Firewall hostname |
| serial_number | 012345678901 | Firewall serial number |
| domain | corp.example.com | Corporate domain |
| virtual_sys | vsys1 | Virtual system name |
| agent_id | a1b2c3d4-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
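To show how events in the Sample Output schema above can be consumed by detection logic, here is an added Python example (not part of the content pack) that groups gateway authentication events by source IP and flags sources that reach a failure threshold and then log in successfully; the sample lines are constructed, and the `"failure"` outcome value, the failure threshold and the helper names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample lines in the schema shown under Sample Output (not generator output).
# The "failure" outcome value for the gateway-auth-failure event type is an assumption.
def _ev(ts, outcome, ip, user):
    return json.dumps({
        "@timestamp": ts,
        "event": {"action": "globalprotect-gateway-auth", "category": ["authentication", "network"],
                  "dataset": "panw.globalprotect", "outcome": outcome, "type": ["start"]},
        "source": {"ip": ip, "user": {"name": user, "domain": "corp.example.com"}},
        "paloalto": {"globalprotect": {"gateway": "gw-us-east-1", "auth_method": "LDAP"}},
    })

SAMPLE_LINES = [
    _ev("2026-03-06T09:14:32+00:00", "success", "198.51.100.87", "jdoe"),
    _ev("2026-03-06T09:15:01+00:00", "failure", "203.0.113.9", "asmith"),
    _ev("2026-03-06T09:15:07+00:00", "failure", "203.0.113.9", "bjones"),
    _ev("2026-03-06T09:15:12+00:00", "failure", "203.0.113.9", "cwu"),
    _ev("2026-03-06T09:15:40+00:00", "success", "203.0.113.9", "cwu"),
]

def parse_lines(lines):
    """Parse newline-delimited JSON events, keeping only authentication events."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if "authentication" in ev.get("event", {}).get("category", []):
            events.append(ev)
    return events

def auth_summary(events):
    """Per source IP: failure count, distinct users tried, and whether a success followed failures."""
    summary = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failure": False})
    # Timestamps share one format, so lexical order equals chronological order here.
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        entry = summary[ev["source"]["ip"]]
        if ev["event"]["outcome"] == "success":
            if entry["failures"] > 0:
                entry["success_after_failure"] = True
        else:
            entry["failures"] += 1
            entry["users"].add(ev["source"]["user"]["name"])
    return summary

def flag_sources(events, max_failures=3):
    """Return source IPs that hit the failure threshold and then authenticated successfully."""
    return sorted(ip for ip, entry in auth_summary(events).items()
                  if entry["failures"] >= max_failures and entry["success_after_failure"])
```

The per-source user set is kept so an analyst can tell a single user retyping a password apart from one address cycling through many accounts.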
Related Generators
Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.