PA – How to get listing of GlobalProtect users

To create an exportable report for previous logged in users, in monitor/logs/system logs and filter on:

(eventid eq globalprotectportal-config-succ) and (receive_time in last-calendar-month)

In order to collect info about login/logout user information, we need to pull reports from system log.

to collect activity report for particular global-protect user set the filter as
( subtype eq globalprotect ) and ( description contains ‘Name of the user’ )

to view only login info, add additional filter ( description contains ‘user login’)
Similar for user logout, use ‘user logout’

From CLI:
>show global-protect-gateway current-user
for ESP = GP is using IPSec; for SSL = GP is using SSL

>show global-protect-gateway previous-user

or for particular username:
>show global-protect-gateway current-user gateway “gatewayName”
>show global-protect-gateway previous-user gateway “gatewayName”

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Run-a-Report-for-Previous-Logged-in-GlobalProtect-Users/ta-p/52846

 

Advertisements