https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496099#M11327 <P>With everyone working remotely nowadays, does anyone want to share their content on what a good PAN Global Protect dashboard could look like? <BR />I know there's the Palo Alto Networks app that relies on the PAN data model, for those of us that don't use that app:<BR />What panels do you like to have on your dashboard? <BR />What's your favorite visualization for VPN connections? <BR />Does anyone have some good SPL around duration time and data transferred during a session?</P> <P>Just so it doesn't seem like I'm asking someone to build me a dashboard. <BR />My panels contain "Total number of users connected today", "Number of users connect to each gateway", " Number of users per department connected to VPN"</P> <P>Also, when is Palo Alto going to parse out the whole VPN event (OS, host, etc) that they dump into the system logs?</P> <P>Thanks in advance.</P> Sun, 07 Jun 2020 17:18:26 GMT TheSplunkDude 2020-06-07T17:18:26Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496099#M11327 <P>With everyone working remotely nowadays, does anyone want to share their content on what a good PAN Global Protect dashboard could look like? <BR />I know there's the Palo Alto Networks app that relies on the PAN data model, for those of us that don't use that app:<BR />What panels do you like to have on your dashboard? <BR />What's your favorite visualization for VPN connections? <BR />Does anyone have some good SPL around duration time and data transferred during a session?</P> <P>Just so it doesn't seem like I'm asking someone to build me a dashboard. <BR />My panels contain "Total number of users connected today", "Number of users connect to each gateway", " Number of users per department connected to VPN"</P> <P>Also, when is Palo Alto going to parse out the whole VPN event (OS, host, etc) that they dump into the system logs?</P> <P>Thanks in advance.</P> Sun, 07 Jun 2020 17:18:26 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496099#M11327 TheSplunkDude 2020-06-07T17:18:26Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496100#M11328 <P>Yes! this is exactly what I am struggling with.. I am trying to build something but so far no luck...</P> Tue, 17 Mar 2020 13:49:21 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496100#M11328 pastorlibre 2020-03-17T13:49:21Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496101#M11329 <P>My team has actually been working on this. Not sure if anyone has made progress. We could probably share what we have thrown together. One issue we ran into is we are running PanOS 7.1, 8.1 and 9.1. And 9.1 hosts some of our VPN Gateways. PanOS 9, introduced new Global Protect logging that the Splunk Palo app; doesn't extract. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 23 Apr 2020 15:10:20 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496101#M11329 mikesaia 2020-04-23T15:10:20Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496102#M11330 <P>If you could share anything that would be awesome.. We built something but it's not really the most ideal as it is a rolling 12 hour number and not really current</P> Thu, 23 Apr 2020 17:12:55 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496102#M11330 pastorlibre 2020-04-23T17:12:55Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496103#M11331 <P>I'd be keen on seeing what you have as well, and contributing to its development.<BR /> I have actually started looking into changing the GP VPN dash (VPN Ops) in this app to display what it already has, but without the underlying data model that it uses from the Palo App. <BR /> Remote Work Insights. <A href="https://splunkbase.splunk.com/app/4952/+">https://splunkbase.splunk.com/app/4952/</A> </P> Thu, 23 Apr 2020 22:28:30 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496103#M11331 markhill1 2020-04-23T22:28:30Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496104#M11332 <P>If there are any snippets you can share, I'd be grateful. The one thing I haven't sorted out yet is how to create a "duration" report so my boss can see how long people are connecting for. I'm a one man Splunker in a small gov entity so I just haven't the time to really dig into building my own searches like this.</P> Thu, 30 Apr 2020 17:35:49 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496104#M11332 dking8921 2020-04-30T17:35:49Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496105#M11333 <P>Not a dashboard but here is something that I am running. Basically if they are on vpn and have an entry I give them credit for an hour. Then I pass that along to AD to get some information like department based on Ad info. Nice way to see who really is on vpn or not</P> <P>index="paloalto" src_zone=globalprotect action=success | eval hour_min=strftime(_time, "%D %H:00") | table hour_min , user, dvc_name src_ip | eval user=mvindex(split(user,"\"),-1) | rename hour_min as Time dvc_name as "Palo Alto Device" src_ip as vpn_ip | dedup user, Time|ldapfilter domain=default search="(sAMAccountNAme=$user$)" attrs="displayName,StreetAddress,Department,name" | table Time, "Palo Alto Device", vpn_ip, displayName, department, streetAddress, user , name,</P> Wed, 30 Sep 2020 05:19:51 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496105#M11333 elhugohefner 2020-09-30T05:19:51Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496106#M11334 <P>I tried running this command (with my correct index) and I just get zero matches no matter the length of time I put in. I have the LDAP add on and the Palo Alto App, is there anything else I need to do to use this? Thanks for sharing.</P> <P>Is this using the new GlobalProtect categories on 9.1.x? I didn't upgrade to that yet, maybe that's why.</P> Thu, 07 May 2020 20:49:09 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496106#M11334 dking8921 2020-05-07T20:49:09Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496107#M11335 <P>Check where the ldapfilter domain has your correct configuration in the ldap config on your search head. <BR /> |ldapfilter domain=(yourdefined connector)</P> <P>Here is the link to get you the info to put in after the = </P> <P><A href="https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/ConfiguretheSplunkSupportingAdd-onforActiveDirectory">https://docs.splunk.com/Documentation/SA-LdapSearch/3.0.1/User/ConfiguretheSplunkSupportingAdd-onforActiveDirectory</A></P> Thu, 07 May 2020 22:33:48 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496107#M11335 elhugohefner 2020-05-07T22:33:48Z https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496108#M11336 <P><CODE>sAMAccountName</CODE> is correct.<BR /> typo?</P> <P>please check line by line.</P> Thu, 07 May 2020 23:26:12 GMT https://community.splunk.com/t5/Security/Palo-Alto-Globalprotect-VPN-Dashboards/m-p/496108#M11336 to4kawa 2020-05-07T23:26:12Z