PaloAlto Networks Datamodel issues with GlobalProtect

bseppanen1
Engager

We are currently running the latest PaloAlto Add On and App version 6.5.

With an update from PanOS 9.0 to 9.1, the logging in the Palo Alto firewalls specific to the GlobalProtect VPN has changed. The App/Add-On data model acceleration refers to data in system->globalprotect. The GlobalProtect logging is no longer a subset of the system logging. None of the apps for categorizing VPN logins (RWI - Executive Dashboard, PaloAlto Networks App) will properly display VPN data. Data that used to be available is no longer visible without digging and trying to set up the query each time, because the update to the logging has changed so significantly.

I've attempted to rebuild one report. If I refer to nodename as simply "log" I can extract the data, but I get an error in the dashboard that it also is creating events, the error being that a post-process search cannot contain a generating command.

| tstats summariesonly=t latest(log.event_id) AS latest_event, values(log.agent_message) AS log.agent_message, values(log.src_ip) AS log.src_ip, count FROM datamodel="pan_firewall" WHERE nodename="log.globalprotect" groupby _time log.event_id log.user
| rename log.* as * | where event_id="gateway-register" OR event_id="gateway-logout" | search latest_event="gateway-register" | stats count(count) by user | table user


| tstats summariesonly=t latest(log.event_id) AS latest_event, values(log.agent_message) AS log.agent_message, values(log.src_ip) AS log.src_ip, count FROM datamodel="pan_firewall" WHERE nodename="log.system.globalprotect" groupby _time log.event_id log.user
| rename log.* as * | where event_id="globalprotectgateway-regist-succ" OR event_id="globalprotectgateway-logout-succ" | search latest_event="globalprotectgateway-regist-succ" | stats count(count) by user | table user

So it is a known issue that the upgrade breaks GlobalProtect logging, and the support documents no longer refer to GlobalProtect logging.

Will there be any attempt to allow those people running a recent version of PanOS and GlobalProtect to make use of dashboards that categorize VPN logins appropriate to CIM4? This has apparently been a known issue for some time.

It's close to a year since https://community.splunk.com/t5/All-Apps-and-Add-ons/PAN-OS-9-1-1-Breaks-Data-Model/m-p/494113

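The "post-process search cannot contain a generating command" error above comes from placing `| tstats` in a panel that has a base search; tstats must be the base search itself, with only non-generating commands in the post-process. The Simple XML below is an added example (not the poster's dashboard or the Palo Alto app's own code) showing that split; it assumes the `pan_firewall` node name and the `globalprotectgateway-*-succ` event_id values quoted in the post, which should be confirmed against the accelerated model before use.

```xml
<dashboard>
  <label>GlobalProtect users currently registered (added example)</label>
  <!-- Base search: tstats is a generating command, so it lives here and
       never in a post-process search. Node name and event_id values are
       the ones quoted in the post (assumption); list the real node names
       of your accelerated model with:
         | tstats count FROM datamodel=pan_firewall BY nodename
       If the 9.1 GlobalProtect events are no longer mapped under
       log.system.globalprotect, use nodename=log as the poster did. -->
  <search id="gp_base">
    <query>
      | tstats summariesonly=t latest(log.event_id) AS latest_event, count
        FROM datamodel=pan_firewall
        WHERE nodename=log.system.globalprotect
          (log.event_id="globalprotectgateway-regist-succ"
           OR log.event_id="globalprotectgateway-logout-succ")
        BY log.user
    </query>
    <earliest>-24h@h</earliest>
    <latest>now</latest>
  </search>
  <row>
    <panel>
      <title>Users whose latest GlobalProtect event is a successful gateway registration</title>
      <table>
        <!-- Post-process: only filtering and formatting commands applied to
             the base search's results, so no generating-command error. -->
        <search base="gp_base">
          <query>
            | rename log.user AS user
            | where latest_event="globalprotectgateway-regist-succ"
            | table user count
          </query>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

Because the base search is transforming (it returns one row per user rather than raw events), it also stays clear of the event-count limit that applies to non-transforming base searches.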