Palo Alto Next-Gen Firewall compatibility with Global Protect VPN Client

Good day all!

I'm looking for confirmation on the features of the Palo Alto Next-Gen Firewall integration with elastic. On the overview page of the integration, it details support of the Global Protect type of message.

Does this mean that it is able to get logs from the actual on computer clients or does this mean something else? We are looking to be able to pull logs from the VPN client ON the machine of the end user.


You can use Elasti agent, which is described here.

If you prefer LS, then you can use the syslog input plugin, and parse with JSON, CEF codec, KV plugin depends in which format a device will send.

In general LS, do not detect source, it just transform data how we set in a .conf file.

It means that it can parse the logs with the Global Protect format, to get the logs from the Client on every machine you would need to install the Agent also on every machine.

1 Like


When a user connects to the VPN, the firewall generates logs that contain information about the user, the IP address they were assigned, the time they connected and disconnected, and other details. These logs can be forwarded to Elastic for analysis.

However, if you're looking to collect logs directly from the VPN client on the end user's machine, this would require a different approach. You would need to configure the client to generate logs, and then use a log shipper like Filebeat to send these logs to Elastic.


1 Like

LS has an option called the persistent queue and FB has also option the internal queue on the disk.

I don't think ES or LS can detect the active agent and pull data. LS is listening mode and forward data to ES or other destination. What I see as a solution here is FB/EA on VPN client side with buffering on disk, keeping FB active and trying to reconnect. When the connection is established with ES or LS, FB will deliver logs. LS is little bit heavy and complex to install on the VPN clients, I would avoid. Maybe someone else had the experience with this scenario, really would like to hear from 1st hand.

So, we do deploy the client on all machines that have the VPN so that is covered. From some of the other posts it sounds like that integration does something like what we are looking for if the VPN client than forwards the logs to the firewall and then us.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.