Palo Alto Networks' latest software update, PAN-OS 9.1, has officially changed the log format for VPN/GlobalProtect logs. This change has left Splunk users experiencing problems populating the data for their VPN/GlobalProtect dashboards.
Palo Alto Networks Log Format Comparison for Splunk
9.0 Log Format
● Previously, GlobalProtect data was present in the pan:system sourcetype with the globalprotect log_subtype
9.1 Log Format
● GlobalProtect data is present in the pan:globalprotect sourcetype and it contains multiple log_subtype values such as: login, configuration, connected, etc. We’ll be using the login log_subtype value for building the VPN dashboard.
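To see what this change means for a dashboard, here is a Splunk Simple XML panel, added as an example and not taken from the Cyences or RWI apps, whose base search matches GlobalProtect login events under both the 9.0 and the 9.1 format described above and charts them by schema, so the panel keeps populating across the upgrade and the cut-over date is visible. The index name pan_logs and the 30-day window are assumptions; a second panel lists the log_subtype values the new sourcetype actually carries.

```xml
<dashboard>
  <!-- Example dashboard (not from the Cyences or RWI apps); index name is assumed -->
  <label>GlobalProtect logins across PAN-OS 9.0 and 9.1 log formats</label>
  <row>
    <panel>
      <title>Login events per day, by log schema</title>
      <chart>
        <search>
          <query>
index=pan_logs ((sourcetype=pan:system log_subtype=globalprotect) OR (sourcetype=pan:globalprotect log_subtype=login))
| eval schema=if(sourcetype=="pan:globalprotect", "PAN-OS 9.1 (pan:globalprotect)", "PAN-OS 9.0 (pan:system)")
| timechart span=1d count by schema
          </query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
        <option name="charting.chart">column</option>
        <option name="charting.chart.stackMode">stacked</option>
      </chart>
    </panel>
    <panel>
      <title>log_subtype values seen in pan:globalprotect</title>
      <table>
        <search>
          <query>
index=pan_logs sourcetype=pan:globalprotect
| stats count, min(_time) AS first_seen, max(_time) AS last_seen BY log_subtype
| convert ctime(first_seen) ctime(last_seen)
| sort - count
          </query>
          <earliest>-30d@d</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</dashboard>
```

If the first panel shows the pan:system series dropping to zero while pan:globalprotect appears, the firewall has been upgraded and any remaining panel that still searches only `sourcetype=pan:system log_subtype=globalprotect` will return "No results found".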
The PAN-OS 9.1 update is a breaking update for GlobalProtect. We've heard this from several Splunk users, who are dismissing the VPN dashboards from the Remote Work Insights – Executive Dashboard app for Splunk because of it.
The RWI app currently has two dashboards that are focused on VPN activity:
● VPN Ops
● Global Protect VPN Login Activities
The Global Protect VPN Login Activities dashboard has stopped functioning since Palo Alto's recent modification, and it displays "No results found" on all of its panels.
The VPN Ops dashboard appears to be working, but it isn’t displaying the correct data.
As you can see from the screenshot below, it shows successful logins from the Netherlands, which can't be true for our Splunk environment, since we have a policy configured on Palo Alto to allow connections only from the United States and Mexico.
We've updated the VPN dashboard in the Cyences App so that it displays the correct VPN data, which can be verified from the Palo Alto side. The screenshot below shows logins from the United States and Mexico only.
The new VPN dashboard for Cyences will be released with the 1.2.0 version update. Download the Cyences app for Splunk here.