
Palo Alto GlobalProtect Integration

Overview

Palo Alto GlobalProtect provides secure remote-access VPN with Host Information Profile (HIP) checking. KYRA MDR collects GlobalProtect logs through PAN-OS syslog forwarding. GlobalProtect 5.x and 6.x are supported.

Prerequisites

  • A KYRA MDR Collector installed and running
  • Palo Alto NGFW configured as GlobalProtect gateway/portal
  • Syslog configured on the NGFW
  • GlobalProtect gateway and portal configured

Configuration

GlobalProtect events are forwarded through PAN-OS syslog:

  1. Ensure syslog is configured (see Palo Alto NGFW integration)
  2. Configure log forwarding under Objects > Log Forwarding:
     Log Type       | Forwarding
     ---------------|-------------------------
     System         | KYRA-MDR syslog profile
     Authentication | KYRA-MDR syslog profile
     GlobalProtect  | KYRA-MDR syslog profile
     HIP Match      | KYRA-MDR syslog profile
  3. Apply the log forwarding profile to security policies
  4. Commit the configuration

PAN-OS CLI Configuration

You can configure syslog forwarding and log profiles directly from the PAN-OS CLI:

# Configure a syslog server profile
set shared log-settings syslog kyra-mdr-syslog server kyra-collector \
server <COLLECTOR_IP> \
transport TCP \
port 514 \
format BSD \
facility LOG_USER
# Create a log forwarding profile
set shared log-settings profiles kyra-gp-profile \
match-list gp-auth-logs \
log-type auth \
send-syslog kyra-mdr-syslog \
filter "All Logs"
set shared log-settings profiles kyra-gp-profile \
match-list gp-system-logs \
log-type system \
send-syslog kyra-mdr-syslog \
filter "All Logs"
set shared log-settings profiles kyra-gp-profile \
match-list gp-globalprotect-logs \
log-type globalprotect \
send-syslog kyra-mdr-syslog \
filter "All Logs"
set shared log-settings profiles kyra-gp-profile \
match-list gp-hipmatch-logs \
log-type hipmatch \
send-syslog kyra-mdr-syslog \
filter "All Logs"
# Apply the profile to a security policy rule
set rulebase security rules allow-vpn-traffic \
log-setting kyra-gp-profile
# Commit the configuration
commit

Verify Log Forwarding

# Show syslog server profile
show log-settings syslog
# Show log forwarding profile
show log-settings profiles
# On the KYRA Collector, verify incoming GlobalProtect logs
# (-l makes tcpdump line-buffered so grep shows matches as they arrive)
sudo tcpdump -l -i any port 514 -A | grep -i "globalprotect"

Collected Log Types

Log Type             | Description                        | Security Use
---------------------|------------------------------------|-----------------------------
GlobalProtect Login  | VPN authentication events          | Access monitoring
GlobalProtect Logout | VPN disconnection events           | Session tracking
HIP Check            | Host information profile results   | Endpoint compliance
Gateway Selection    | Gateway assignment events          | Load balancing monitoring
Config Sync          | Portal-gateway config sync         | Configuration integrity
Satellite            | GlobalProtect satellite events     | Site-to-site VPN monitoring

Troubleshooting

No GlobalProtect logs: Verify the log forwarding profile includes the GlobalProtect log type.

Missing HIP data: HIP Match logs require HIP profiles configured and assigned to policies.

Multi-gateway: Each gateway generates independent logs. Configure syslog on all gateways.
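The following script is an added example, not part of KYRA MDR or PAN-OS, that shows one way to check the "No GlobalProtect logs" and "Multi-gateway" points above on the collector side. It parses BSD-framed PAN-OS syslog lines, reads the firewall serial and log type from the CSV payload (the first four PAN-OS columns are FUTURE_USE, receive time, serial number and type), counts records per serial and type, and reports which expected gateway serials have sent no GLOBALPROTECT (or HIP match) records. The sample lines, hostnames, serials and the columns after the type field are constructed for illustration; the host name used in the example's expected-serial list is hypothetical.

```python
"""Check which PAN-OS firewalls are forwarding GlobalProtect logs to a collector.

Added example for this integration page; not KYRA MDR or PAN-OS code.
Assumes the standard PAN-OS CSV column order for every log type:
FUTURE_USE, receive time, serial number, type, subtype, ...
"""
import csv
import io
import re
from collections import Counter, defaultdict

# BSD syslog framing as produced by "format BSD": <PRI>MMM dd hh:mm:ss host message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.+)$"
)

# 0-based CSV column positions shared by all PAN-OS log types.
SERIAL_IDX = 2
TYPE_IDX = 3

# Constructed sample input: gw1 forwards GlobalProtect, HIP match and system logs;
# gw2 only forwards system logs (its GlobalProtect forwarding is missing).
# Columns after the type field are illustrative, not a verified PAN-OS layout.
SAMPLE_LINES = [
    "<14>Mar  3 10:15:01 gp-gw1 1,2024/03/03 10:15:01,001234567890,GLOBALPROTECT,0,2562,"
    "2024/03/03 10:15:00,vsys1,gateway-auth,login,LDAP,SSL,jdoe,US,LAPTOP-01,203.0.113.10",
    "<14>Mar  3 10:15:02 gp-gw1 1,2024/03/03 10:15:02,001234567890,HIPMATCH,0,2563,"
    "2024/03/03 10:15:01,jdoe,vsys1,LAPTOP-01,Windows 10,203.0.113.10,corp-hip-profile,profile",
    '<14>Mar  3 10:15:05 gp-gw1 1,2024/03/03 10:15:05,001234567890,SYSTEM,globalprotect,2564,'
    '2024/03/03 10:15:04,vsys1,gateway-config-release,,0,0,general,informational,'
    '"GlobalProtect gateway config released, gateway: gw1"',
    "<14>Mar  3 10:40:17 gp-gw1 1,2024/03/03 10:40:17,001234567890,GLOBALPROTECT,0,2570,"
    "2024/03/03 10:40:16,vsys1,gateway-logout,logout,LDAP,SSL,jdoe,US,LAPTOP-01,203.0.113.10",
    '<14>Mar  3 10:15:07 gp-gw2 1,2024/03/03 10:15:07,009876543210,SYSTEM,general,1201,'
    '2024/03/03 10:15:06,vsys1,general,,0,0,general,informational,'
    '"Syslog connection established to server kyra-collector"',
    "this is not a syslog line",
]


def parse_record(line):
    """Return (host, serial, log_type) for one BSD-framed PAN-OS line, or None if unparsable."""
    m = BSD_RE.match(line)
    if not m:
        return None
    # csv handles quoted fields such as the system log's description, which contain commas.
    fields = next(csv.reader(io.StringIO(m.group("msg"))))
    if len(fields) <= TYPE_IDX:
        return None
    return m.group("host"), fields[SERIAL_IDX], fields[TYPE_IDX]


def summarize(lines):
    """Count received records per firewall serial and PAN-OS log type."""
    counts = defaultdict(Counter)
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue  # skip non-PAN-OS or truncated lines rather than fail the run
        _host, serial, log_type = rec
        counts[serial][log_type] += 1
    return {serial: dict(c) for serial, c in counts.items()}


def gateways_without(summary, expected_serials, log_type="GLOBALPROTECT"):
    """Expected serials that sent no record of log_type; a completely silent gateway is included."""
    return sorted(s for s in expected_serials if summary.get(s, {}).get(log_type, 0) == 0)


if __name__ == "__main__":
    summary = summarize(SAMPLE_LINES)
    for serial, counts in summary.items():
        print(serial, counts)
    # Hypothetical inventory of gateway serials that should be forwarding.
    expected = ["001234567890", "009876543210"]
    print("gateways missing GLOBALPROTECT logs:", gateways_without(summary, expected))
    print("gateways missing HIPMATCH logs:", gateways_without(summary, expected, "HIPMATCH"))
```

In practice the lines would come from the collector's syslog input or a capture file rather than the embedded list; a serial that appears only under SYSTEM points at a gateway whose GlobalProtect and HIP Match log types are not in the forwarding profile, while a serial missing entirely points at a gateway with no syslog server profile at all.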

Contact kyra@seekerslab.com for support.