Cloud NGFW for AWS Decryption Log Fields
Updated on
Thu Dec 19 18:19:59 UTC 2024
Learn the meaning of each Cloud NGFW for AWS decryption log field.

Where Can I Use This?
    Cloud NGFW for AWS

What Do I Need?
    Cloud NGFW subscription
    Palo Alto Networks Customer Support Account (CSP)
    AWS Marketplace account
    User role (either tenant or administrator)
The following table describes the decryption log fields. Each entry gives the field name, the log key in parentheses, and the description.

Generated Time (time_generated or cef-formatted-time_generated): Time the log was generated on the dataplane.
Source IP address (src_ip): Original session source IP address.
Source port (sport): Source port used by the session.
Session ID (sessionid): An internal numerical identifier applied to each session.
Destination Address (dst_ip): Original session destination IP address.
Destination port (dport): Destination port used by the session.
IP Protocol (proto): IP protocol associated with the session.
Application (app): Application associated with the session.
Rule (rule): Security policy rule that controls the session traffic.
Action (action): Action taken for the session; possible values are:
    allow—session was allowed by policy
    deny—session was denied by policy
    reset both—session was terminated and a TCP reset is sent to both sides of the connection
    reset client—session was terminated and a TCP reset is sent to the client
    reset server—session was terminated and a TCP reset is sent to the server
TLS Version (tls_version): The version of the TLS protocol used for the session.
Key Exchange Algorithm (key_exchange_algorithm): The key exchange algorithm used for the session.
Encryption Algorithm (tls_enc): The algorithm used to encrypt the session data, such as AES-128-CBC or AES-256-GCM.
Hash Algorithm (hash_algorithm): The authentication (MAC) algorithm used for the session, for example SHA, SHA256 or SHA384.
Elliptic Curve (elliptic_curve): The elliptic curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
Server Name Indication (server_name_indication): The Server Name Indication (SNI) hostname presented by the client.
Server Name Indication Length (server_name_indication_length): The length of the Server Name Indication (hostname).
Proxy Type (proxy_type): The decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No decrypt for undecrypted traffic, or GlobalProtect.
Chain Status (chain_status): Whether the server certificate chain is trusted. Values are:
    Uninspected
    Untrusted
    Trusted
    Incomplete
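The fields above are most useful when they are read together: a Chain Status of Untrusted or Incomplete, a legacy TLS Version, a CBC cipher in Encryption Algorithm, or an RSA key exchange are the signals an analyst looks for when reviewing what the firewall decrypted. The script below is an added example, not Palo Alto Networks code. It assumes the decryption logs have been exported as one JSON object per line keyed by the log keys in the table (for example after forwarding to CloudWatch or S3 and converting to JSON); the four sample records are constructed for illustration and do not describe real traffic.

```python
"""Triage Cloud NGFW for AWS decryption log records by their documented fields.

Added example (not vendor code). Assumes one JSON object per line, keyed by
the log keys in the field table above (tls_version, chain_status, ...).
"""
import json
from collections import Counter

# Constructed sample records using the documented field names; values are
# illustrative only.
SAMPLE_LOG = """\
{"time_generated": "2024/12/19 18:00:01", "src_ip": "10.0.1.25", "sport": 51234, "sessionid": 1001, "dst_ip": "198.51.100.10", "dport": 443, "proto": "tcp", "app": "ssl", "rule": "outbound-decrypt", "action": "allow", "tls_version": "TLS1.3", "key_exchange_algorithm": "ECDHE", "tls_enc": "AES-256-GCM", "hash_algorithm": "SHA384", "elliptic_curve": "x25519", "server_name_indication": "updates.example.com", "server_name_indication_length": 19, "proxy_type": "Forward", "chain_status": "Trusted"}
{"time_generated": "2024/12/19 18:00:07", "src_ip": "10.0.1.40", "sport": 49822, "sessionid": 1002, "dst_ip": "203.0.113.77", "dport": 443, "proto": "tcp", "app": "ssl", "rule": "outbound-decrypt", "action": "reset both", "tls_version": "TLS1.0", "key_exchange_algorithm": "RSA", "tls_enc": "AES-128-CBC", "hash_algorithm": "SHA", "elliptic_curve": "", "server_name_indication": "legacy.example.net", "server_name_indication_length": 18, "proxy_type": "Forward", "chain_status": "Untrusted"}
{"time_generated": "2024/12/19 18:00:12", "src_ip": "10.0.2.15", "sport": 60011, "sessionid": 1003, "dst_ip": "192.0.2.200", "dport": 443, "proto": "tcp", "app": "ssl", "rule": "no-decrypt-banking", "action": "allow", "tls_version": "TLS1.2", "key_exchange_algorithm": "", "tls_enc": "", "hash_algorithm": "", "elliptic_curve": "", "server_name_indication": "bank.example.org", "server_name_indication_length": 16, "proxy_type": "No decrypt", "chain_status": "Uninspected"}
{"time_generated": "2024/12/19 18:00:20", "src_ip": "198.51.100.5", "sport": 40500, "sessionid": 1004, "dst_ip": "10.0.3.10", "dport": 443, "proto": "tcp", "app": "web-browsing", "rule": "inbound-inspect", "action": "allow", "tls_version": "TLS1.2", "key_exchange_algorithm": "ECDHE", "tls_enc": "AES-256-GCM", "hash_algorithm": "SHA256", "elliptic_curve": "secp256r1", "server_name_indication": "app.example.com", "server_name_indication_length": 15, "proxy_type": "Inbound", "chain_status": "Incomplete"}
"""

LEGACY_TLS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_CIPHER_MARKERS = ("CBC", "RC4", "3DES", "NULL")
WEAK_HASHES = {"MD5", "SHA"}  # a bare "SHA" in hash_algorithm denotes SHA-1


def parse_records(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess(rec):
    """Return the list of findings for one session, derived only from the
    documented fields. Uninspected chains (e.g. No decrypt sessions) are not
    flagged because nothing was verified for them."""
    findings = []
    chain = rec.get("chain_status")
    if chain == "Untrusted":
        findings.append("untrusted-certificate-chain")
    elif chain == "Incomplete":
        findings.append("incomplete-certificate-chain")
    if rec.get("tls_version") in LEGACY_TLS:
        findings.append("legacy-tls-version")
    enc = rec.get("tls_enc", "").upper()
    if any(marker in enc for marker in WEAK_CIPHER_MARKERS):
        findings.append("weak-cipher")
    if rec.get("hash_algorithm", "").upper() in WEAK_HASHES:
        findings.append("weak-mac")
    if rec.get("key_exchange_algorithm", "").upper() == "RSA":
        findings.append("no-forward-secrecy")
    return findings


def triage(text):
    """Summarise a batch of records: counts per action and chain status, plus
    findings keyed by sessionid for sessions that have any."""
    recs = parse_records(text)
    return {
        "sessions": len(recs),
        "actions": Counter(r.get("action") for r in recs),
        "chain_status": Counter(r.get("chain_status") for r in recs),
        "findings": {r["sessionid"]: f for r in recs if (f := assess(r))},
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print(f"sessions: {summary['sessions']}")
    print(f"actions: {dict(summary['actions'])}")
    print(f"chain status: {dict(summary['chain_status'])}")
    for sid, findings in summary["findings"].items():
        print(f"session {sid}: {', '.join(findings)}")
```

In the sample, session 1002 is the one worth a second look: its chain is Untrusted, it negotiated TLS 1.0 with an RSA key exchange, a CBC cipher and SHA-1, and the firewall's action was reset both. Session 1004 (Inbound Inspection) completes the handshake cleanly but reports an Incomplete chain, which on a server you operate usually means a missing intermediate certificate rather than an attack. The No decrypt session is left alone: its Uninspected chain status records that the firewall did not evaluate it, not that it was bad.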