Cloud NGFW for Azure Decryption Log Fields
Learn about decryption log fields for your Cloud NGFW resource.
Where Can I Use This?
  • Cloud NGFW for Azure
What Do I Need?
  • Cloud NGFW subscription
  • Palo Alto Networks Customer Support Portal account
  • Azure Marketplace subscription
Field Name
Description
Source IP address (src_ip)
Original session source IP address.
Source port (sport)
Source port utilized by the session.
Destination Address (dst)
Original session destination IP address.
Destination port (dport)
Destination port utilized by the session.
IP Protocol (proto)
IP protocol associated with the session.
Application (app)
Application associated with the session.
Rule (rule)
Security policy rule that controls the session traffic.
Action (action)
Action taken for the session; possible values are:
  • allow—session permitted by policy
  • deny—session denied by policy
  • reset both—session terminated and a TCP reset sent to both sides of the connection
  • reset client—session terminated and a TCP reset sent to the client
  • reset server—session terminated and a TCP reset sent to the server
TLS Version (tls_version)
The version of the TLS protocol used for the session.
Key Exchange Algorithm (tls_keyxchg)
The key exchange algorithm used for the session.
Encryption Algorithm (tls_enc)
The algorithm used to encrypt the session data, such as AES-128-CBC, AES-256-GCM, etc.
Hash Algorithm (tls_auth)
The hash algorithm used for message authentication in the negotiated cipher suite, for example SHA, SHA256, or SHA384.
Elliptic Curve (ec_curve)
The elliptic curve that the client and server negotiated, for connections that use ECDHE cipher suites.
Server Name Indication (server_name_indication)
The hostname the client sent in the Server Name Indication (SNI) extension of the TLS ClientHello.
Server Name Indication Length (server_name_indication_length)
The length of the Server Name Indication (hostname).
Proxy Type (proxy_type)
The decryption proxy type: Forward (Forward Proxy), Inbound (Inbound Inspection), No decrypt (undecrypted traffic), GlobalProtect™, and so on.
Selecting No Decrypt, rather than None, causes traffic to drop.
Chain Status (chain_status)
Whether the server's certificate chain is trusted. Values are:
  • Uninspected
  • Untrusted
  • Trusted
  • Incomplete
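The fields above are what you have to work with when hunting for weak or suspicious TLS sessions in exported decryption logs. The following is an added example, not code from the Palo Alto Networks page or product: it assumes each exported record is a JSON object keyed by the field keys listed above (src_ip, tls_version, tls_enc, chain_status, and so on), which is an assumption about your log destination's format, and the three sample records are constructed for illustration. It flags deprecated TLS versions, key exchanges without forward secrecy, CBC/RC4/DES-family ciphers, and untrusted or incomplete chains, skipping the chain check for sessions the firewall did not decrypt.

```python
"""Triage Cloud NGFW for Azure decryption log records (added example).

Assumption: records are newline-delimited JSON objects keyed by the field
keys from the decryption log field table. Adjust load_records() if your
log destination exports a different shape. SAMPLE_LOG is constructed data.
"""
import json

# Constructed sample records, not real log output.
SAMPLE_LOG = """\
{"src_ip": "10.1.2.3", "sport": 51234, "dst": "203.0.113.10", "dport": 443, "proto": "tcp", "app": "ssl", "rule": "outbound-decrypt", "action": "allow", "tls_version": "TLSv1.3", "tls_keyxchg": "ECDHE", "tls_enc": "AES-256-GCM", "tls_auth": "SHA384", "ec_curve": "secp256r1", "server_name_indication": "example.com", "server_name_indication_length": 11, "proxy_type": "Forward", "chain_status": "Trusted"}
{"src_ip": "10.1.2.4", "sport": 51235, "dst": "203.0.113.11", "dport": 443, "proto": "tcp", "app": "ssl", "rule": "outbound-decrypt", "action": "allow", "tls_version": "TLSv1.0", "tls_keyxchg": "RSA", "tls_enc": "AES-128-CBC", "tls_auth": "SHA", "ec_curve": "", "server_name_indication": "legacy.example.net", "server_name_indication_length": 18, "proxy_type": "Forward", "chain_status": "Untrusted"}
{"src_ip": "10.1.2.5", "sport": 51236, "dst": "203.0.113.12", "dport": 8443, "proto": "tcp", "app": "ssl", "rule": "outbound-nodecrypt", "action": "allow", "tls_version": "TLSv1.2", "tls_keyxchg": "ECDHE", "tls_enc": "AES-128-GCM", "tls_auth": "SHA256", "ec_curve": "x25519", "server_name_indication": "", "server_name_indication_length": 0, "proxy_type": "No decrypt", "chain_status": "Uninspected"}
"""

WEAK_TLS_VERSIONS = {"SSLv3", "TLSv1.0", "TLSv1.1"}
NO_FORWARD_SECRECY = {"RSA"}  # static RSA key transport has no forward secrecy
WEAK_CIPHER_MARKERS = ("CBC", "RC4", "3DES", "DES", "NULL")


def load_records(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def findings_for(rec):
    """Return a list of (finding, detail) tuples for one decryption log record."""
    out = []
    version = rec.get("tls_version", "")
    if version in WEAK_TLS_VERSIONS:
        out.append(("weak-tls-version", version))
    if rec.get("tls_keyxchg") in NO_FORWARD_SECRECY:
        out.append(("no-forward-secrecy", rec["tls_keyxchg"]))
    enc = rec.get("tls_enc", "")
    if any(marker in enc.upper() for marker in WEAK_CIPHER_MARKERS):
        out.append(("weak-cipher", enc))
    # chain_status is only meaningful for sessions the firewall decrypted;
    # "No decrypt" sessions report Uninspected and must not be flagged.
    if rec.get("proxy_type") != "No decrypt":
        chain = rec.get("chain_status", "")
        if chain in ("Untrusted", "Incomplete"):
            out.append(("chain-" + chain.lower(), rec.get("server_name_indication", "")))
    # A decrypted forward-proxy session with no SNI is worth a look: it is
    # either a non-browser client or an attempt to sidestep SNI-based policy.
    if rec.get("proxy_type") == "Forward" and not rec.get("server_name_indication"):
        out.append(("missing-sni", "%s:%s" % (rec.get("dst"), rec.get("dport"))))
    return out


def triage(text):
    """Return one summary entry per record that produced at least one finding."""
    results = []
    for rec in load_records(text):
        found = findings_for(rec)
        if found:
            results.append({
                "src_ip": rec.get("src_ip"),
                "dst": rec.get("dst"),
                "dport": rec.get("dport"),
                "rule": rec.get("rule"),
                "sni": rec.get("server_name_indication"),
                "findings": found,
            })
    return results


if __name__ == "__main__":
    for entry in triage(SAMPLE_LOG):
        print("%(src_ip)s -> %(dst)s:%(dport)s (rule %(rule)s, SNI %(sni)r)" % entry)
        for name, detail in entry["findings"]:
            print("    %-20s %s" % (name, detail))
```

Run against the constructed sample, only the second record is reported, with four findings: the TLSv1.0 version, RSA key exchange, the AES-128-CBC cipher, and the Untrusted chain. The third record negotiates a sound cipher suite but was not decrypted, so its Uninspected chain status is correctly ignored; if you instead want to audit which traffic is escaping decryption, filter on proxy_type == "No decrypt" and group by rule.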