Home
EN
Location
Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base
>
Clear
Cloud NGFW for Azure Decryption Log Fields
Updated on
Mon Aug 11 15:12:27 PDT 2025
Focus
Download PDF
Updated on
Mon Aug 11 15:12:27 PDT 2025
Focus
Home
Cloud NGFW for Azure Administration
Monitor Cloud NGFW for Azure Resource
View Traffic and Threat Logs Natively in Azure
View the Logs in Log Analytics Workspace
Cloud NGFW for Azure Decryption Log Fields
Download PDF
Cloud NGFW for Azure
Cloud NGFW for Azure Decryption Log Fields
Table of Contents
Filter
Expand All
|
Collapse All
Cloud NGFW for Azure Docs
Getting Started
Deployment
Administration
Reference
Release Notes
Previous
Cloud NGFW for Azure Threat Log Fields
Next
View Activity Logs Natively in Azure
Cloud NGFW for Azure Decryption Log Fields
Learn about decryption log fields for your Cloud NGFW resource.
Where Can I Use This?
What Do I Need?
Cloud NGFW for Azure
Cloud NGFW subscription
Palo Alto Networks Customer Support Portal account
Azure Marketplace subscription
Field Name
Description
Source IP address (src_ip)
Original session source IP address.
Source port (sport)
Source port utilized by the session.
Destination Address (dst)
Original session destination IP address.
Destination port (dport)
Destination port utilized by the session.
IP Protocol (proto)
IP protocol associated with the session.
Application (app)
Application associated with the session.
Rule (rule)
Security policy rule that controls the session traffic.
Action (action)
Action taken for the session; possible values are:
allow—session permitted by policy
deny—session denied by policy
reset both—session terminated and a TCP reset sent to both the sides of the connection
reset client—session terminated and a TCP reset sent to the client
reset server—session terminated and a TCP reset sent to the server
TLS Version (tls_version)
The version of the TLS protocol used for the session.
Key Exchange Algorithm (tls_keyxchg)
The key exchange algorithm used for the session.
Encryption Algorithm (tls_enc)
The algorithm used to encrypt the session data, such as AES-128-CBC, AES-256-GCM, etc.
Hash Algorithm (tls_auth)
The authentication algorithm used for the session, for example, SHA, SHA256, SHA384, etc.
Elliptic Curve (ec_curve)
The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
Server Name Indication (server_name_indication)
The Server Name Indication.
Server Name Indication Length (server_name_indication_length)
The length of the Server Name Indication (hostname).
Proxy Type (proxy_type)
The decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No decrypt for undecrypted traffic, GlobalProtect™, etc.
Selecting
No Decrypt
, rather than
None
, causes traffic to drop.
Chain Status (chain_status)
Whether the chain is trusted. Values are:
Uninspected
Untrusted
Trusted
Incomplete
Previous
Cloud NGFW for Azure Threat Log Fields
Next
View Activity Logs Natively in Azure