>
    Cloud NGFW for Azure Traffic Log Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. Cloud NGFW for Azure Administration
    3. Monitor Cloud NGFW for Azure Resource
    4. View Traffic and Threat Logs Natively in Azure
    5. View the Logs in Log Analytics Workspace
    6. Cloud NGFW for Azure Traffic Log Fields
    Download PDF
    Cloud NGFW for Azure

    Cloud NGFW for Azure Traffic Log Fields

    Table of Contents

    Cloud NGFW for Azure Traffic Log Fields

    Learn about Traffic log fields for your Cloud NGFW for Azure resource.
    Where Can I Use This?What Do I Need?
    • Cloud NGFW for Azure
    • Cloud NGFW subscription
    • Palo Alto Networks Customer Support Portal account
    • Azure Marketplace subscription
    Field Name
    Description
    Source Address (src_ip)
    Original session source IP address.
    Source port (sport)
    Source port utilized by the session.
    Destination Address (dst)
    Original session destination IP address.
    Destination port (dport)
    Destination port utilized by the session.
    IP Protocol (proto)
    IP protocol associated with the session.
    Application (app)
    Application associated with the session.
    Rule Name (rule)
    Name of the rule that the session matched.
    Action (action)
    Action taken for the session; possible values are:
    • allow—session permitted by policy
    • deny—session permitted by policy
    • reset both—session terminated and a TCP reset is sent to both the sides of the connection
    • reset client—session was terminated and a TCP reset is sent to the client
    • reset server—session terminated and a TCP reset is sent to the server
    Bytes Received (bytes_received)
    Number of bytes in the server-to-client direction of the session.
    Bytes Sent (bytes_sent)
    Number of bytes in the client-to-server direction of the session.
    Packets Received (pkts_received)
    Number of server-to-client packets for the session.
    Packets Sent (pkts_sent)
    Number of client-to-server packets for the session.
    Start Time (start)
    Time of session start.
    Elapsed Time (elapsed)
    Elapsed time of the session.
    Repeat Count (repeatcnt)
    Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    Category (category)
    URL category associated with the session (if applicable).
    Source Country (srcloc)
    Source country or Internal region for private addresses; maximum length is 32 bytes.
    Destination Country (dstloc)
    Destination country or Internal region for private addresses. The maximum length is 32 bytes.
    Session End Reason (session_end_reason)
    The reason is a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
    • threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
    • policy-deny—The session matched a security rule with a deny or drop action.
    • decrypt-cert-validation—The session terminated because you configured the firewall to block when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification timeout. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
    • decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL Forward Proxy decryption or SSL Inbound Inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
    • decrypt-error—The session terminated because you configured the firewall to block SSL Forward Proxy decryption or SSL Inbound Inspection when firewall resources were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSL errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
    • tcp-rst-from-client—The client sent a TCP reset to the server.
    • tcp-rst-from-server—The server sent a TCP reset to the client.
    • resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
    • tcp-fin—Both hosts in the connection sent a TCP FIN message to close the session.
    • tcp-reuse—A session is reused and the firewall closes the previous session.
    • decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
    • aged-out—The session aged out.
    • n/a—This value applies when the Traffic log type isn’t end.
    XFF Address (xff)
    The IP address of the user who requested the webpage or the IP address of the next to the last device that the request traversed. If the request goes through one or more proxies, load balancers, or other upstream devices, the firewall displays the IP address of the most recent device.

    © 2025 Palo Alto Networks, Inc. All rights reserved.