Cloud NGFW for AWS Decryption Log Fields

Field Name
Description
Source IP Address (src_ip)
Original session source IP address.
Source Port (sport)
Source port utilized by the session.
Destination Address (dst)
Original session destination IP address.
Destination Port (dport)
Destination port utilized by the session.
IP Protocol (proto)
IP protocol associated with the session.
Application (app)
Application associated with the session.
Rule (rule)
Security policy rule that controls the session traffic.
Action (action)
Action taken for the session; possible values are:
  • allow—session was allowed by policy
  • deny—session was denied by policy
  • reset both—session was terminated and a TCP reset is sent to both the sides of the connection
  • reset client—session was terminated and a TCP reset is sent to the client
  • reset server—session was terminated and a TCP reset is sent to the server
TLS Version (tls_version)
The version of TLS protocol used for the session.
Key Exchange Algorithm (tls_keyxchg)
The key exchange algorithm used for the session.
Encryption Algorithm (tls_enc)
The algorithm used to encrypt the session data, such as AES-128-CBC, AES-256-GCM, etc.
Hash Algorithm (tls_auth)
The authentication algorithm used for the session, for example, SHA, SHA256, SHA384, etc.
Elliptic Curve (ec_curve)
The elliptic cryptography curve that the client and server negotiate and use for connections that use ECDHE cipher suites.
Server Name Indication (server_name_indication)
The Server Name Indication.
Server Name Indication Length (server_name_indication_length)
The length of the Server Name Indication (hostname).
Proxy Type (proxy_type)
The Decryption proxy type, such as Forward for Forward Proxy, Inbound for Inbound Inspection, No Decrypt for undecrypted traffic, GlobalProtect, etc.
Chain Status (chain_status)
Whether the chain is trusted. Values are:
  • Uninspected
  • Untrusted
  • Trusted
  • Incomplete

Recommended For You