Cloud NGFW for AWS Traffic Log Fields
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for AWS Pricing
- Cloud NGFW Credit Distribution and Management
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Configure Automated Account Onboarding
- Usage Explorer
- Create a Support Case
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Strata Logging Service
- Tag Based Policies
- Configure Zone-based Policy Rules
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
- Strata Cloud Manager Policy Management
Cloud NGFW for AWS Traffic Log Fields
Learn the meaning of each Cloud NGFW for AWS traffic
log fields.
The following table describes the Cloud NGFW for AWS traffic log fields:
Field Name | Description |
---|---|
Generated Time (time_generated or cef-formatted-time_generated) | Time the log was generated on the dataplane. |
Source Address (src_ip) | Original session source IP address. |
Source Port (sport) | Source port utilized by the session. |
Session ID (sessionid) | An internal numerical identifier applied
to each session. |
Destination Address (dst_ip) | Original session destination IP address. |
Destination Port (dport) | Destination port utilized by the session. |
IP Protocol (proto) | IP protocol associated with the session. |
Application (app) | Application associated with the session. |
Rule Name (rule) | Name of the rule that the session matched. |
Action (action) | Action taken for the session; possible values
are:
|
Bytes Received (bytes_recv) | Number of bytes in the server-to-client
direction of the session. |
Bytes Sent (bytes_sent) | Number of bytes in the client-to-server
direction of the session. |
Packets Received (pkts_received) | Number of server-to-client packets for the
session. |
Packets Sent (pkts_sent) | Number of client-to-server packets for the
session. |
Start Time (start_time) | Time of session start and disk use. |
Elapsed Time (elapsed_time) | Elapsed time of the session. |
Repeat Count (repeat_count) | Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within
5 seconds. |
Category (category) | URL category associated with the session
(if applicable). |
Source Country (src country) | Source country or Internal region for private
addresses; maximum length is 32 bytes. |
Destination Country (dst country) | Destination country or Internal region for
private addresses. Maximum length is 32 bytes. |
Session End Reason (session_end_reason) | The reason a session terminated. If the
termination had multiple causes, this field displays only the highest
priority reason. The possible session end reason values are as follows,
in order of priority (where the first is highest):
|
XFF Address (xff_ip) | The IP address of the user who requested
the web page or the IP address of the next to last device that the
request traversed. If the request goes through one or more proxies, load
balancers, or other upstream devices, the firewall displays the
IP address of the most recent device. |