Cloud NGFW for AWS
    : Cloud NGFW for AWS Traffic Log Fields
    Focus
    Download PDF
    Focus
    1. Home
    2. AWS
    3. Cloud NGFW for AWS
    4. Cloud NGFW Resource and NGFW Endpoints
    5. Configure Logging for Cloud NGFW on AWS
    6. Cloud NGFW for AWS Traffic Log Fields
    Download PDF

    Cloud NGFW for AWS

    Cloud NGFW for AWS Traffic Log Fields

    Table of Contents

    Cloud NGFW for AWS Traffic Log Fields

    Learn the meaning of each Cloud NGFW for AWS traffic log fields.
    The following table describes the Cloud NGFW for AWS traffic log fields:
    Field Name
    Description
    Generated Time (time_generated or cef-formatted-time_generated)
    Time the log was generated on the dataplane.
    Source Address (src_ip)
    Original session source IP address.
    Source Port (sport)
    Source port utilized by the session.
    Session ID (sessionid)
    An internal numerical identifier applied to each session.
    Destination Address (dst_ip)
    Original session destination IP address.
    Destination Port (dport)
    Destination port utilized by the session.
    IP Protocol (proto)
    IP protocol associated with the session.
    Application (app)
    Application associated with the session.
    Rule Name (rule)
    Name of the rule that the session matched.
    Action (action)
    Action taken for the session; possible values are:
    • allow—session was allowed by policy
    • deny—session was denied by policy
    • reset both—session was terminated and a TCP reset is sent to both the sides of the connection
    • reset client—session was terminated and a TCP reset is sent to the client
    • reset server—session was terminated and a TCP reset is sent to the server
    Bytes Received (bytes_recv)
    Number of bytes in the server-to-client direction of the session.
    Bytes Sent (bytes_sent)
    Number of bytes in the client-to-server direction of the session.
    Packets Received (pkts_received)
    Number of server-to-client packets for the session.
    Packets Sent (pkts_sent)
    Number of client-to-server packets for the session.
    Start Time (start_time)
    Time of session start and disk use.
    Elapsed Time (elapsed_time)
    Elapsed time of the session.
    Repeat Count (repeat_count)
    Number of sessions with the same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
    Category (category)
    URL category associated with the session (if applicable).
    Source Country (src country)
    Source country or Internal region for private addresses; maximum length is 32 bytes.
    Destination Country (dst country)
    Destination country or Internal region for private addresses. Maximum length is 32 bytes.
    Session End Reason (session_end_reason)
    The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
    • threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
    • policy-deny—The session matched a security rule with a deny or drop action.
    • decrypt-cert-validation—The session terminated because you configured the firewall to block when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
    • decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displays when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
    • decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSL errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
    • tcp-rst-from-client—The client sent a TCP reset to the server.
    • tcp-rst-from-server—The server sent a TCP reset to the client.
    • resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
    • tcp-fin—Both hosts in the connection sent a TCP FIN message to close the session.
    • tcp-reuse—A session is reused and the firewall closes the previous session.
    • decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
    • aged-out—The session aged out.
    • n/a—This value applies when the traffic log type is not end.
    XFF Address (xff_ip)
    The IP address of the user who requested the web page or the IP address of the next to last device that the request traversed. If the request goes through one or more proxies, load balancers, or other upstream devices, the firewall displays the IP address of the most recent device.

    © 2024 Palo Alto Networks, Inc. All rights reserved.