Traffic logs contain entries for the end of each network session, as well as (optionally) the start of a network session. A network session can contain multiple messages sent and received by two communicating endpoints.
Whether traffic logs are written at the start of a session is configurable by the next-generation firewall's administrator. However, firewalls are rarely configured to log session starts because of the volume of logs resulting from this configuration. Session-start logs are usually written multiple times during the course of the session — most frequently whenever the firewall must examine its policies to see if it can allow the session to continue.
Palo Alto Networks next-generation firewalls write various log records when appropriate during the course of a network session. However, session resource totals such as bytes sent and received are unknown until the session is finished. Traffic logs contain these resource totals because they are always the last log written for a session.
See the following for information related to supported log formats:
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
(CORTEX DATA LAKE TENANT ID)
(DESTINATION DEVICE CATEGORY)
(DESTINATION DEVICE HOST)
(DESTINATION DEVICE MODEL)
(DESTINATION DEVICE OS FAMILY)
(DESTINATION DEVICE OS VERSION)
(DESTINATION DEVICE PROFILE)
(DESTINATION DEVICE VENDOR)
(DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup
(DG HIERARCHY LEVEL 1)
(DG HIERARCHY LEVEL 2)
(DG HIERARCHY LEVEL 3)
(DG HIERARCHY LEVEL 4)
(DYNAMIC USER GROUP NAME)
(ENDPOINT SERIAL NUMBER)
(ENDPOINT ASSOCIATION ID)
(INBOUND INTERFACE DETAILS PORT)
(INBOUND INTERFACE DETAILS SLOT)
(INBOUND INTERFACE DETAILS TYPE)
(IS DUPLICATE LOG)
(IS PRISMA USERS)
(NON STANDARD DESTINATION PORT)
(NSSAI NETWORK SLICE DIFFERENTIATOR)
(OUTBOUND INTERFACE DETAILS PORT)
(OUTBOUND INTERFACE DETAILS SLOT)
(OUTBOUND INTERFACE DETAILS TYPE)
(PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSParentStarttime
EMAIL field name: ParentStarttime
HTTPS field name: ParentStarttime
LEEF field name: ParentStarttime
(SANCTIONED STATE OF APP)
(SESSION START TIME)
Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSSessionStartTime
EMAIL field name: SessionStartTime
HTTPS field name: SessionStartTime
LEEF field name: SessionStartTime
(SOURCE DEVICE CATEGORY)
(SOURCE DEVICE OS FAMILY)
(SOURCE DEVICE OS VERSION)
(SOURCE DYNAMIC ADDRESS GROUP)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
Recommended For You
Recommended videos not found.