Tunnel

Tunnel logs are written whenever a next-generation firewall is handling GTP traffic.
The GPRS Tunneling Protocol (GTP) is defined by the 3GPP standards to carry General Packet Radio Service (GPRS) within cellular (3G and 4G) networks. Mobile equipment uses this protocol to establish a connection to cell towers. Network traffic is then tunneled inside of this connection.
GTP tunnels can be long-lived. Next-generation firewalls use GTP logs to identify the start and end of GTP tunnels.
Next-generation firewalls record the network sessions inside of a GTP tunnel using ordinary traffic logs. The traffic log identifies GTP tunneled sessions using the tunnel field (value, in this case, is 1). In addition, the following traffic log fields are also populated for traffic inside of a GTP tunnel:
See the following for information related to supported log formats:
TUNNEL Field
(Display Name)
Description
access_point_name
(ACCESS POINT NAME)
Indicates the access point name, which is a reference to a Packet Data Network Data Gateway (PGW)/ Gateway GPRS Support Node in a mobile network.
Syslog field name: Syslog Field Order
CEF field name: PanOSAccessPointName
EMAIL field name: AccessPointName
HTTPS field name: AccessPointName
LEEF field name: AccessPointName
action.​value
(ACTION)
Identifies the action that the firewall took for the network traffic.
Syslog field name: Syslog Field Order
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: EventID
action_source.​value
(ACTION SOURCE)
Specifies whether the action taken to allow or block an application was defined in the application or in policy.
Syslog field name: Syslog Field Order
CEF field name: cat
EMAIL field name: ActionSource
HTTPS field name: ActionSource
LEEF field name: ActionSource
app
(APPLICATION)
Application associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application
app_category
(APPLICATION CATEGORY)
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory
app_sub_category
(APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
bytes_received
(BYTES RECEIVED)
Number of bytes in the server-to-client network traffic.
Syslog field name: Syslog Field Order
CEF field name: in
EMAIL field name: BytesReceived
HTTPS field name: BytesReceived
LEEF field name: dstBytes
bytes_sent
(BYTES SENT)
Number of bytes in the client-to-server network traffic.
Syslog field name: Syslog Field Order
CEF field name: out
EMAIL field name: BytesSent
HTTPS field name: BytesSent
LEEF field name: srcBytes
bytes_total
(BYTES)
Number of total bytes (transmit and receive).
Syslog field name: Syslog Field Order
CEF field name: PanOSBytes
EMAIL field name: Bytes
HTTPS field name: Bytes
LEEF field name: Bytes
config_version.​value
(CONFIG VERSION)
Version number of the firewall operating system that wrote this log record.
Syslog field name: Syslog Field Order
CEF field name: PanOSConfigVersion
EMAIL field name: ConfigVersion
HTTPS field name: ConfigVersion
LEEF field name: ConfigVersion
container_id
(CONTAINER ID)
Unknown field. No information is available at this time.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerID
EMAIL field name: ContainerID
HTTPS field name: ContainerID
LEEF field name: ContainerID
container_of_app
(APPLICATION CONTAINER)
Identifies the managing application or parent of the application associated with this network traffic.
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer
content_version
(CONTENT VERSION)
Version of the content on the firewall.
CEF field name: PanOSContentVersion
EMAIL field name: ContentVersion
HTTPS field name: ContentVersion
LEEF field name: ContentVersion
count_of_repeats
(REPEAT COUNT)
Number of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
Syslog field name: Syslog Field Order
CEF field name: cnt
EMAIL field name: RepeatCount
HTTPS field name: RepeatCount
LEEF field name: RepeatCount
customer_id
(LOGGING SERVICE ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
CEF field name: PanOSLoggingServiceID
EMAIL field name: LoggingServiceID
HTTPS field name: LoggingServiceID
LEEF field name: LoggingServiceID
dest_device_class
(DESTINATION DEVICE CLASS)
Destination device class.
EMAIL field name: DestinationDeviceClass
HTTPS field name: DestinationDeviceClass
LEEF field name: DestinationDeviceClass
dest_device_mac
(DESTINATION DEVICE MAC)
Destination device MAC address.
EMAIL field name: DestinationDeviceMac
HTTPS field name: DestinationDeviceMac
LEEF field name: DestinationDeviceMac
dest_device_model
(DESTINATION DEVICE MODEL)
Destination device model.
EMAIL field name: DestinationDeviceModel
HTTPS field name: DestinationDeviceModel
LEEF field name: DestinationDeviceModel
dest_device_os
(DESTINATION DEVICE OS)
Destination device OS type.
CEF field name: PanOSDestinationDeviceOS
EMAIL field name: DestinationDeviceOS
HTTPS field name: DestinationDeviceOS
LEEF field name: DestinationDeviceOS
dest_device_vendor
(DESTINATION DEVICE VENDOR)
Destination device vendor.
EMAIL field name: DestinationDeviceVendor
HTTPS field name: DestinationDeviceVendor
LEEF field name: DestinationDeviceVendor
dest_dynamic_address_group
(DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
Syslog field name: Syslog Field Order
dest_edl
(DESTINATION EDL)
The name of the external dynamic list that contains the destination IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationEDL
EMAIL field name: DestinationEDL
HTTPS field name: DestinationEDL
LEEF field name: DestinationEDL
dest_ip.​value
(DESTINATION ADDRESS)
Original destination IP address.
Syslog field name: Syslog Field Order
CEF fields: dst or c6a3
EMAIL field name: DestinationAddress
HTTPS field name: DestinationAddress
LEEF field name: dst
dest_location
(DESTINATION LOCATION)
Destination country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSDestinationLocation
EMAIL field name: DestinationLocation
HTTPS field name: DestinationLocation
LEEF field name: DestinationLocation
dest_port
(DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
Syslog field name: Syslog Field Order
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort
dest_user
(DESTINATION USER)
The username to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: duser
EMAIL field name: DestinationUser
HTTPS field name: DestinationUser
LEEF field name: DestinationUser
dest_user_info.​domain
(DESTINATION USER DOMAIN)
Domain to which the Destination User belongs.
CEF field name: dntdom
EMAIL field name: DestinationUserDomain
HTTPS field name: DestinationUserDomain
LEEF field name: DestinationUserDomain
dest_user_info.​name
(DESTINATION USER NAME)
The Destination User. That is, the username to which the network traffic was destined.
CEF field name: duser
EMAIL field name: DestinationUserName
HTTPS field name: DestinationUserName
LEEF field name: DestinationUserName
dest_user_info.​uuid
(DESTINATION USER UUID)
Unique identifier assigned to the Destination User.
CEF field name: duid
EMAIL field name: DestinationUserUUID
HTTPS field name: DestinationUserUUID
LEEF field name: DestinationUserUUID
dest_uuid
(DESTINATION UUID)
Identifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
CEF field name: PanOSDestinationUUID
EMAIL field name: DestinationUUID
HTTPS field name: DestinationUUID
LEEF field name: DestinationUUID
dg_hier_level_1
(DG HIERARCHY LEVEL 1)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel1
EMAIL field name: DGHierarchyLevel1
HTTPS field name: DGHierarchyLevel1
LEEF field name: DGHierarchyLevel1
dg_hier_level_2
(DG HIERARCHY LEVEL 2)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel2
EMAIL field name: DGHierarchyLevel2
HTTPS field name: DGHierarchyLevel2
LEEF field name: DGHierarchyLevel2
dg_hier_level_3
(DG HIERARCHY LEVEL 3)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel3
EMAIL field name: DGHierarchyLevel3
HTTPS field name: DGHierarchyLevel3
LEEF field name: DGHierarchyLevel3
dg_hier_level_4
(DG HIERARCHY LEVEL 4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
Syslog field name: Syslog Field Order
CEF field name: PanOSDGHierarchyLevel4
EMAIL field name: DGHierarchyLevel4
HTTPS field name: DGHierarchyLevel4
LEEF field name: DGHierarchyLevel4
dynusergroup_name
(DYNAMIC USER GROUP NAME)
Dynamic user group of the user who initiated the network connection.
Syslog field name: Syslog Field Order
EMAIL field name: DynamicUserGroupName
HTTPS field name: DynamicUserGroupName
LEEF field name: DynamicUserGroupName
from_zone
(FROM ZONE)
The networking zone from which the traffic originated.
Syslog field name: Syslog Field Order
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone
inbound_if.​value
(INBOUND INTERFACE)
Interface from which the network traffic was sourced.
Syslog field name: Syslog Field Order
CEF field name: deviceInboundInterface
EMAIL field name: InboundInterface
HTTPS field name: InboundInterface
LEEF field name: InboundInterface
inbound_if_details.​port
(INBOUND INTERFACE DETAILS PORT)
Hardware port or socket from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsPort
HTTPS field name: InboundInterfaceDetailsPort
inbound_if_details.​slot
(INBOUND INTERFACE DETAILS SLOT)
Interface slot from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsSlot
HTTPS field name: InboundInterfaceDetailsSlot
inbound_if_details.​type.​value
(INBOUND INTERFACE DETAILS TYPE)
The type of interface from which the network traffic was sourced.
EMAIL field name: InboundInterfaceDetailsType
HTTPS field name: InboundInterfaceDetailsType
inbound_if_details.​unit
(INBOUND INTERFACE DETAILS UNIT)
Internal use.
EMAIL field name: InboundInterfaceDetailsUnit
HTTPS field name: InboundInterfaceDetailsUnit
is_captive_portal
(CAPTIVE PORTAL)
Indicates if user information for the session was captured through Captive Portal.
CEF field name: PanOSCaptivePortal
EMAIL field name: CaptivePortal
HTTPS field name: CaptivePortal
LEEF field name: CaptivePortal
is_client_to_server
(IS CLIENT TO SERVER)
Indicates if direction of traffic is from client to server.
CEF field name: PanOSIsClienttoServer
EMAIL field name: IsClienttoServer
HTTPS field name: IsClienttoServer
LEEF field name: IsClienttoServer
is_container
(IS CONTAINER)
Indicates if the session is a container page access (Container Page).
CEF field name: PanOSIsContainer
EMAIL field name: IsContainer
HTTPS field name: IsContainer
LEEF field name: IsContainer
is_decrypt_mirror
(IS DECRYPT MIRROR)
Indicates whether decrypted traffic was sent out in clear text through a mirror port.
CEF field name: PanOSIsDecryptMirror
EMAIL field name: IsDecryptMirror
HTTPS field name: IsDecryptMirror
LEEF field name: IsDecryptMirror
is_decrypted_payload_fwded
(IS DECRYPTED PAYLOAD FORWARD)
Unknown field. No information is available at this time.
EMAIL field name: IsDecryptedPayloadForward
HTTPS field name: IsDecryptedPayloadForward
LEEF field name: IsDecryptedPayloadForward
is_decryption_log
(IS DECRYPTED LOG)
Unknown field. No information is available at this time.
CEF field name: PanOSIsDecryptedLog
EMAIL field name: IsDecryptedLog
HTTPS field name: IsDecryptedLog
LEEF field name: IsDecryptedLog
is_dup_log
(IS DUPLICATE LOG)
Indicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
CEF field name: PanOSIsDuplicateLog
EMAIL field name: IsDuplicateLog
HTTPS field name: IsDuplicateLog
LEEF field name: IsDuplicateLog
is_exported
(LOG EXPORTED)
Indicates if this log was exported from the firewall using the firewall's log export function.
CEF field name: PanOSLogExported
EMAIL field name: LogExported
HTTPS field name: LogExported
LEEF field name: LogExported
is_forwarded
(LOG FORWARDED)
Internal-use field that indicates if the log is being forwarded.
CEF field name: PanOSLogForwarded
EMAIL field name: LogForwarded
HTTPS field name: LogForwarded
LEEF field name: LogForwarded
is_ipv6
(IS IPV6)
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6
EMAIL field name: IsIPV6
HTTPS field name: IsIPV6
LEEF field name: IsIPV6
is_l7_inspection_b4_session
(IS INSPECTION BEFORE SESSION)
Unknown field. No information is available at this time.
EMAIL field name: IsInspectionBeforeSession
HTTPS field name: IsInspectionBeforeSession
LEEF field name: IsInspectionBeforeSession
is_mptcp_on
(IS MPTCP ON)
Indicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
CEF field name: PanOSIsMptcpOn
EMAIL field name: IsMptcpOn
HTTPS field name: IsMptcpOn
LEEF field name: IsMptcpOn
is_nat
(NAT)
Indicates if the firewall is performing network address translation (NAT) for the logged traffic.
CEF field name: PanOSNAT
EMAIL field name: NAT
HTTPS field name: NAT
LEEF field name: NAT
is_non_std_dest_port
(IS NON STANDARD DESTINATION PORT)
Indicates if the destination port is non-standard.
is_packet_capture
(IS PACKET CAPTURE)
Indicates whether the session has a packet capture (PCAP).
CEF field name: PanOSIsPacketCapture
EMAIL field name: IsPacketCapture
HTTPS field name: IsPacketCapture
LEEF field name: IsPacketCapture
is_phishing
(IS PHISHING)
Indicates whether enterprise credentials were submitted by an end user.
CEF field name: PanOSIsPhishing
EMAIL field name: IsPhishing
HTTPS field name: IsPhishing
LEEF field name: IsPhishing
is_prisma_branch
(IS PRISMA NETWORK)
Internal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
CEF field name: PanOSIsPrismaNetwork
EMAIL field name: IsPrismaNetwork
HTTPS field name: IsPrismaNetwork
LEEF field name: IsPrismaNetwork
is_prisma_mobile
(IS PRISMA USERS)
Internal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
CEF field name: PanOSIsPrismaUsers
EMAIL field name: IsPrismaUsers
HTTPS field name: IsPrismaUsers
LEEF field name: IsPrismaUsers
is_proxy
(IS PROXY)
Indicates whether the SSL session is decrypted (SSL Proxy).
CEF field name: PanOSIsProxy
EMAIL field name: IsProxy
HTTPS field name: IsProxy
LEEF field name: IsProxy
is_recon_excluded
(IS RECON EXCLUDED)
Indicates whether source for the flow is on the firewall allow list and not subject to recon protection.
CEF field name: PanOSIsReconExcluded
EMAIL field name: IsReconExcluded
HTTPS field name: IsReconExcluded
LEEF field name: IsReconExcluded
is_saas_app
(IS SAAS APPLICATION)
Internal use field. Indicates whether the application associated with this network traffic is a SAAS application.
CEF field name: PanOSIsSaaSApplication
EMAIL field name: IsSaaSApplication
HTTPS field name: IsSaaSApplication
LEEF field name: IsSaaSApplication
is_server_to_client
(IS SERVER TO CLIENT)
Indicates if direction of traffic is from server to client.
CEF field name: PanOSIsServertoClient
EMAIL field name: IsServertoClient
HTTPS field name: IsServertoClient
LEEF field name: IsServertoClient
is_source_x_fwded
(IS SOURCE X FORWARDED)
Indicates whether the X-Forwarded-For value from a proxy is in the source user field.
CEF field name: PanOSIsSourceXForwarded
EMAIL field name: IsSourceXForwarded
HTTPS field name: IsSourceXForwarded
LEEF field name: IsSourceXForwarded
is_sym_return
(IS SYSTEM RETURN)
Indicates whether symmetric return was used to forward traffic for this session.
CEF field name: PanOSIsSystemReturn
EMAIL field name: IsSystemReturn
HTTPS field name: IsSystemReturn
LEEF field name: IsSystemReturn
is_transaction
(IS TRANSACTION)
Indicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
CEF field name: PanOSIsTransaction
EMAIL field name: IsTransaction
HTTPS field name: IsTransaction
LEEF field name: IsTransaction
is_tunnel_inspected
(IS TUNNEL INSPECTED)
Indicates whether the payload for the outer tunnel was inspected.
CEF field name: PanOSIsTunnelInspected
EMAIL field name: IsTunnelInspected
HTTPS field name: IsTunnelInspected
LEEF field name: IsTunnelInspected
is_url_denied
(IS URL DENIED)
Indicates whether the session was denied due to a URL filtering rule.
CEF field name: PanOSIsURLDenied
EMAIL field name: IsURLDenied
HTTPS field name: IsURLDenied
LEEF field name: IsURLDenied
log_set
(LOG SETTING)
Log forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
Syslog field name: Syslog Field Order
CEF field name: cs6
EMAIL field name: LogSetting
HTTPS field name: LogSetting
LEEF field name: LogSetting
log_source
(LOG SOURCE)
Identifies the origin of the data. That is, the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
Syslog field name: Syslog Field Order
CEF field name: deviceExternalId
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log. That is, the hostname of the firewall that logged the network traffic.
Syslog field name: Syslog Field Order
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time Zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.​value
(LOG TYPE)
Identifies the log type.
Syslog field name: Syslog Field Order
CEF field name: Device Event Class ID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
mobile_area_code
(MOBILE AREA CODE)
Area within a Public Land Mobile Network (PLMN).
Syslog field name: Syslog Field Order
CEF field name: PanOSMobileAreaCode
EMAIL field name: MobileAreaCode
HTTPS field name: MobileAreaCode
LEEF field name: MobileAreaCode
mobile_base_station_code
(MOBILE BASE STATION CODE)
Base station within an area code.
Syslog field name: Syslog Field Order
EMAIL field name: MobileBaseStationCode
HTTPS field name: MobileBaseStationCode
LEEF field name: MobileBaseStationCode
mobile_country_code
(MOBILE COUNTRY CODE)
Mobile country code of serving core network operator.
Syslog field name: Syslog Field Order
CEF field name: PanOSMobileCountryCode
EMAIL field name: MobileCountryCode
HTTPS field name: MobileCountryCode
LEEF field name: MobileCountryCode
mobile_ip.​value
(MOBILE IP)
IP address of a mobile subscriber allocated by a PGW/GGSN.
Syslog field name: Syslog Field Order
CEF field name: PanOSMobileIP
EMAIL field name: MobileIP
HTTPS field name: MobileIP
LEEF field name: MobileIP
mobile_network_code
(MOBILE NETWORK CODE)
Mobile network code of serving core network operator.
Syslog field name: Syslog Field Order
CEF field name: PanOSMobileNetworkCode
EMAIL field name: MobileNetworkCode
HTTPS field name: MobileNetworkCode
LEEF field name: MobileNetworkCode
mobile_subscriber_isdn
(MOBILE SUBSCRIBER ISDN)
Service identity associated with the mobile subscriber.
Syslog field name: Syslog Field Order
EMAIL field name: MobileSubscriberISDN
HTTPS field name: MobileSubscriberISDN
LEEF field name: MobileSubscriberISDN
monitor_tag_imei
(IMEI)
A string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMEI
EMAIL field name: IMEI
HTTPS field name: IMEI
LEEF field name: IMEI
nat_dest.​value
(NAT DESTINATION)
If destination NAT performed, the post-NAT destination IP address.
Syslog field name: Syslog Field Order
EMAIL field name: NATDestination
HTTPS field name: NATDestination
LEEF field name: dstPostNAT
nat_dest_port
(NAT DESTINATION PORT)
Post-NAT destination port.
Syslog field name: Syslog Field Order
EMAIL field name: NATDestinationPort
HTTPS field name: NATDestinationPort
LEEF field name: dstPostNATPort
nat_source.​value
(NAT SOURCE)
If source NAT was performed, the post-NAT source IP address.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedAddress
EMAIL field name: NATSource
HTTPS field name: NATSource
LEEF field name: srcPostNAT
nat_source_port
(NAT SOURCE PORT)
Post-NAT source port.
Syslog field name: Syslog Field Order
CEF field name: sourceTranslatedPort
EMAIL field name: NATSourcePort
HTTPS field name: NATSourcePort
LEEF field name: srcPostNATPort
non_standard_dest_port
(NON STANDARD DESTINATION PORT)
Identifies the non-standard or unexpected port used by the application associated with this session.
EMAIL field name: NonStandardDestinationPort
HTTPS field name: NonStandardDestinationPort
nssai_network_slice_differentiator.​value
(NSSAI NETWORK SLICE DIFFERENTIATOR)
Network Slice Differentiator (SD part of SNSSAI).
Syslog field name: Syslog Field Order
nssai_network_slice_type.​value
(NSSAI NETWORK SLICE TYPE)
Network Slice Type (SST part of SNSSAI).
Syslog field name: Syslog Field Order
EMAIL field name: NSSAINetworkSliceType
HTTPS field name: NSSAINetworkSliceType
LEEF field name: NSSAINetworkSliceType
outbound_if.​value
(OUTBOUND INTERFACE)
Interface to which the network traffic was destined.
Syslog field name: Syslog Field Order
CEF field name: deviceOutboundInterface
EMAIL field name: OutboundInterface
HTTPS field name: OutboundInterface
LEEF field name: OutboundInterface
outbound_if_details.​port
(OUTBOUND INTERFACE DETAILS PORT)
Hardware port or socket to which the network traffic was sent.
outbound_if_details.​slot
(OUTBOUND INTERFACE DETAILS SLOT)
Interface slot to which the network traffic was sent.
outbound_if_details.​type.​value
(OUTBOUND INTERFACE DETAILS TYPE)
The type of interface to which the network traffic was sent.
outbound_if_details.​unit
(OUTBOUND INTERFACE DETAILS UNIT)
Internal use.
packets_dropped_max_encap
(PACKETS DROPPED MAX)
Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured.
Syslog field name: Syslog Field Order
CEF field name: PanOSPacketsDroppedMax
EMAIL field name: PacketsDroppedMax
HTTPS field name: PacketsDroppedMax
LEEF field name: PacketsDroppedMax
packets_dropped_strict_check
(PACKETS DROPPED STRICT)
Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol.
Syslog field name: Syslog Field Order
CEF field name: cfp2
EMAIL field name: PacketsDroppedStrict
HTTPS field name: PacketsDroppedStrict
LEEF field name: PacketsDroppedStrict
packets_dropped_tunnel_frag
(PACKETS DROPPED TUNNEL)
Number of packets the firewall dropped because of fragmentation errors.
Syslog field name: Syslog Field Order
EMAIL field name: PacketsDroppedTunnel
HTTPS field name: PacketsDroppedTunnel
LEEF field name: PacketsDroppedTunnel
packets_dropped_ukn_proto
(PACKETS DROPPED PROTOCOL)
Number of packets the firewall dropped because the packet contains an unknown protocol.
Syslog field name: Syslog Field Order
CEF field name: cfp1
EMAIL field name: PacketsDroppedProtocol
HTTPS field name: PacketsDroppedProtocol
LEEF field name: PacketsDroppedProtocol
packets_received
(PACKETS RECEIVED)
Number of server-to-client packets for the session.
Syslog field name: Syslog Field Order
CEF field name: PanOSPacketsReceived
EMAIL field name: PacketsReceived
HTTPS field name: PacketsReceived
LEEF field name: dstPackets
packets_sent
(PACKETS SENT)
Number of client-to-server packets for the session.
Syslog field name: Syslog Field Order
CEF field name: PanOSPacketsSent
EMAIL field name: PacketsSent
HTTPS field name: PacketsSent
LEEF field name: srcPackets
packets_total
(PACKETS TOTAL)
Number of total packets (transmit and receive) seen for the session.
Syslog field name: Syslog Field Order
CEF field name: cn2
EMAIL field name: PacketsTotal
HTTPS field name: PacketsTotal
LEEF field name: totalPackets
parent_session_id
(PARENT SESSION ID)
ID of the session in which this network traffic was tunneled.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentSessionID
EMAIL field name: ParentSessionID
HTTPS field name: ParentSessionID
LEEF field name: ParentSessionID
parent_start_time
(PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSParentStarttime
EMAIL field name: ParentStarttime
HTTPS field name: ParentStarttime
LEEF field name: ParentStarttime
pdu_session_id
(PROTOCOL DATA UNIT SESSION ID)
Protocol Data Unit session ID.
Syslog field name: Syslog Field Order
EMAIL field name: ProtocolDataUnitsessionID
HTTPS field name: ProtocolDataUnitsessionID
LEEF field name: ProtocolDataUnitsessionID
pod_name
(POD NAME)
Container name.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerName
EMAIL field name: ContainerName
HTTPS field name: ContainerName
LEEF field name: ContainerName
pod_namespace
(CONTAINER NAME SPACE)
Container namespace.
Syslog field name: Syslog Field Order
CEF field name: PanOSContainerNameSpace
EMAIL field name: ContainerNameSpace
HTTPS field name: ContainerNameSpace
LEEF field name: ContainerNameSpace
protocol.​value
(PROTOCOL)
IP protocol associated with the session.
Syslog field name: Syslog Field Order
CEF field name: proto
EMAIL field name: Protocol
HTTPS field name: Protocol
LEEF field name: proto
radio_access_technology
(RADIO ACCESS TECHNOLOGY)
Identifies the type of technology used for radio access.
Syslog field name: Syslog Field Order
EMAIL field name: RadioAccessTechnology
HTTPS field name: RadioAccessTechnology
LEEF field name: RadioAccessTechnology
risk_of_app
(APPLICATION RISK)
Indicates how risky the application is from a network security perspective.
CEF field name: PanOSApplicationRisk
EMAIL field name: ApplicationRisk
HTTPS field name: ApplicationRisk
LEEF field name: ApplicationRisk
rule_matched
(RULE)
Name of the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: cs1
EMAIL field name: Rule
HTTPS field name: Rule
LEEF field name: Rule
rule_matched_uuid
(RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
Syslog field name: Syslog Field Order
CEF field name: PanOSRuleUUID
EMAIL field name: RuleUUID
HTTPS field name: RuleUUID
LEEF field name: RuleUUID
sanctioned_state_of_app
(SANCTIONED STATE OF APP)
Indicates whether the application has been flagged as sanctioned by the firewall administrator.
EMAIL field name: SanctionedStateofApp
HTTPS field name: SanctionedStateofApp
LEEF field name: SanctionedStateofApp
sequence_no
(SEQUENCE NO)
The log entry identifier, which is incremented sequentially. Each log type has a unique number space.
Syslog field name: Syslog Field Order
CEF field name: externalId
EMAIL field name: SequenceNo
HTTPS field name: SequenceNo
LEEF field name: SequenceNo
sess_owner_rt_midx
(SESSION OWNER MIDX)
Unknown field. No information is available at this time.
CEF field name: PanOSSessionOwnerMidx
EMAIL field name: SessionOwnerMidx
HTTPS field name: SessionOwnerMidx
LEEF field name: SessionOwnerMidx
session_end_reason.​value
(SESSION END REASON)
The reason a session terminated.
Syslog field name: Syslog Field Order
CEF field name: reason
EMAIL field name: SessionEndReason
HTTPS field name: SessionEndReason
LEEF field name: SessionEndReason
session_id
(SESSION ID)
Identifies the firewall's internal identifier for a specific network session.
Syslog field name: Syslog Field Order
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
session_start_time
(SESSION START TIME)
Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: PanOSSessionStartTime
EMAIL field name: SessionStartTime
HTTPS field name: SessionStartTime
LEEF field name: startTime
session_tracker
(SESSION TRACKER)
Unknown field. No information is available at this time.
CEF field name: PanOSSessionTracker
EMAIL field name: SessionTracker
HTTPS field name: SessionTracker
LEEF field name: SessionTracker
severity
(SEVERITY)
Severity as defined by the platform.
CEF field name: PanOSSeverity
EMAIL field name: Severity
HTTPS field name: Severity
LEEF field name: Severity
source_device_class
(SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass
source_device_mac
(SOURCE DEVICE MAC)
Source device MAC address.
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Source device model.
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_os
(SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS
source_device_vendor
(SOURCE DEVICE VENDOR)
Source device vendor.
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_dynamic_address_group
(SOURCE DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the source of the traffic.
Syslog field name: Syslog Field Order
EMAIL field name: SourceDynamicAddressGroup
HTTPS field name: SourceDynamicAddressGroup
LEEF field name: SourceDynamicAddressGroup
source_edl
(SOURCE EDL)
The name of the external dynamic list that contains the source IP address of the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceEDL
EMAIL field name: SourceEDL
HTTPS field name: SourceEDL
LEEF field name: SourceEDL
source_ip.​value
(SOURCE ADDRESS)
Original source IP address.
Syslog field name: Syslog Field Order
CEF fields: src or c6a2
EMAIL field name: SourceAddress
HTTPS field name: SourceAddress
LEEF field name: src
source_location
(SOURCE LOCATION)
Source country or internal region for private addresses.
Syslog field name: Syslog Field Order
CEF field name: PanOSSourceLocation
EMAIL field name: SourceLocation
HTTPS field name: SourceLocation
LEEF field name: SourceLocation
source_port
(SOURCE PORT)
Source port utilized by the session.
Syslog field name: Syslog Field Order
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort
source_user
(SOURCE USER)
The username that initiated the network traffic.
Syslog field name: Syslog Field Order
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: usrName
source_user_info.​domain
(SOURCE USER DOMAIN)
Domain to which the Source User belongs.
CEF field name: sntdom
EMAIL field name: SourceUserDomain
HTTPS field name: SourceUserDomain
LEEF field name: SourceUserDomain
source_user_info.​name
(SOURCE USER NAME)
The Source User. That is, the username that initiated the network traffic.
CEF field name: suser
EMAIL field name: SourceUserName
HTTPS field name: SourceUserName
LEEF field name: SourceUserName
source_user_info.​uuid
(SOURCE USER UUID)
Unique identifier assigned to the Source User.
CEF field name: suid
EMAIL field name: SourceUserUUID
HTTPS field name: SourceUserUUID
LEEF field name: SourceUserUUID
source_uuid
(SOURCE UUID)
Identifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
CEF field name: PanOSSourceUUID
EMAIL field name: SourceUUID
HTTPS field name: SourceUUID
LEEF field name: SourceUUID
standard_ports_of_app
(STANDARD PORTS OF APP)
Standard Ports of App.
CEF field name: PanOSStandardPortsOfApp
EMAIL field name: StandardPortsOfApp
HTTPS field name: StandardPortsOfApp
LEEF field name: StandardPortsOfApp
sub_type.​value
(SUBTYPE)
Identifies the log subtype.
Syslog field name: Syslog Field Order
CEF field name: Name
EMAIL field name: Subtype
HTTPS field name: Subtype
LEEF field name: SubType
technology_of_app
(APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology
time_generated
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
Syslog field name: Syslog Field Order
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
Syslog field name: Syslog Field Order
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
to_zone
(TO ZONE)
Networking zone to which the traffic was sent.
Syslog field name: Syslog Field Order
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone
total_time_elapsed
(SESSION DURATION)
Total time taken for the network session to complete.
Syslog field name: Syslog Field Order
CEF field name: cn3
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration
tunnel.​value
(TUNNEL)
Type of tunnel.
Syslog field name: Syslog Field Order
CEF field name: cs2
EMAIL field name: Tunnel
HTTPS field name: Tunnel
LEEF field name: Tunnel
tunnel_cause_code
(TUNNEL CAUSE CODE)
GTP cause value in log responses.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelCauseCode
EMAIL field name: TunnelCauseCode
HTTPS field name: TunnelCauseCode
LEEF field name: TunnelCauseCode
tunnel_endpoint_id_1
(TUNNEL ENDPOINT ID 1)
Identifies the GTP tunnel in the network node. TEID1 is the first TEID in the GTP messages.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEndpointID1
EMAIL field name: TunnelEndpointID1
HTTPS field name: TunnelEndpointID1
LEEF field name: TunnelEndpointID1
tunnel_endpoint_id_2
(TUNNEL ENDPOINT ID 2)
Identifies the GTP tunnel in the network node. TEID2 is the second TEID in the GTP messages.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEndpointID2
EMAIL field name: TunnelEndpointID2
HTTPS field name: TunnelEndpointID2
LEEF field name: TunnelEndpointID2
tunnel_event_code
(TUNNEL EVENT CODE)
Event code describing the GTP event.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEventCode
EMAIL field name: TunnelEventCode
HTTPS field name: TunnelEventCode
LEEF field name: TunnelEventCode
tunnel_event_type
(TUNNEL EVENT TYPE)
Identifies the GTP event type for the traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelEventType
EMAIL field name: TunnelEventType
HTTPS field name: TunnelEventType
LEEF field name: TunnelEventType
tunnel_inspection_rule
(TUNNEL INSPECTION RULE)
Name of the security policy rule in effect for the session.
Syslog field name: Syslog Field Order
EMAIL field name: TunnelInspectionRule
HTTPS field name: TunnelInspectionRule
LEEF field name: TunnelInspectionRule
tunnel_interface
(TUNNEL INTERFACE)
3GPP interface from which a GTP message is received.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelInterface
EMAIL field name: TunnelInterface
HTTPS field name: TunnelInterface
LEEF field name: TunnelInterface
tunnel_message_type
(TUNNEL MESSAGE TYPE)
Identifies the GTP message type.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelMessageType
EMAIL field name: TunnelMessageType
HTTPS field name: TunnelMessageType
LEEF field name: TunnelMessageType
tunnel_remote_imsi_id
(TUNNEL REMOTE IMSI ID)
International Mobile Subscriber Identity (IMSI) of a remote user at the end of an S11-U tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelRemoteIMSIID
EMAIL field name: TunnelRemoteIMSIID
HTTPS field name: TunnelRemoteIMSIID
LEEF field name: TunnelRemoteIMSIID
tunnel_remote_user_ip.​value
(TUNNEL REMOTE USER IP)
IP address of a remote user at the end of an S11-U tunnel.
Syslog field name: Syslog Field Order
CEF field name: PanOSTunnelRemoteUserIP
EMAIL field name: TunnelRemoteUserIP
HTTPS field name: TunnelRemoteUserIP
LEEF field name: TunnelRemoteUserIP
tunnel_sessions_closed
(TUNNEL SESSIONS CLOSED)
Number of completed/closed sessions created.
Syslog field name: Syslog Field Order
CEF field name: cfp4
EMAIL field name: TunnelSessionsClosed
HTTPS field name: TunnelSessionsClosed
LEEF field name: TunnelSessionsClosed
tunnel_sessions_created
(TUNNEL SESSIONS CREATED)
Number of inner sessions created.
Syslog field name: Syslog Field Order
CEF field name: cfp3
EMAIL field name: TunnelSessionsCreated
HTTPS field name: TunnelSessionsCreated
LEEF field name: TunnelSessionsCreated
tunneled_app
(TUNNELED APPLICATION)
For internal use only.
CEF field name: PanOSTunneledApplication
EMAIL field name: TunneledApplication
HTTPS field name: TunneledApplication
LEEF field name: TunneledApplication
tunnelid_imsi
(IMSI)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Syslog field name: Syslog Field Order
CEF field name: PanOSIMSI
EMAIL field name: IMSI
HTTPS field name: IMSI
LEEF field name: IMSI
url_category.​value
(URL CATEGORY)
URL category associated with the session.
CEF field name: PanOSURLCategory
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory
users
(USERS)
Source/Destination user. If neither is available, source_ip is used.
CEF field name: PanOSUsers
EMAIL field name: Users
HTTPS field name: Users
LEEF field name: Users
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
vendor_severity.​value
(VENDOR SEVERITY)
Severity associated with the event.
Syslog field name: Syslog Field Order
CEF field name: PanOSVendorSeverity
EMAIL field name: VendorSeverity
HTTPS field name: VendorSeverity
LEEF field name: VendorSeverity
vsys
(VIRTUAL LOCATION)
String representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
Syslog field name: Syslog Field Order
CEF field name: cs3
EMAIL field name: VirtualLocation
HTTPS field name: VirtualLocation
LEEF field name: VirtualLocation
vsys_id
(VIRTUAL SYSTEM ID)
A unique identifier for a virtual system on a Palo Alto Networks firewall.
CEF field name: PanOSVirtualSystemID
EMAIL field name: VirtualSystemID
HTTPS field name: VirtualSystemID
LEEF field name: VirtualSystemID
vsys_name
(VIRTUAL SYSTEM NAME)
The name of the virtual system associated with the network traffic.
Syslog field name: Syslog Field Order
CEF field name: PanOSVirtualSystemName
EMAIL field name: VirtualSystemName
HTTPS field name: VirtualSystemName
LEEF field name: VirtualSystemName

Recommended For You