Tunnel logs are written whenever a next-generation firewall handles GTP traffic.
The GPRS Tunneling Protocol (GTP) is defined by the 3GPP standards to carry General Packet Radio Service (GPRS) traffic within cellular (3G and 4G) networks. GTP runs between nodes of the mobile network (for example SGSN and GGSN in 3G, or eNodeB, Serving Gateway and PDN Gateway in 4G), not on the handset itself: the control plane (GTP-C) sets up a tunnel for a subscriber session, and the subscriber's IP traffic is then carried inside that tunnel (GTP-U).
GTP tunnels can be long-lived, so next-generation firewalls write GTP logs to record when a tunnel starts and when it ends.
The network sessions carried inside a GTP tunnel are recorded as ordinary traffic logs. A traffic log for a GTP-tunneled session has its tunnel field set to 1, and the following traffic log fields are also populated for such sessions:
(ACCESS POINT NAME)
Indicates the access point name (APN), which refers to a Packet Data Network Gateway (PGW) or Gateway GPRS Support Node (GGSN) in a mobile network.
CEF field name: PanOSAccessPointName
EMAIL field name: AccessPointName
HTTPS field name: AccessPointName
LEEF field name: AccessPointName
(APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
CEF field name: PanOSApplicationSubcategory
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
(DESTINATION DYNAMIC ADDRESS GROUP)
The dynamic address group that Device-ID identifies as the destination for the traffic.
CEF field name: PanOSDestinationDynamicAddressGroup
EMAIL field name: DestinationDynamicAddressGroup
HTTPS field name: DestinationDynamicAddressGroup
LEEF field name: DestinationDynamicAddressGroup
(DG HIERARCHY LEVEL 1)
(DG HIERARCHY LEVEL 2)
(DG HIERARCHY LEVEL 3)
(DG HIERARCHY LEVEL 4)
(DYNAMIC USER GROUP NAME)
(INBOUND INTERFACE DETAILS PORT)
(INBOUND INTERFACE DETAILS SLOT)
(INBOUND INTERFACE DETAILS TYPE)
(IS DUPLICATE LOG)
(IS PRISMA USERS)
(NON STANDARD DESTINATION PORT)
(NSSAI NETWORK SLICE DIFFERENTIATOR)
(OUTBOUND INTERFACE DETAILS PORT)
(OUTBOUND INTERFACE DETAILS SLOT)
(OUTBOUND INTERFACE DETAILS TYPE)
(PACKETS DROPPED MAX)
Number of packets the firewall dropped because they exceeded the configured maximum number of encapsulation levels.
CEF field name: PanOSPacketsDroppedMax
EMAIL field name: PacketsDroppedMax
HTTPS field name: PacketsDroppedMax
LEEF field name: PacketsDroppedMax
(PACKETS DROPPED STRICT)
Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol.
CEF field name: cfp2
EMAIL field name: PacketsDroppedStrict
HTTPS field name: PacketsDroppedStrict
LEEF field name: PacketsDroppedStrict
(PACKETS DROPPED TUNNEL)
(PACKETS DROPPED PROTOCOL)
(PARENT START TIME)
Time that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSParentStarttime
EMAIL field name: ParentStarttime
HTTPS field name: ParentStarttime
LEEF field name: ParentStarttime
(RADIO ACCESS TECHNOLOGY)
(SANCTIONED STATE OF APP)
(SESSION START TIME)
Time when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: PanOSSessionStartTime
EMAIL field name: SessionStartTime
HTTPS field name: SessionStartTime
LEEF field name: startTime
(SOURCE DYNAMIC ADDRESS GROUP)
(TIME GENERATED)
Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane, with sub-second granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: PanOSTimeGeneratedHighResolution
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
LEEF field name: TimeGeneratedHighResolution
(TUNNEL ENDPOINT ID 1)
(TUNNEL ENDPOINT ID 2)
(TUNNEL INSPECTION RULE)
(TUNNEL REMOTE IMSI ID)
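The per-format names above matter once these logs leave the firewall: the same field arrives as PanOSPacketsDroppedStrict in one format and cfp2 in another, and TimeGenerated is start in CEF but devTime in LEEF. The following is an added example (not code from the page or from Palo Alto Networks) that parses one CEF line and one LEEF 2.0 line, maps the documented fields to their EMAIL/HTTPS names, converts the epoch-microsecond timestamps, and applies the consistency checks an analyst would want on a session logged inside a GTP tunnel (packets dropped by the encapsulation-depth and strict-header checks, a child session that starts before its parent, a log generated before its own session). Assumptions: the header layout follows the generic CEF and LEEF 2.0 specifications; the sample log lines and their vendor/product/version header values are constructed; the timestamp fields are accepted either as epoch microseconds (as documented above) or in the high-resolution YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z form in case an exporter renders them as dates; and the tunnel flag is not mapped because its per-format key is not listed on this page.

```python
"""Normalize GTP-tunnel traffic log lines from CEF and LEEF into one schema.
Added example, not Palo Alto Networks code. Field-name mappings come from the
field list above; header layout follows the generic CEF / LEEF 2.0 specs; the
sample lines are constructed."""
import re
from datetime import datetime, timedelta, timezone

# Canonical key (the EMAIL/HTTPS name) -> per-format extension key, as listed above.
FIELD_MAP = {
    "AccessPointName": {"cef": "PanOSAccessPointName", "leef": "AccessPointName"},
    "ApplicationSubcategory": {"cef": "PanOSApplicationSubcategory", "leef": "ApplicationSubcategory"},
    "DestinationDynamicAddressGroup": {"cef": "PanOSDestinationDynamicAddressGroup",
                                       "leef": "DestinationDynamicAddressGroup"},
    "PacketsDroppedMax": {"cef": "PanOSPacketsDroppedMax", "leef": "PacketsDroppedMax"},
    "PacketsDroppedStrict": {"cef": "cfp2", "leef": "PacketsDroppedStrict"},
    "ParentStarttime": {"cef": "PanOSParentStarttime", "leef": "ParentStarttime"},
    "SessionStartTime": {"cef": "PanOSSessionStartTime", "leef": "startTime"},
    "TimeGenerated": {"cef": "start", "leef": "devTime"},
    "TimeGeneratedHighResolution": {"cef": "PanOSTimeGeneratedHighResolution",
                                    "leef": "TimeGeneratedHighResolution"},
}
TIME_FIELDS = {"ParentStarttime", "SessionStartTime", "TimeGenerated", "TimeGeneratedHighResolution"}
COUNT_FIELDS = {"PacketsDroppedMax", "PacketsDroppedStrict"}

_PIPE = re.compile(r"(?<!\\)\|")                    # header separator, ignoring escaped '\|'
_CEF_KV = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")   # CEF extension values may contain spaces


def parse_cef(line):
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension -> raw key/value dict."""
    parts = _PIPE.split(line.strip(), maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    return dict(_CEF_KV.findall(parts[7]))


def parse_leef(line):
    """LEEF:2.0|Vendor|Product|Version|EventID|Delimiter|Extension -> raw key/value dict.
    The delimiter field is either a literal character or 'xHH' (hex); empty means tab."""
    parts = _PIPE.split(line.strip(), maxsplit=6)
    if len(parts) != 7 or not parts[0].startswith("LEEF:"):
        raise ValueError("not a LEEF 2.0 line")
    delim = parts[5]
    if delim == "":
        delim = "\t"
    elif re.fullmatch(r"x[0-9A-Fa-f]{2}", delim):
        delim = chr(int(delim[1:], 16))
    return dict(kv.split("=", 1) for kv in parts[6].split(delim) if "=" in kv)


def to_datetime(value):
    """Epoch-microsecond strings (per the field descriptions above) or the high-resolution
    YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z form; accepting both is an assumption of this example."""
    value = value.strip()
    if value.isdigit():  # integer arithmetic: no float rounding on 16-digit microsecond counts
        return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value))
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp {value!r}")


def normalize(line):
    """Return {canonical name: typed value} plus 'format' for one CEF or LEEF line."""
    if line.startswith("CEF:"):
        fmt, raw = "cef", parse_cef(line)
    elif line.startswith("LEEF:"):
        fmt, raw = "leef", parse_leef(line)
    else:
        raise ValueError("unknown log format")
    rec = {"format": fmt}
    for canon, names in FIELD_MAP.items():
        value = raw.get(names[fmt])
        if value is None:
            continue
        if canon in TIME_FIELDS:
            rec[canon] = to_datetime(value)
        elif canon in COUNT_FIELDS:
            rec[canon] = int(value)
        else:
            rec[canon] = value
    return rec


def tunnel_session_findings(rec):
    """Consistency checks for a session logged inside a GTP tunnel; empty list means clean."""
    findings = []
    dropped_max = rec.get("PacketsDroppedMax", 0)
    dropped_strict = rec.get("PacketsDroppedStrict", 0)
    if dropped_max + dropped_strict > 0:
        findings.append(f"dropped {dropped_max + dropped_strict} packet(s): "
                        f"max-encapsulation={dropped_max}, strict-header={dropped_strict}")
    parent, child = rec.get("ParentStarttime"), rec.get("SessionStartTime")
    if parent and child and child < parent:
        findings.append("inner session starts before its parent (tunnel) session")
    generated, hires = rec.get("TimeGenerated"), rec.get("TimeGeneratedHighResolution")
    if generated and child and generated < child:
        findings.append("log generated before the session started")
    if generated and hires and abs((generated - hires).total_seconds()) >= 1:
        findings.append("TimeGenerated and TimeGeneratedHighResolution disagree")
    return findings


# Constructed sample lines; the vendor/product/version header values are placeholders.
SAMPLE_CEF = ("CEF:0|Palo Alto Networks|PAN-OS|10.2|end|TRAFFIC|1|"
              "PanOSAccessPointName=internet.example PanOSApplicationSubcategory=internet-utility "
              "PanOSDestinationDynamicAddressGroup=dag-core-dns PanOSPacketsDroppedMax=0 cfp2=3 "
              "PanOSParentStarttime=1700000000000000 PanOSSessionStartTime=1700000001500000 "
              "start=1700000061500000 PanOSTimeGeneratedHighResolution=2023-11-14T22:14:21.500000Z")
SAMPLE_LEEF = ("LEEF:2.0|Palo Alto Networks|PAN-OS|10.2|TRAFFIC|x09|"
               "AccessPointName=internet.example\tApplicationSubcategory=internet-utility\t"
               "PacketsDroppedMax=2\tPacketsDroppedStrict=0\tParentStarttime=1700000000000000\t"
               "startTime=1700000001500000\tdevTime=1700000061500000\t"
               "TimeGeneratedHighResolution=2023-11-14T22:14:21.500000Z")

if __name__ == "__main__":
    for sample in (SAMPLE_CEF, SAMPLE_LEEF):
        rec = normalize(sample)
        print(rec["format"], rec["AccessPointName"], rec["TimeGenerated"].isoformat(),
              tunnel_session_findings(rec) or "no findings")
```

Both sample lines describe the same inner session, so after normalization their SessionStartTime and ParentStarttime compare equal even though the raw keys differ; the CEF sample reports three strict-header drops and the LEEF sample two encapsulation-depth drops, each of which the checks surface as a finding. Epoch microseconds are converted with integer timedelta arithmetic rather than float division so a 16-digit count keeps its last digit.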