Tunnel CEF Fields
The following table identifies the Tunnel field names that the Log Forwarding app
uses when you forward logs using the CEF log format.
CEF Name | Field Details |
---|---|
PanOSAccessPointName | Query Name: access_point_name; Header Type: Custom |
act | |
cat | |
app | |
PanOSApplicationCategory | Query Name: app_category; Header Type: Custom |
PanOSApplicationSubcategory | Query Name: app_sub_category; Header Type: Custom |
in | Query Name: bytes_received; Header Type: Predefined |
out | Query Name: bytes_sent; Header Type: Predefined |
PanOSBytes | Query Name: bytes_total; Header Type: Custom |
PanOSConfigVersion | Query Name: config_version.value; Header Type: Custom |
PanOSContainerID | Query Name: container_id; Header Type: Custom |
PanOSApplicationContainer | Query Name: container_of_app; Header Type: Custom |
PanOSContentVersion | Query Name: content_version; Header Type: Custom |
cnt | Query Name: count_of_repeats; Header Type: Predefined |
PanOSLoggingServiceID | Query Name: customer_id; Header Type: Custom |
PanOSDestinationDeviceClass | Query Name: dest_device_class; Header Type: Custom |
PanOSDestinationDeviceMac | Query Name: dest_device_mac; Header Type: Custom |
PanOSDestinationDeviceModel | Query Name: dest_device_model; Header Type: Custom |
PanOSDestinationDeviceOS | Query Name: dest_device_os; Header Type: Custom |
PanOSDestinationDeviceVendor | Query Name: dest_device_vendor; Header Type: Custom |
PanOSDestinationDynamicAddressGroup | Query Name: dest_dynamic_address_group; Header Type: Custom |
PanOSDestinationEDL | Query Name: dest_edl; Header Type: Custom |
dst or c6a3 | Query Name: dest_ip.value; Header Type: Predefined; Label: c6a3Label; Label Text: Destination IPv6 Address |
PanOSDestinationLocation | Query Name: dest_location; Header Type: Custom |
dpt | Query Name: dest_port; Header Type: Predefined |
duser | |
dntdom | |
duser | |
duid | |
PanOSDestinationUUID | Query Name: dest_uuid; Header Type: Custom |
PanOSDGHierarchyLevel1 | Query Name: dg_hier_level_1; Header Type: Custom |
PanOSDGHierarchyLevel2 | Query Name: dg_hier_level_2; Header Type: Custom |
PanOSDGHierarchyLevel3 | Query Name: dg_hier_level_3; Header Type: Custom |
PanOSDGHierarchyLevel4 | Query Name: dg_hier_level_4; Header Type: Custom |
PanOSDynamicUserGroupName | Query Name: dynusergroup_name; Header Type: Custom |
cs4 | |
deviceInboundInterface | |
PanOSInboundInterfaceDetailsPort | Query Name: inbound_if_details.port; Header Type: Custom |
PanOSInboundInterfaceDetailsSlot | Query Name: inbound_if_details.slot; Header Type: Custom |
PanOSInboundInterfaceDetailsType | Query Name: inbound_if_details.type.value; Header Type: Custom |
PanOSInboundInterfaceDetailsUnit | Query Name: inbound_if_details.unit; Header Type: Custom |
PanOSCaptivePortal | Query Name: is_captive_portal; Header Type: Custom |
PanOSIsClienttoServer | Query Name: is_client_to_server; Header Type: Custom |
PanOSIsContainer | Query Name: is_container; Header Type: Custom |
PanOSIsDecryptMirror | Query Name: is_decrypt_mirror; Header Type: Custom |
PanOSIsDecryptedPayloadForward | Query Name: is_decrypted_payload_fwded; Header Type: Custom |
PanOSIsDecryptedLog | Query Name: is_decryption_log; Header Type: Custom |
PanOSIsDuplicateLog | Query Name: is_dup_log; Header Type: Custom |
PanOSLogExported | Query Name: is_exported; Header Type: Custom |
PanOSLogForwarded | Query Name: is_forwarded; Header Type: Custom |
PanOSIsIPV6 | Query Name: is_ipv6; Header Type: Custom |
PanOSIsInspectionBeforeSession | Query Name: is_l7_inspection_b4_session; Header Type: Custom |
PanOSIsMptcpOn | Query Name: is_mptcp_on; Header Type: Custom |
PanOSNAT | Query Name: is_nat; Header Type: Custom |
PanOSIsNonStandardDestinationPort | Query Name: is_non_std_dest_port; Header Type: Custom |
PanOSIsPacketCapture | Query Name: is_packet_capture; Header Type: Custom |
PanOSIsPhishing | Query Name: is_phishing; Header Type: Custom |
PanOSIsPrismaNetwork | Query Name: is_prisma_branch; Header Type: Custom |
PanOSIsPrismaUsers | Query Name: is_prisma_mobile; Header Type: Custom |
PanOSIsProxy | Query Name: is_proxy; Header Type: Custom |
PanOSIsReconExcluded | Query Name: is_recon_excluded; Header Type: Custom |
PanOSIsSaaSApplication | Query Name: is_saas_app; Header Type: Custom |
PanOSIsServertoClient | Query Name: is_server_to_client; Header Type: Custom |
PanOSIsSourceXForwarded | Query Name: is_source_x_fwded; Header Type: Custom |
PanOSIsSystemReturn | Query Name: is_sym_return; Header Type: Custom |
PanOSIsTransaction | Query Name: is_transaction; Header Type: Custom |
PanOSIsTunnelInspected | Query Name: is_tunnel_inspected; Header Type: Custom |
PanOSIsURLDenied | Query Name: is_url_denied; Header Type: Custom |
cs6 | |
PanOSLogSource | Query Name: log_source; Header Type: Custom |
LogSourceGroupID | |
deviceExternalId | |
dvchost | |
PanOSLogSourceTimeZoneOffset | Query Name: log_source_tz_offset; Header Type: Custom |
rt | Query Name: log_time; Header Type: Predefined |
Device Event Class ID | Query Name: log_type.value; Header Type: Custom |
PanOSMobileAreaCode | Query Name: mobile_area_code; Header Type: Custom |
PanOSMobileBaseStationCode | Query Name: mobile_base_station_code; Header Type: Custom |
PanOSMobileCountryCode | Query Name: mobile_country_code; Header Type: Custom |
PanOSMobileIP | Query Name: mobile_ip.value; Header Type: Custom |
PanOSMobileNetworkCode | Query Name: mobile_network_code; Header Type: Custom |
PanOSMobileSubscriberISDN | Query Name: mobile_subscriber_isdn; Header Type: Custom |
PanOSIMEI | Query Name: monitor_tag_imei; Header Type: Custom |
destinationTranslatedAddress | Query Name: nat_dest.value; Header Type: Predefined |
destinationTranslatedPort | Query Name: nat_dest_port; Header Type: Predefined |
sourceTranslatedAddress | Query Name: nat_source.value; Header Type: Predefined |
sourceTranslatedPort | Query Name: nat_source_port; Header Type: Predefined |
PanOSNonStandardDestinationPort | Query Name: non_standard_dest_port; Header Type: Custom |
PanOSNSSAINetworkSliceDifferentiator | Query Name: nssai_network_slice_differentiator.value; Header Type: Custom |
PanOSNSSAINetworkSliceType | Query Name: nssai_network_slice_type.value; Header Type: Custom |
deviceOutboundInterface | |
PanOSOutboundInterfaceDetailsPort | Query Name: outbound_if_details.port; Header Type: Custom |
PanOSOutboundInterfaceDetailsSlot | Query Name: outbound_if_details.slot; Header Type: Custom |
PanOSOutboundInterfaceDetailsType | Query Name: outbound_if_details.type.value; Header Type: Custom |
PanOSOutboundInterfaceDetailsUnit | Query Name: outbound_if_details.unit; Header Type: Custom |
PanOSPacketsDroppedMax | Query Name: packets_dropped_max_encap; Header Type: Custom |
cfp2 | Query Name: packets_dropped_strict_check; Header Type: Predefined; Label: cfp2Label; Label Text: PacketsDroppedStrict |
PanOSPacketsDroppedTunnel | Query Name: packets_dropped_tunnel_frag; Header Type: Custom |
cfp1 | Query Name: packets_dropped_ukn_proto; Header Type: Predefined; Label: cfp1Label; Label Text: PacketsDroppedProtocol |
PanOSPacketsReceived | Query Name: packets_received; Header Type: Custom |
PanOSPacketsSent | Query Name: packets_sent; Header Type: Custom |
cn2 | |
PanOSPanoramaSN | Query Name: panorama_serial; Header Type: Custom |
PanOSParentSessionID | Query Name: parent_session_id; Header Type: Custom |
PanOSParentStarttime | Query Name: parent_start_time; Header Type: Custom |
PanOSProtocolDataUnitsessionID | Query Name: pdu_session_id; Header Type: Custom |
PlatformType | Query Name: platform_type; Header Type: Custom |
PanOSContainerName | Query Name: pod_name; Header Type: Custom |
PanOSContainerNameSpace | Query Name: pod_namespace; Header Type: Custom |
proto | |
PanOSRadioAccessTechnology | Query Name: radio_access_technology; Header Type: Custom |
PanOSApplicationRisk | Query Name: risk_of_app; Header Type: Custom |
cs1 | |
PanOSRuleUUID | Query Name: rule_matched_uuid; Header Type: Custom |
PanOSSanctionedStateofApp | Query Name: sanctioned_state_of_app; Header Type: Custom |
externalId | |
PanOSSessionOwnerMidx | Query Name: sess_owner_rt_midx; Header Type: Custom |
reason | |
cn1 | |
PanOSSessionStartTime | Query Name: session_start_time; Header Type: Custom |
PanOSSessionTracker | Query Name: session_tracker; Header Type: Custom |
PanOSSeverity | Query Name: severity; Header Type: Custom |
PanOSSourceDeviceClass | Query Name: source_device_class; Header Type: Custom |
PanOSSourceDeviceMac | Query Name: source_device_mac; Header Type: Custom |
PanOSSourceDeviceModel | Query Name: source_device_model; Header Type: Custom |
PanOSSourceDeviceOS | Query Name: source_device_os; Header Type: Custom |
PanOSSourceDeviceVendor | Query Name: source_device_vendor; Header Type: Custom |
PanOSSourceDynamicAddressGroup | Query Name: source_dynamic_address_group; Header Type: Custom |
PanOSSourceEDL | Query Name: source_edl; Header Type: Custom |
src or c6a2 | Query Name: source_ip.value; Header Type: Predefined; Label: c6a2Label; Label Text: Source IPv6 Address |
PanOSSourceLocation | Query Name: source_location; Header Type: Custom |
spt | Query Name: source_port; Header Type: Predefined |
suser | |
sntdom | |
suser | |
suid | |
PanOSSourceUUID | Query Name: source_uuid; Header Type: Custom |
PanOSStandardPortsOfApp | Query Name: standard_ports_of_app; Header Type: Custom |
Name | Query Name: sub_type.value; Header Type: Custom |
PanOSApplicationTechnology | Query Name: technology_of_app; Header Type: Custom |
start | Query Name: time_generated; Header Type: Predefined |
PanOSTimeGeneratedHighResolution | Query Name: time_generated_high_res; Header Type: Custom |
cs5 | |
cn3 | |
cs2 | Query Name: tunnel.value; Header Type: Predefined; Label: cs2Label; Label Text: Tunnel; Max Length: 4000 |
PanOSTunnelCauseCode | Query Name: tunnel_cause_code; Header Type: Custom |
PanOSTunnelEndpointID1 | Query Name: tunnel_endpoint_id_1; Header Type: Custom |
PanOSTunnelEndpointID2 | Query Name: tunnel_endpoint_id_2; Header Type: Custom |
PanOSTunnelEventCode | Query Name: tunnel_event_code; Header Type: Custom |
PanOSTunnelEventType | Query Name: tunnel_event_type; Header Type: Custom |
PanOSTunnelInspectionRule | Query Name: tunnel_inspection_rule; Header Type: Custom |
PanOSTunnelInterface | Query Name: tunnel_interface; Header Type: Custom |
PanOSTunnelMessageType | Query Name: tunnel_message_type; Header Type: Custom |
PanOSTunnelRemoteIMSIID | Query Name: tunnel_remote_imsi_id; Header Type: Custom |
PanOSTunnelRemoteUserIP | Query Name: tunnel_remote_user_ip.value; Header Type: Custom |
cfp4 | Query Name: tunnel_sessions_closed; Header Type: Predefined; Label: cfp4Label; Label Text: TunnelSessionsClosed |
cfp3 | Query Name: tunnel_sessions_created; Header Type: Predefined; Label: cfp3Label; Label Text: TunnelSessionsCreated |
PanOSTunneledApplication | Query Name: tunneled_app; Header Type: Custom |
PanOSIMSI | Query Name: tunnelid_imsi; Header Type: Custom |
PanOSURLCategory | Query Name: url_category.value; Header Type: Custom |
PanOSUsers | Query Name: users; Header Type: Custom |
Device Vendor | Query Name: vendor_name; Header Type: Custom |
PanOSVendorSeverity | Query Name: vendor_severity.value; Header Type: Custom |
cs3 | Query Name: vsys; Header Type: Predefined; Label: cs3Label; Label Text: VirtualLocation; Max Length: 4000 |
PanOSVirtualSystemID | Query Name: vsys_id; Header Type: Custom |
PanOSVirtualSystemName | Query Name: vsys_name; Header Type: Custom |