Log Types and Severity Levels
Next-Generation Firewall

Where Can I Use This?
  • NGFW (Managed by PAN-OS or Panorama)
What Do I Need?
  • Support license
  • (Panorama) Device management license

Use the Monitor > Logs pages to view logs. You can view the following logs:

Traffic Logs

Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, source and destination dynamic address groups, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
A dynamic address group only appears in a log if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates the security rule that blocked the traffic specified any application, while a deny indicates the rule identified a specific application. If the firewall drops traffic before identifying the application, such as when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the magnifying glass icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
When the Decryption log introduced in PAN-OS 11.1 is disabled, the firewall sends HTTP/2 logs as Traffic logs. When Decryption logs are enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs instead, so in that case check the Tunnel Inspection logs rather than the Traffic logs for HTTP/2 events.

Threat Logs

Threat logs display entries when traffic matches one of the Security Profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, source and destination dynamic address groups, and ports; application name; alarm action (such as allow or block); and severity level.
A dynamic address group only appears in a log if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
To see more details on individual Threat log entries:
  • Click the magnifying glass icon beside a threat entry to view details such as whether the entry aggregates multiple threats of the same type between the same source and destination (in which case the Count column value is greater than one).
  • If you configured the firewall to Take Packet Captures, click the packet capture icon beside an entry to access the captured packets.
The following table summarizes the Threat severity levels:
Critical: Serious threats, such as those that affect default installations of widely deployed software, result in root compromise of servers, and for which exploit code is widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions.
High: Threats that have the ability to become critical but have mitigating factors; for example, they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim pool.
  • WildFire Submissions log entries with a malicious verdict and an action set to allow are logged as High.
Medium: Minor threats in which impact is minimized, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim, affect only non-standard configurations or obscure applications, or provide very limited access.
  • Threat log entries with a malicious verdict and an action of block or alert, based on the existing WildFire signature severity, are logged as Medium.
Low: Warning-level threats that have very little impact on an organization's infrastructure. They usually require local or physical system access and may often result in victim privacy or DoS issues and information leakage.
  • Data Filtering profile matches are logged as Low.
  • WildFire Submissions log entries with a grayware verdict and any action are logged as Low.
Informational: Suspicious events that do not pose an immediate threat, but that are reported to call attention to deeper problems that could possibly exist.
  • URL Filtering log entries are logged as Informational.
  • WildFire Submissions log entries with a benign verdict and any action are logged as Informational.
  • WildFire Submissions log entries with any verdict and an action set to block and forward are logged as Informational.
  • Log entries with any verdict and an action set to block are logged as Informational.
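The Count column and the severity levels above are what an analyst sorts on when reviewing a Threat log export. The following script is an added example, not Palo Alto Networks code: it parses a constructed CSV export (the column names, the export format and the sample rows are assumptions for this example), totals threats per severity while honoring the Count column for aggregated entries, and builds a review queue of Critical and High entries in which threats the firewall only allowed or alerted on sort before those it blocked.

```python
"""Triage a PAN-OS Threat log export (added example; not Palo Alto Networks code).

Assumptions (not from the page): the log was exported as CSV with a header row
whose column names match those used below; the sample rows are constructed.
"""
import csv
import io
from collections import Counter

# Constructed sample export. Count > 1 means the firewall aggregated several
# threats of the same type between the same source and destination.
SAMPLE_THREAT_CSV = """\
Receive Time,Type,Threat/Content Name,Source address,Destination address,Application,Action,Severity,Count
2024/05/01 10:00:01,vulnerability,Example Exploit Signature,10.1.1.5,203.0.113.10,web-browsing,reset-both,critical,1
2024/05/01 10:00:07,spyware,Example C2 Beacon,10.1.1.5,198.51.100.20,ssl,alert,high,4
2024/05/01 10:01:15,url,example-url-category,10.1.1.9,198.51.100.30,web-browsing,alert,informational,1
2024/05/01 10:02:40,wildfire,Example Sample,10.1.1.9,198.51.100.30,smtp,allow,medium,2
2024/05/01 10:03:02,vulnerability,Example Exploit Signature,10.1.1.5,203.0.113.10,web-browsing,reset-both,critical,3
"""

# Order used for ranking; index 0 is the most severe.
SEVERITY_ORDER = ["critical", "high", "medium", "low", "informational"]

def parse_threat_log(text):
    """Parse CSV text into a list of dicts; Count becomes an int (default 1)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["Count"] = int(row.get("Count") or 1)
        rows.append(row)
    return rows

def severity_totals(rows):
    """Total threats per severity, weighting each entry by its Count column."""
    totals = Counter()
    for row in rows:
        totals[row["Severity"].lower()] += row["Count"]
    return {sev: totals.get(sev, 0) for sev in SEVERITY_ORDER}

def review_queue(rows, min_severity="high"):
    """Entries at or above min_severity, one item per (source, destination, threat name),
    summed over Count and ordered worst-first. Within a severity, threats that were only
    allowed or alerted on come before blocked ones, because nothing stopped them."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    grouped = {}
    for row in rows:
        sev = row["Severity"].lower()
        if SEVERITY_ORDER.index(sev) > cutoff:
            continue
        key = (row["Source address"], row["Destination address"], row["Threat/Content Name"])
        entry = grouped.setdefault(key, {"severity": sev, "count": 0, "actions": set()})
        entry["count"] += row["Count"]
        entry["actions"].add(row["Action"])

    def sort_key(item):
        _, entry = item
        unstopped = bool(entry["actions"] & {"allow", "alert"})
        return (SEVERITY_ORDER.index(entry["severity"]), not unstopped, -entry["count"])

    return [
        {"source": k[0], "destination": k[1], "threat": k[2], **v, "actions": sorted(v["actions"])}
        for k, v in sorted(grouped.items(), key=sort_key)
    ]

if __name__ == "__main__":
    rows = parse_threat_log(SAMPLE_THREAT_CSV)
    print(severity_totals(rows))
    for item in review_queue(rows):
        print(item)
```

The Count weighting matters: the two Critical rows above are four exploit attempts, not two, and the single High row is four C2 beacons that were only alerted on.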

URL Filtering Logs

URL filtering logs (Monitor > Logs > URL Filtering) display comprehensive information about traffic to URL categories monitored in Security policy rules. Attributes or properties recorded for each session include receive time, category, URL, from zone, to zone, source, and source user. You can customize your log view so that only the attributes you are most interested in display. The firewall generates URL filtering log entries in the following cases, with exceptions noted:
  • Traffic matches a Security policy rule with a URL category as match criteria. The rule enforces one of the following actions on the traffic: deny, drop, or reset (client, server, both).
    URL filtering logs are only generated when an action results from a URL category match. If you have Security policy rules with applications as match criteria, a URL can be blocked due to an application (App-ID) rather than a URL category match. This behavior depends on how packets in the session are parsed.
    For example, suppose you have a Security policy rule that blocks the social-networking category and another rule that blocks a specific social media application. Traffic to the social media website could result in a Security policy lookup that hits an App-ID rule instead of a URL filtering rule. In this case, a URL filtering log isn't generated.
  • Traffic matches a Security policy rule with a URL Filtering profile attached. Site Access for categories in the profile is set to alert, block, continue, or override.
By default, categories set to allow do not generate URL filtering log entries. The exception is if you configure log forwarding.
If you want the firewall to log traffic to categories that you allow but would like more visibility into, set Site Access for these categories to alert in your URL Filtering profiles.

WildFire Submissions Logs

The firewall forwards samples (files and email links) to the WildFire cloud for analysis based on WildFire Analysis profile settings (Objects > Security Profiles > WildFire Analysis). The firewall generates a WildFire Submissions log entry for each sample it forwards after WildFire completes static and dynamic analysis of the sample. WildFire Submissions log entries include the firewall Action for the sample (allow or block), the WildFire verdict for the submitted sample, and the severity level of the sample.
The following table summarizes the WildFire verdicts:
Benign: Indicates that the entry received a WildFire analysis verdict of benign. Files categorized as benign are safe and do not exhibit malicious behavior.
Grayware: Indicates that the entry received a WildFire analysis verdict of grayware. Files categorized as grayware do not pose a direct security threat, but might display otherwise obtrusive behavior. Grayware can include adware, spyware, and Browser Helper Objects (BHOs).
Phishing: Indicates that WildFire assigned a link an analysis verdict of phishing. A phishing verdict indicates that the site to which the link directs users displayed credential phishing activity.
Malicious: Indicates that the entry received a WildFire analysis verdict of malicious. Samples categorized as malicious can pose a security threat. Malware can include viruses, C2 (command-and-control), worms, Trojans, Remote Access Tools (RATs), rootkits, and botnets. For samples that are identified as malware, the WildFire cloud generates and distributes a signature to protect against future exposure.
  C2 samples are classified as C2 in the WildFire analysis report and in other Palo Alto Networks products that rely on WildFire analysis data; however, the firewall translates that verdict and categorizes it as malicious.

Data Filtering Logs

Data Filtering logs display entries for the security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. See Data Filtering for information on defining Data Filtering profiles.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files, the log shows the blocked files.

Correlation Logs

The firewall logs a correlated event when the patterns and thresholds defined in a Correlation Object match the traffic patterns on your network. To Interpret Correlated Events and view a graphical display of the events, see Use the Compromised Hosts Widget in the ACC.
The following table summarizes the Correlation log severity levels:
Critical: Confirms that a host has been compromised based on correlated events that indicate an escalation pattern. For example, a critical event is logged when a host that received a file with a malicious verdict by WildFire exhibits the same command-and-control activity that was observed in the WildFire sandbox for that malicious file.
High: Indicates that a host is very likely compromised based on a correlation between multiple threat events, such as malware detected anywhere on the network that matches the command-and-control activity being generated from a particular host.
Medium: Indicates that a host is likely compromised based on the detection of one or multiple suspicious events, such as repeated visits to known malicious URLs that suggest scripted command-and-control activity.
Low: Indicates that a host is possibly compromised based on the detection of one or multiple suspicious events, such as a visit to a malicious URL or a dynamic DNS domain.
Informational: Detects an event that may be useful in aggregate for identifying suspicious activity; each event is not necessarily significant on its own.
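The escalation pattern in this table (malicious file plus matching C2 from the same host, C2 matching malware seen elsewhere, repeated versus single malicious-URL visits) is the kind of logic a SOC re-implements in a SIEM to check the firewall's verdicts or to extend them. The script below is an added example modelled on the table; it is not the firewall's correlation engine and not Palo Alto Networks code. Its assumptions are not from the page: events are already-parsed dicts from the WildFire Submissions, Threat and URL Filtering logs, a malicious WildFire event carries the C2 destination observed in the sandbox, and "repeated" means three or more visits. All sample events are constructed.

```python
"""Host-compromise scoring modelled on the Correlation log severity table
(added example; not the firewall's correlation engine or Palo Alto Networks code).

Assumptions (not from the page): events are dicts parsed from WildFire Submissions,
Threat and URL Filtering logs; a WildFire "malicious" event records the C2 destination
seen in the sandbox; "repeated" visits means REPEAT_THRESHOLD or more. Samples are constructed.
"""
from collections import defaultdict

REPEAT_THRESHOLD = 3  # assumed: number of malicious-URL visits that counts as "repeated"

# Constructed sample events from three log types; "host" is the internal source address.
SAMPLE_EVENTS = [
    {"log": "wildfire", "host": "10.1.1.5", "verdict": "malicious", "sandbox_c2": "c2.example.net"},
    {"log": "threat", "host": "10.1.1.5", "subtype": "spyware", "c2_dest": "c2.example.net"},
    {"log": "threat", "host": "10.1.1.6", "subtype": "spyware", "c2_dest": "c2.example.net"},
    {"log": "url", "host": "10.1.1.7", "category": "malware", "url": "http://bad.example/a"},
    {"log": "url", "host": "10.1.1.7", "category": "malware", "url": "http://bad.example/b"},
    {"log": "url", "host": "10.1.1.7", "category": "malware", "url": "http://bad.example/c"},
    {"log": "url", "host": "10.1.1.8", "category": "dynamic-dns", "url": "http://host.ddns.example"},
    {"log": "url", "host": "10.1.1.9", "category": "news", "url": "http://news.example"},
]

def _malicious_c2(events):
    """C2 destinations that WildFire observed while detonating malicious samples."""
    return {e["sandbox_c2"] for e in events if e["log"] == "wildfire" and e["verdict"] == "malicious"}

def score_hosts(events):
    """Return {host: severity}, following the escalation pattern in the table."""
    network_c2 = _malicious_c2(events)  # malware seen anywhere on the network
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    result = {}
    for host, evs in by_host.items():
        own_c2 = _malicious_c2(evs)  # malicious files this particular host received
        c2_hits = {e["c2_dest"] for e in evs if e["log"] == "threat" and e["subtype"] == "spyware"}
        bad_urls = [e for e in evs if e["log"] == "url" and e["category"] in ("malware", "dynamic-dns")]
        if c2_hits & own_c2:
            sev = "critical"       # host received a malicious file and shows its sandbox C2 behaviour
        elif c2_hits & network_c2:
            sev = "high"           # host's C2 traffic matches malware detected elsewhere on the network
        elif len(bad_urls) >= REPEAT_THRESHOLD:
            sev = "medium"         # repeated malicious-URL visits suggest scripted C2
        elif bad_urls:
            sev = "low"            # a single malicious-URL or dynamic-DNS visit
        else:
            sev = "informational"  # nothing suspicious on its own
        result[host] = sev
    return result

if __name__ == "__main__":
    for host, sev in sorted(score_hosts(SAMPLE_EVENTS).items()):
        print(host, sev)
```

Run against the constructed events, 10.1.1.5 scores critical (it received the malicious file and then beaconed to the sandbox-observed C2 host), 10.1.1.6 scores high (same C2 destination, but the malware was seen on another host), 10.1.1.7 medium, 10.1.1.8 low and 10.1.1.9 informational.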

Tunnel Inspection Logs

Tunnel inspection logs are like traffic logs for tunnel sessions; they display entries of non-encrypted tunnel sessions. To prevent double counting, the firewall saves only the inner flows in traffic logs, and sends tunnel sessions to the tunnel inspection logs. The tunnel inspection log entries include Receive Time (date and time the log was received), the tunnel ID, monitor tag, session ID, the Security rule applied to the tunnel session, number of bytes in the session, parent session ID (session ID for the tunnel session), source address, source user and source zone, destination address, destination user, and destination zone.
When the decryption logs introduced in PAN-OS 11.1 are enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs (when decryption logs are disabled, HTTP/2 logs are sent as Traffic logs), so you need to check the Tunnel Inspection logs instead of the Traffic logs for HTTP/2 events.
Click the Detailed Log view to see details for an entry, such as the tunnel protocol used, and the flag indicating whether the tunnel content was inspected or not. Only a session that has a parent session will have the Tunnel Inspected flag set, which means the session is in a tunnel-in-tunnel (two levels of encapsulation). The first outer header of a tunnel will not have the Tunnel Inspected flag set.

Config Logs

Config logs display entries for changes to the firewall configuration. Each entry includes the date and time, the administrator username, the IP address from where the administrator made the change, the type of client (Web, CLI, or Panorama), the type of command executed, the command status (succeeded or failed), the configuration path, and the values before and after the change.

System Logs

System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.
Critical: Hardware failures, including high availability (HA) failover and link failures.
High: Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.
Medium: Mid-level notifications, such as antivirus package upgrades.
Low: Minor severity notifications, such as user password changes.
Informational: Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

HIP Match Logs

GlobalProtect Host Information Profile (HIP) matching enables you to collect information about the security status of the end devices accessing your network (such as whether they have disk encryption enabled). The firewall can allow or deny access to a specific host based on adherence to the HIP-based security rules you define. HIP Match logs display traffic flows that match a HIP Object or HIP Profile that you configured for the rules.

GlobalProtect Logs

GlobalProtect logs display the following logs related to GlobalProtect:
  • GlobalProtect system logs.
    GlobalProtect authentication event logs remain in Monitor > Logs > System; however, the Auth Method column of the GlobalProtect logs displays the authentication method used for logins.
  • LSVPN/satellite events.
  • GlobalProtect portal and gateway logs.
  • Clientless VPN logs.

IP-Tag Logs

IP-tag logs display how and when a source IP address is registered or unregistered on the firewall and what tag the firewall applied to the address. Additionally, each log entry displays the configured timeout (when configured) and the source of the IP address-to-tag mapping information, such as User-ID agent VM information sources and auto-tagging. See how to Register IP Address and Tags Dynamically for more information.

User-ID Logs

User-ID logs display information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated. You can use this information to help troubleshoot User-ID and authentication issues. For example, if the firewall is applying the wrong policy rule for a user, you can view the logs to verify whether that user is mapped to the correct IP address and whether the group associations are correct.

Decryption Logs

Decryption logs provide a detailed record of failed or successful decryption sessions on your network. By default, your Next-Generation Firewall (NGFW) only generates decryption logs for unsuccessful TLS handshakes. For full visibility into decryption activity, you can log successful TLS handshakes. However, ensure your system has enough resources (log space) to handle the increased volume of logs.
Monitoring decryption logs helps you understand decryption activity and troubleshoot decryption issues. These logs are comprehensive, with over 62 columns of information that fall into the following categories:
  • Session and Policy Rule Details—Information about the traffic, including the source and destination IP addresses, the user who initiated the session, the specific decryption policy rule that was applied to the traffic, and the type of decryption performed.
  • Certificate Details—Information about the certificate used in the session, including the subject common name, issuer common name, root common name, root status, certificate key type and size, certificate start and end date, certificate serial number, and certificate fingerprint.
  • TLS Connection Details—Information about the parameters used to establish the session, including the negotiated TLS version, key exchange algorithm, encryption algorithm, authentication algorithms, elliptic curve (EC), and Server Name Indication (SNI).
  • Error Details—Error information related to certificates, ciphers, feature, hardware security modules (HSM), protocols, resources, session resumption, and TLS versions. Error indexes (codes) are also provided for easy lookup of more detailed error information.
You can click the magnifying glass icon for any log entry to view detailed session information in a consolidated view.
NGFWs don't generate decryption logs for web traffic blocked during an SSL/TLS handshake. These sessions don't appear in decryption logs because the NGFW resets the SSL/TLS connection, which ends the handshake and prevents decryption. You can find details for these blocked sessions in your URL Filtering logs instead.
Decryption logs are not supported for SSH Proxy traffic. In addition, certificate information isn’t available for session resumption logs.
Starting with PAN-OS 12.1.2, decryption logs provide clearer insights into proxied connections. The logs differentiate between the client-side and server-side attributes of a session using "Client" and "Server" column headers. For example, the TLS version negotiated between the client and the firewall displays under the "Client" header, while the TLS version negotiated between the server and the firewall displays under the "Server" header.
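Because a Decryption log entry carries both the TLS parameters and the certificate and error details listed above, one export can answer three questions at once: what failed and why, which sessions negotiated a legacy protocol version, and which servers presented an expired certificate. The following script is an added example, not Palo Alto Networks code. Its column names are assumptions chosen to mirror the four categories the log documents, the sample entries are constructed, and the minimum TLS version is this example's policy, not the firewall's. It also handles the two caveats above: sessions blocked during the handshake are simply absent, and a resumed session has no certificate details, so the certificate check skips it rather than misreporting it.

```python
"""Review a Decryption log export for failures, weak TLS versions and expired certificates
(added example; not Palo Alto Networks code).

Assumptions (not from the page): entries are dicts with the column names used below;
a session failed when its error category is non-empty; a resumed session has an empty
certificate expiry. Sample entries are constructed; MIN_TLS is this example's policy.
"""
from collections import Counter
from datetime import datetime

MIN_TLS = (1, 2)  # assumed policy: anything older is reported as weak
TIME_FMT = "%Y/%m/%d %H:%M:%S"

SAMPLE_DECRYPTION_LOG = [
    # successful decrypted session with a modern protocol version
    {"receive_time": "2024/05/01 09:00:00", "src": "10.1.1.5", "sni": "shop.example",
     "rule": "decrypt-outbound", "tls_version": "TLSv1.3", "key_exchange": "X25519",
     "cert_not_after": "2025/01/01 00:00:00", "error_category": ""},
    # successful, but the client and server negotiated a legacy version
    {"receive_time": "2024/05/01 09:00:05", "src": "10.1.1.6", "sni": "legacy.example",
     "rule": "decrypt-outbound", "tls_version": "TLSv1.0", "key_exchange": "RSA",
     "cert_not_after": "2024/12/01 00:00:00", "error_category": ""},
    # failed handshake: the server certificate had already expired
    {"receive_time": "2024/05/01 09:00:09", "src": "10.1.1.7", "sni": "stale.example",
     "rule": "decrypt-outbound", "tls_version": "TLSv1.2", "key_exchange": "ECDHE",
     "cert_not_after": "2024/04/30 00:00:00", "error_category": "certificate"},
    # failed handshake for a protocol-level reason; no version was agreed
    {"receive_time": "2024/05/01 09:00:12", "src": "10.1.1.8", "sni": "odd.example",
     "rule": "decrypt-outbound", "tls_version": "", "key_exchange": "",
     "cert_not_after": "", "error_category": "protocol"},
    # resumed session: no certificate details are recorded, so the expiry check must skip it
    {"receive_time": "2024/05/01 09:00:20", "src": "10.1.1.5", "sni": "shop.example",
     "rule": "decrypt-outbound", "tls_version": "TLSv1.3", "key_exchange": "X25519",
     "cert_not_after": "", "error_category": ""},
]

def tls_tuple(version):
    """'TLSv1.2' -> (1, 2); an empty or unrecognised string -> None."""
    if not version.startswith("TLSv"):
        return None
    major, minor = version[4:].split(".")
    return int(major), int(minor)

def review_decryption_log(entries, now):
    """Summarise failures by error category and list weak-TLS and expired-certificate sessions.
    `now` is a timestamp string in TIME_FMT against which certificate expiry is judged."""
    now_dt = datetime.strptime(now, TIME_FMT)
    report = {"failed_by_category": Counter(), "weak_tls": [], "expired_cert": []}
    for e in entries:
        if e["error_category"]:
            report["failed_by_category"][e["error_category"]] += 1
        version = tls_tuple(e["tls_version"])
        if version is not None and version < MIN_TLS:
            report["weak_tls"].append((e["src"], e["sni"], e["tls_version"]))
        # Resumed sessions carry no certificate details; an empty expiry means "unknown", not "expired".
        if e["cert_not_after"] and datetime.strptime(e["cert_not_after"], TIME_FMT) < now_dt:
            report["expired_cert"].append((e["src"], e["sni"]))
    return report

if __name__ == "__main__":
    for section, value in review_decryption_log(SAMPLE_DECRYPTION_LOG, "2024/05/01 09:00:00").items():
        print(section, dict(value) if isinstance(value, Counter) else value)
```

Against the constructed entries the report shows one certificate failure and one protocol failure, one TLSv1.0 session from 10.1.1.6, and one expired certificate presented to 10.1.1.7; the resumed session for 10.1.1.5 is counted as neither weak nor expired.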

Alarms Logs

An alarm is a firewall-generated message indicating that the number of events of a particular type (for example, encryption and decryption failures) has exceeded the threshold configured for that event type. To enable alarms and configure alarm thresholds, select Device > Log Settings and edit the Alarm Settings.
When generating an alarm, the firewall creates an Alarm log and opens the System Alarms dialog to display the alarm. After you Close the dialog, you can reopen it anytime by clicking Alarms at the bottom of the web interface. To prevent the firewall from automatically opening the dialog for a particular alarm, select the alarm in the Unacknowledged Alarms list and Acknowledge the alarm.

Authentication Logs

Authentication logs display information about authentication events that occur when end users try to access network resources for which access is controlled by Authentication Policy rules. You can use this information to help troubleshoot access issues and to adjust your Authentication policy as needed. In conjunction with correlation objects, you can also use Authentication logs to identify suspicious activity on your network, such as brute force attacks.
Optionally, you can configure Authentication rules to log timeout events. These timeouts relate to the period during which a user needs to authenticate for a resource only once but can access it repeatedly. Seeing information about the timeouts helps you decide if and how to adjust them (for details, see Authentication Timestamps).
System logs record authentication events relating to GlobalProtect and to administrator access to the web interface.

Unified Logs

Unified logs are entries from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs displayed in a single view. Unified log view enables you to investigate and filter the latest entries from different log types in one place, instead of searching through each log type separately. Click Effective Queries in the filter area to select which log types will display entries in Unified log view.
The Unified log view displays only entries from logs that you have permission to see. For example, an administrator who does not have permission to view WildFire Submissions logs will not see WildFire Submissions log entries when viewing Unified logs. Administrative Role Types define these permissions.
When you Set Up Remote Search in AutoFocus to perform a targeted search on the firewall, the search results are displayed in Unified log view.