GTP Log Fields
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
GTP Log Fields
Format: FUTURE_USE, Receive Time, Serial Number,
Type, Threat/Content Type, FUTURE_USE, Generated Time, Source Address,
Destination Address, FUTURE_USE, FUTURE_USE, Rule Name, FUTURE_USE,
FUTURE_USE, Application, Virtual System, Source Zone, Destination
Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE,
Session ID, FUTURE_USE, Source Port, Destination Port, FUTURE_USE,
FUTURE_USE, FUTURE_USE, Protocol, Action, GTP Event Type, MSISDN,
Access Point Name, Radio Access Technology, GTP Message Type, End User
IP Address, Tunnel Endpoint Identifier1, Tunnel Endpoint Identifier2,
GTP Interface, GTP Cause, Severity, Serving Country MCC, Serving
Network MNC, Area Code, Cell ID, GTP Event Code, FUTURE_USE, FUTURE_USE,
Source Location, Destination Location, FUTURE_USE, FUTURE_USE, FUTURE_USE,
FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, Tunnel ID/IMSI,
Monitor Tag/IMEI, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE,
FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE,
FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE, FUTURE_USE,
Start Time, Elapsed Time, Tunnel Inspection Rule, Remote User IP,
Remote User ID, UUID for rule, PCAP ID, High Resolution Timestamp,
A Slice Service Type, A Slice Differentiator, Application Subcategory,
Application Category, Application Technology, Application Risk,
Application Characteristic, Application Container, Application SaaS, Application
Sanctioned State
Field Name | Description |
---|---|
Receive Time (receive_time or cef-formatted-receive_time) | Month, Day and time the log was received
at the management plane. |
Serial Number (serial) | Serial number of the firewall that generated
the log. |
Type (type) | Specifies the type of log; value is GTP. |
Threat/Content Type (subtype) | Subtype of traffic log; values are start,
end, drop, and deny
|
Generated Time (time_generated or cef-formatted-time_generated) | Time the log was generated on the dataplane. |
Source Address (src) | Source IP address of packets in the session. |
Destination Address (dst) | Destination IP address of packets in the
session. |
Rule Name (rule) | Name of the Security policy rule in effect
on the session. |
Application (app) | Tunneling protocol used in the session. |
Virtual System (vsys) | Virtual System associated with the session. |
Source Zone (from) | Source zone of packets in the session. |
Destination Zone (to) | Destination zone of packets in the session. |
Inbound Interface (inbound_if) | Interface that the session was sourced from. |
Outbound Interface (outbound_if) | Interface that the session was destined
to. |
Log Action (logset) | Log Forwarding Profile that was applied
to the session. |
Session ID (sessionid) | Session ID of the session being logged. |
Source Port (sport) | Source port utilized by the session. |
Destination Port (dport) | Destination port utilized by the session. |
IP Protocol (proto) | IP protocol associated with the session. |
Action (action) | Action taken for the session; possible values
are:
|
GTP Event Type (event_type) | Defines event triggered by a GTP message
when checks in GTP protection profile are applied to the GTP traffic.
Also triggered by the start or end of a GTP session. |
MSISDN (msisdn) | Service identity associated with the mobile
subscriber composed of a Country Code, National Destination Code
and a Subscriber. Consists of decimal digits (0-9) only with a maximum
of 15 digits. |
Access Point Name (apn) | Reference to a Packet Data Network Data
Gateway (PGW)/ Gateway GPRS Support Node in a mobile network. Composed
of a mandatory APN Network Identifier and an optional APN Operator
Identifier. |
Radio Access Technology (rat) | Type of technology used for radio access.
For example, EUTRAN, WLAN, Virtual, HSPA Evolution, GAN and GERAN. |
GTP Message Type (msg_type) | Indicates the GTP message type. |
End IP Address (end_ip_adr) | IP address of a mobile subscriber allocated
by a PGW/GGSN. |
Tunnel Endpoint Identifier1 (teid1) | Identifies the GTP tunnel in the network
node. TEID1 is the first TEID in the GTP message. |
Tunnel Endpoint Identifier2 (teid2) | Identifies the GTP tunnel in the network
node. TEID2 is the second TEID in the GTP message. |
GTP Interface (gtp_interface) | 3GPP interface from which a GTP message
is received. |
GTP Cause (cause_code) | GTP cause value in logs responses which
contain an Information Element that provides information about acceptance
or rejection of GTP requests by a network node. |
Severity (severity) | Severity associated with the event; values
are informational, low, medium, high, critical. |
Serving Network MCC (mcc) | Mobile country code of serving core network
operator. |
Serving Network MNC (mnc) | Mobile network code of serving core network
operator. |
Area Code (area_code) | Area within a Public Land Mobile Network
(PLMN). |
Cell ID (cell_id) | Base station within an area code. |
GTP Event Code (event_code) | Event code describing the GTP event. |
Source Location (srcloc) | Source country or Internal region for private addresses; maximum length is 32 bytes. |
Destination Location (dstloc) | Destination country or Internal
region for private addresses; maximum length is 32 bytes. |
Tunnel ID/IMSI (imsi) | International Mobile Subscriber
Identity (IMSI) is a unique number allocated to each mobile subscriber
in the GSM/UMTS/EPS system. IMSI shall consist of decimal digits
(0 through 9) only and maximum number of digits allowed are 15. |
Monitor Tag/IMEI (imei) | International Mobile Equipment
Identity (IMEI) is a unique 15 or 16 digit number allocated to each
mobile station equipment. |
Start Time (start) | Time of session start. |
Elapsed Time (elapsed) | Elapsed time of the session. |
Tunnel Inspection Rule (tunnel_insp_rule) | Name of the tunnel inspection rule matching the cleartext tunnel traffic |
Remote User IP (remote_user_ip) | IPv4 or IPv6 address used by a remote user. |
Remote User ID (remote_user_id) | IMSI identity of a remote user, and if available,
one IMEI identity and/or one MSISDN identity. |
UUID for rule (rule_uuid) | Universally Unique ID for rule. |
PCAP ID (pcap_id) | Unique packet capture ID that is used to
locate the pcap file saved on the firewall. |
High Resolution Timestamp (high_res_timestamp) | Time in milliseconds the log was received
at the management plane. The format for this new field is
YYYY-MM-DDThh:ss:sssTZD:
The
High Resolution Timestamp is supported for logs received from managed
firewalls running PAN-OS 11.0 and later releases. Logs received
from managed firewalls running PAN-OS 9.1 and earlier releases display
a 1969-12-31T16:00:00:000-8:00 timestamp
regardless of when the log was received. |
A Slice Service Type (nsdsai_sst) | The A Slice Service Type of the Network
Slice ID. |
A Slice Differentiator (nsdsai_sd) | The A Slice Differentiator of the Network
Slice ID. |
Application Subcategory (subcategory_of_app) | The application subcategory specified in
the application configuration properties. |
Application Category (category_of_app) | The application category specified in the
application configuration properties. Values are:
|
Application Technology (technology_of_app) | The application technology specified in
the application configuration properties. Values are:
|
Application Risk (risk_of_app) | Risk level associated with the application
(1=lowest to 5=highest). |
Application Characteristic (characteristic_of_app) | Comma-separated list of applicable characteristic
of the application |
Application Container (container_of_app) | The parent application for an application. |
Application SaaS (is_saas_of_app) | Displays 1 if
a SaaS application or 0 if not a SaaS
application. |
Application Sanctioned State (sanctioned_state_of_app) | Displays 1 if
application is sanctioned or 0 if application
is not sanctioned. |
Application Subcategory (subcategory_of_app) | The application subcategory specified in
the application configuration properties. |