Traffic Logs
Table of Contents
Traffic Logs
Traffic logs display an entry for the start and end
of each session. Each entry includes the following information:
date and time; source and destination zones, source and destination
dynamic address groups, addresses and ports; application name; security
rule applied to the traffic flow; rule action (allow, deny, or drop);
ingress and egress interface; number of bytes; and session end reason.
A dynamic address group only appears in a log if the rule
the traffic matches includes a dynamic address group. If an IP address
appears in more than one dynamic address group, the firewall displays
up to five dynamic address groups in logs along with the source
IP address
The Type column indicates whether the entry is for the start
or end of the session. The Action column indicates whether the firewall
allowed, denied, or dropped the session. A drop indicates the security
rule that blocked the traffic specified any application, while a
deny indicates the rule identified a specific application. If the
firewall drops traffic before identifying the application, such
as when a rule drops all traffic for a specific service, the Application
column displays not-applicable.
Click
![]()
beside an entry
to view additional details about the session, such as whether an
ICMP entry aggregates multiple sessions between the same source
and destination (in which case the Count column value is greater
than one).
When the Decryption log introduced in PAN-OS 11.1 is disabled,
the firewall sends HTTP/2 logs as Traffic logs. However, when the
Decryption logs are enabled, the firewall sends HTTP/2 logs as Tunnel
Inspection logs (when Decryption logs are disabled, HTTP/2 logs
are sent as Traffic logs), so you need to check the Tunnel Inspection
logs instead of the Traffic logs for HTTP/2 events.