Traffic Logs
Traffic logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones; source and destination dynamic address groups, addresses and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason. A dynamic address group only appears in a log if the rule the traffic matches includes a dynamic address group. If an IP address appears in more than one dynamic address group, the firewall displays up to five dynamic address groups in logs along with the source IP address.
The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop means the security rule that blocked the traffic specified an application of any, while a deny means the rule identified a specific application. If the firewall drops traffic before it identifies the application, for example when a rule drops all traffic for a specific service, the Application column displays not-applicable.
Click the icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).
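The Type, Action, Application and Count columns described above can be turned into a simple triage rule set. The following Python example is added here and is not Palo Alto Networks code; the key=value line format, field names and sample entries are constructed for the example and are not the firewall's export format.

```python
"""Triage of constructed Traffic-log-style entries by Type, Action, Application and Count."""
from collections import defaultdict

# Constructed sample entries (assumed key=value format, not the firewall's own):
# one start and one end record for session 1, three end records for blocked or
# aged-out sessions, and one ICMP end record that aggregates three sessions (count=3).
SAMPLE_LOG = """\
type=start session=1 src=10.1.1.5 dst=203.0.113.7 app=web-browsing rule=allow-web action=allow bytes=0 count=1 end_reason=n/a
type=end session=1 src=10.1.1.5 dst=203.0.113.7 app=web-browsing rule=allow-web action=allow bytes=48213 count=1 end_reason=tcp-fin
type=end session=2 src=10.1.1.9 dst=198.51.100.4 app=not-applicable rule=block-telnet action=drop bytes=60 count=1 end_reason=policy-deny
type=end session=3 src=10.1.1.9 dst=198.51.100.4 app=ssh rule=no-ssh-out action=deny bytes=1400 count=1 end_reason=policy-deny
type=end session=4 src=10.1.1.2 dst=10.1.2.2 app=ping rule=allow-icmp action=allow bytes=294 count=3 end_reason=aged-out
"""


def parse_entry(line):
    """Split one key=value line into a dict; the numeric fields become ints."""
    entry = dict(tok.split("=", 1) for tok in line.split())
    entry["bytes"] = int(entry["bytes"])
    entry["count"] = int(entry["count"])
    return entry


def classify(entry):
    """Return a triage label derived from the Type, Action, Application and Count columns."""
    if entry["type"] == "start":
        return "session-start"
    if entry["action"] == "drop" and entry["app"] == "not-applicable":
        return "dropped-before-app-id"   # blocked on service before the application was identified
    if entry["action"] == "drop":
        return "dropped-any-app-rule"    # blocking rule specified an application of any
    if entry["action"] == "deny":
        return "denied-named-app"        # blocking rule identified a specific application
    if entry["count"] > 1:
        return "aggregated-icmp"         # one entry standing for several sessions
    return "allowed"


def triage(log_text):
    """Count how many entries fall under each triage label."""
    labels = defaultdict(int)
    for line in log_text.splitlines():
        labels[classify(parse_entry(line))] += 1
    return dict(labels)


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```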
When the Decryption log introduced in PAN-OS 11.1 is disabled, the firewall sends HTTP/2 logs as Traffic logs. When Decryption logs are enabled, the firewall sends HTTP/2 logs as Tunnel Inspection logs instead, so in that case you need to check the Tunnel Inspection logs rather than the Traffic logs for HTTP/2 events.