Tunnel Inspection Log Fields
Format: FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Severity, Sequence Number, Action Flags, Source Location, Destination Location, Device Group Hierarchy Level 1, Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, Virtual System Name, Device Name, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, Parent Start Time, Tunnel, Bytes, Bytes Sent, Bytes Received, Packets, Packets Sent, Packets Received, Maximum Encapsulation, Unknown Protocol, Strict Check, Tunnel Fragment, Sessions Created, Sessions Closed, Session End Reason, Action Source, Start Time, Elapsed Time, Tunnel Inspection Rule
Receive Time (receive_time or cef-formatted-receive_time)
Month, day, and time the log was received at the management plane.
Serial Number (serial)
Serial number of the firewall that generated the log.
Type
Type of log as it pertains to the session: start or end.
Threat/Content Type (subtype)
Subtype of traffic log; values are start, end, drop, and deny.
Generated Time (time_generated or cef-formatted-time_generated)
Time the log was generated on the dataplane.
Source Address (src)
Source IP address of packets in the session.
Destination Address (dst)
Destination IP address of packets in the session.
NAT Source IP (natsrc)
If source NAT was performed, the post-NAT source IP address.
NAT Destination IP (natdst)
If destination NAT was performed, the post-NAT destination IP address.
Rule Name (rule)
Name of the Security policy rule in effect on the session.
Source User (srcuser)
Source User ID of packets in the session.
Destination User (dstuser)
Destination User ID of packets in the session.
Application
Tunneling protocol used in the session.
Virtual System (vsys)
Virtual System associated with the session.
Source Zone (from)
Source zone of packets in the session.
Destination Zone (to)
Destination zone of packets in the session.
Inbound Interface (inbound_if)
Interface that the session was sourced from.
Outbound Interface (outbound_if)
Interface that the session was destined to.
Log Action (logset)
Log Forwarding Profile that was applied to the session.
Session ID (sessionid)
Session ID of the session being logged.
Repeat Count (repeatcnt)
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds.
Source Port (sport)
Source port utilized by the session.
Destination Port (dport)
Destination port utilized by the session.
NAT Source Port (natsport)
Post-NAT source port.
NAT Destination Port (natdport)
Post-NAT destination port.
Flags
32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
IP Protocol (proto)
IP protocol associated with the session.
Action
Action taken for the session; possible values are:
Severity
Severity associated with the event; values are informational, low, medium, high, critical.
Sequence Number (seqno)
A 64-bit log entry identifier incremented sequentially; each log type has a unique number space. This field is not supported on PA-7000 Series firewalls.
Action Flags (actionflags)
A bit field indicating if the log was forwarded to Panorama.
Source Location (srcloc)
Source country or Internal region for private addresses; maximum length is 32 bytes.
Destination Location (dstloc)
Destination country or Internal region for private addresses. Maximum length is 32 bytes.
Device Group Hierarchy (dg_hier_level_1 to dg_hier_level_4)
A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure.
If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34 and 12. To view the device group names that correspond to the value 12, 34 or 45, use one of the following methods:
CLI command in configure mode:
show readonly dg-meta-data
Virtual System Name (vsys_name)
The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems.
Device Name (device_name)
The hostname of the firewall on which the session was logged.
Tunnel ID (tunnelid)
ID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
Monitor Tag (monitortag)
Monitor name you configured for the Tunnel Inspection policy rule or the International Mobile Equipment Identity (IMEI) ID of the mobile device.
Parent Session ID (parent_session_id)
ID of the session in which this session is tunneled. Applies to inner tunnel (if two levels of tunneling) or inside content (if one level of tunneling) only.
Parent Start Time (parent_start_time)
Year/month/day hours:minutes:seconds that the parent tunnel session began.
Tunnel Type (tunnel)
Type of tunnel, such as GRE or IPSec.
Bytes
Number of bytes in the session.
Bytes Sent (bytes_sent)
Number of bytes in the client-to-server direction of the session.
Bytes Received (bytes_received)
Number of bytes in the server-to-client direction of the session.
Packets
Number of total packets (transmit and receive) for the session.
Packets Sent (pkts_sent)
Number of client-to-server packets for the session.
Available on all models except the PA-4000 Series.
Packets Received (pkts_received)
Number of server-to-client packets for the session.
Available on all models except the PA-4000 Series.
Maximum Encapsulation (max_encap)
Number of packets the firewall dropped because the packet exceeded the maximum number of encapsulation levels configured in the Tunnel Inspection policy rule (Drop packet if over maximum tunnel inspection level).
Unknown Protocol (unknown_proto)
Number of packets the firewall dropped because the packet contains an unknown protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if unknown protocol inside tunnel).
Strict Checking (strict_check)
Number of packets the firewall dropped because the tunnel protocol header in the packet failed to comply with the RFC for the tunnel protocol, as enabled in the Tunnel Inspection policy rule (Drop packet if tunnel protocol fails strict header check).
Tunnel Fragment (tunnel_fragment)
Number of packets the firewall dropped because of fragmentation errors.
Sessions Created (sessions_created)
Number of inner sessions created.
Sessions Closed (sessions_closed)
Number of completed/closed sessions created.
Session End Reason (session_end_reason)
The reason a session terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible session end reason values are as follows, in order of priority (where the first is highest):
Action Source (action_source)
Specifies whether the action taken to allow or block an application was defined in the application or in policy. The actions can be allow, deny, drop, reset-server, reset-client or reset-both for the session.
Start Time (start)
Year/month/day hours:minutes:seconds that the session began.
Elapsed Time (elapsed)
Elapsed time of the session.
Tunnel Inspection Rule (tunnel_insp_rule)
Name of the tunnel inspection rule matching the cleartext tunnel traffic.
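An added example, not part of the original documentation: a Python parser that maps a tunnel inspection log payload onto the field order in the Format line, resolves the device group hierarchy as in the 12, 34, 45, 0 example, and reports nonzero drop counters. The function names, the sample line, and the assumptions that the syslog header is already stripped and that values containing commas are double-quoted are assumptions of this example.

```python
import csv
import io

# Field order copied from the Format line of this page.
FORMAT = (
    "FUTURE_USE, Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, "
    "Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, "
    "Application, Virtual System, Source Zone, Destination Zone, Inbound Interface, Outbound Interface, "
    "Log Action, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, "
    "NAT Destination Port, Flags, Protocol, Action, Severity, Sequence Number, Action Flags, "
    "Source Location, Destination Location, Device Group Hierarchy Level 1, "
    "Device Group Hierarchy Level 2, Device Group Hierarchy Level 3, Device Group Hierarchy Level 4, "
    "Virtual System Name, Device Name, Tunnel ID/IMSI, Monitor Tag/IMEI, Parent Session ID, "
    "Parent Start Time, Tunnel, Bytes, Bytes Sent, Bytes Received, Packets, Packets Sent, "
    "Packets Received, Maximum Encapsulation, Unknown Protocol, Strict Check, Tunnel Fragment, "
    "Sessions Created, Sessions Closed, Session End Reason, Action Source, Start Time, Elapsed Time, "
    "Tunnel Inspection Rule"
)
FIELDS = [name.strip() for name in FORMAT.split(",")]
DROP_COUNTERS = ("Maximum Encapsulation", "Unknown Protocol", "Strict Check", "Tunnel Fragment")
DG_LEVELS = [f"Device Group Hierarchy Level {i}" for i in range(1, 5)]

def parse_tunnel_log(line):
    """Map one comma-separated log payload to {field name: value}."""
    values = next(csv.reader(io.StringIO(line)))  # csv handles quoted commas
    if len(values) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(values)}")
    return {n: v for n, v in zip(FIELDS, values) if n != "FUTURE_USE"}

def device_group_path(rec):
    """Device group IDs, topmost ancestor first; 0 marks an unused level."""
    return [int(rec[k]) for k in DG_LEVELS if rec[k] not in ("", "0")]

def drop_findings(rec):
    """Nonzero tunnel-inspection drop counters worth an analyst's attention."""
    return {k: int(rec[k]) for k in DROP_COUNTERS if int(rec[k] or 0) > 0}

# Constructed sample payload (not a real log); syslog header assumed already stripped.
SAMPLE = (
    '1,2024/01/15 10:00:05,000000000001,end,end,1,2024/01/15 10:00:05,'
    '192.0.2.10,198.51.100.20,0.0.0.0,0.0.0.0,"GRE, inbound",,,gre,'
    'vsys1,untrust,trust,ethernet1/1,ethernet1/2,fwd-profile,1,'
    '1001,1,0,0,0,0,0x0,gre,allow,informational,42,0x0,'
    'US,US,12,34,45,0,,fw-01,'
    '7,tag-1,0,,GRE,'
    '9000,5000,4000,90,50,40,0,3,2,0,4,4,'
    'aged-out,from-policy,2024/01/15 09:59:00,65,insp-rule-1'
)
```

A field-count mismatch raises ValueError rather than silently shifting columns, which matters when a log source runs a release with a different field list.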