What Telemetry Data Does the Firewall Collect?

The firewall collects and forwards different sets of telemetry data to Palo Alto Networks based on the Telemetry settings you enable. The firewall collects the data from fields in your log entries (see Log Types and Severity Levels); the log type and combination of fields vary based on the setting. Review the following table before you Enable Telemetry.
Setting
Description
Application Reports
The number and size of known applications by destination port, unknown applications by destination port, and unknown applications by destination IP address. The firewall generates these reports from Traffic logs and forwards them every 4 hours.
Threat Prevention Reports
Attacker information, the number of threats for each source country and destination port, and the correlation objects that threat events triggered.The firewall generates these reports from Threat logs and forwards them every 4 hours.
URL Reports
URLs with the following PAN-DB URL categories: malware, phishing, dynamic DNS, proxy-avoidance, questionable, parked, and unknown (URLs that PAN-DB has not yet categorized). The firewall generates these reports from URL Filtering logs.
URL Reports also include PAN-DB statistics such as the version of the URL filtering database on the firewall and on the PAN-DB cloud, the number of URLs in those databases, and the number of URLs that the firewall categorized. These statistics are based on the time that the firewall forwarded the URL Reports.
The firewall forwards URL Reports every 4 hours.
File Type Identification Reports
Information about files that the firewall has blocked or allowed based on data filtering and file blocking settings. The firewall generates these reports from Data Filtering logs and forwards them every 4 hours.
Threat Prevention Data
Log data from threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Data provides Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
Enabling Threat Prevention Data also allows unreleased signatures that Palo Alto Networks is currently testing to run in the background. These signatures do not affect your security policy rules and firewall logs, and have no impact to your firewall performance.
The firewall forwards Threat Prevention Data every 5 minutes.
Threat Prevention Packet Captures
Packet captures (if you have enabled your firewall to Take a Threat Packet Capture) of threat events that triggered signatures that Palo Alto Networks is evaluating for efficacy. Threat Prevention Packet Captures provide Palo Alto Networks more visibility into your network traffic than other telemetry settings. When enabled, the firewall may collect information such as source or victim IP addresses.
The firewall forwards Threat Prevention Packet Captures every 5 minutes.
Product Usage Statistics
Back traces of firewall processes that have failed, as well as information about the firewall status. Back traces outline the execution history of the failed processes. These reports include details about the firewall model and the PAN-OS and content release versions installed on your firewall.
The firewall forwards Product Usage Statistics every 5 minutes.
Passive DNS Monitoring
Domain-to-IP address mappings based on firewall traffic. When you enable Passive DNS Monitoring, the firewall acts as a passive DNS sensor and send DNS information to Palo Alto Networks for analysis.
The firewall forwards data from Passive DNS Monitoring in 1 MB batches.

Related Documentation