SD-WAN Traffic
The SD-WAN Traffic log fields, listed with their display names and descriptions.
The SD-WAN Traffic logs for Prisma SD-WAN contain information about traffic flows processed by ION devices. Each log entry includes details of the security action, the identified application, the user information, and the key network characteristics for every traffic flow.
| SD-WAN Traffic Field (Display Name) | Description |
|---|---|
| action.value (ACTION) | Identifies the action that the firewall took for the network traffic. |
| app (APPLICATION) | Application associated with the network traffic. |
| app_category (APPLICATION CATEGORY) | Identifies the high-level family of the application. |
| app_sub_category (APPLICATION SUBCATEGORY) | Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app. |
| bytes_received (BYTES RECEIVED) | Number of bytes in the server-to-client network traffic. |
| bytes_sent (BYTES SENT) | Number of bytes in the client-to-server network traffic. |
| characteristics_of_app (APPLICATION CHARACTERISTICS) | Identifies the behavioural characteristics of the application associated with the network traffic. |
| container_of_app (APPLICATION CONTAINER) | Identifies the managing application or parent of the application associated with this network traffic. |
| customer_id (TENANT ID) | The ID that uniquely identifies the Strata Logging Service instance that received this log record. |
| dest_ip.value (DESTINATION ADDRESS) | Original destination IP address. |
| dest_port (DESTINATION PORT) | Network traffic's destination port. If this value is 0, the application is using its standard port. |
| dest_user_info.domain (DESTINATION USER DOMAIN) | Domain to which the destination user belongs. |
| dest_user_info.name (DESTINATION USER NAME) | The destination user, that is, the username to which the network traffic was destined. |
| dest_user_info.uuid (DESTINATION USER UUID) | Unique identifier assigned to the destination user. |
| from_zone (FROM ZONE) | The networking zone from which the traffic originated. |
| inbound_I (INBOUND INTERFACE) | Interface from which the network traffic was sourced. |
| is_client_to_server (IS CLIENT TO SERVER) | Indicates whether the direction of the traffic is from client to server. |
| is_ipv6 (IS IPV6) | Indicates whether IPv6 was used for the session. |
| is_saas_app (IS SAAS APPLICATION) | Internal use field. Indicates whether the application associated with this network traffic is a SaaS application. |
| log_source (PLATFORM TYPE) | Identifies the origin of the data, that is, the system that produced the data. |
| log_source_group_id (LOG SOURCE GROUP ID) | ID that uniquely identifies the log source group (logSourceGroupId) of the log, that is, the log_source_id of the group. |
| log_source_id (DEVICE SN) | ID that uniquely identifies the source of the log, that is, the serial number of the firewall that generated the log. |
| log_source_name (DEVICE NAME) | Name of the source of the log, that is, the hostname of the firewall that logged the network traffic. |
| log_source_tz_offset (LOG SOURCE TIMEZONE OFFSET) | Time zone offset from GMT of the source of the log. |
| log_time (TIME RECEIVED) | Time the log was received in Strata Logging Service. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| log_type.value (LOG TYPE) | Identifies the log type. |
| outbound_I (OUTBOUND INTERFACE) | Interface to which the network traffic was destined. |
| packets_received (PACKETS RECEIVED) | Number of server-to-client packets for the session. |
| packets_sent (PACKETS SENT) | Number of client-to-server packets for the session. |
| path.value (PATH VALUE) | Circuit information. |
| path_label (PATH LABEL) | WAN path label for the outbound WAN path. |
| platform_type (PLATFORM TYPE) | The platform type. |
| prisma_sdwan_element_name (PRISMA SDWAN ELEMENT NAME) | Prisma SD-WAN element name. |
| prisma_sdwan_site_name (PRISMA SDWAN SITE NAME) | Prisma SD-WAN site name. |
| protocol.value (PROTOCOL) | IP protocol associated with the session: TCP, UDP, or another protocol. |
| risk_of_app (APPLICATION RISK) | Indicates how risky the application is from a network security perspective. |
| rule_matched (RULE MATCHED) | Name of the security policy rule that the network traffic matched. |
| rule_matched_uuid (RULE MATCHED UUID) | Unique identifier for the security policy rule that the network traffic matched. |
| sanctioned_state_of_app (SANCTIONED STATE OF APP) | Indicates whether the application has been flagged as sanctioned by the firewall administrator. |
| session_end_reason.value (SESSION END REASON) | The reason the session terminated. |
| session_id (SESSION ID) | Identifies the flow's session ID. |
| session_start_time (SESSION START TIME) | Time when the session was established. The format is YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| source_device_category (SOURCE DEVICE CATEGORY) | Category of the device from which the session originated. |
| source_device_class (SOURCE DEVICE CLASS) | Class of the device from which the session originated. |
| source_device_host (SOURCE DEVICE HOST) | Hostname of the device from which the session originated. |
| source_device_mac (SOURCE DEVICE MAC) | MAC address of the device from which the session originated. |
| source_device_model (SOURCE DEVICE MODEL) | Model of the device from which the session originated. |
| source_device_os (SOURCE DEVICE OS) | OS type of the device from which the session originated. |
| source_device_osfamily (SOURCE DEVICE OS FAMILY) | OS family of the device from which the session originated. |
| source_device_osversion (SOURCE DEVICE OS VERSION) | OS version of the device from which the session originated. |
| source_device_profile (SOURCE DEVICE PROFILE) | Profile of the device from which the session originated. |
| source_device_vendor (SOURCE DEVICE VENDOR) | Vendor of the device from which the session originated. |
| source_ip.value (SOURCE ADDRESS) | Original source IP address of the session. |
| source_port (SOURCE PORT) | Source port used by the session. |
| source_user (SOURCE USER NAME) | The username of the source user. |
| source_user_info.domain (SOURCE USER DOMAIN) | The domain of the source user. |
| source_user_info.name (SOURCE USER INFO) | The name of the source user. |
| source_user_info.uuid (SOURCE USER UUID) | A unique identifier assigned to the source user. |
| sub_type.value (SUBTYPE) | Identifies the log subtype. |
| technology_of_app (APPLICATION TECHNOLOGY) | The networking technology used by the identified application. |
| time_generated (TIME GENERATED) | Time when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch. |
| time_generated_high_res (TIME GENERATED HIGH RESOLUTION) | Time the log was generated on the data plane with millisecond granularity, in the format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z. |
| to_zone (TO ZONE) | The networking zone to which the traffic was sent. |
| total_time_elapsed (SESSION DURATION) | The total time taken for the network session to complete. |
| traffic_class (TRAFFIC CLASS) | Traffic class. |
| url_category.value (URL CATEGORY) | The URL category associated with the session. |
| vendor_name (VENDOR NAME) | Identifies the vendor that produced the data. |
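As an added example (not code from the Strata Logging Service documentation or the product), the following Python triages a few constructed SD-WAN Traffic records using the field names above: it decodes the microsecond epoch timestamps in log_time and time_generated, honours dest_port 0 meaning the application's standard port, and flags allowed flows for unsanctioned high-risk applications. The nested JSON layout for dotted field names, the risk cut-off and the upload ratio are assumptions, not something the table states.

```python
from datetime import datetime, timezone
# Constructed sample records keyed by the field names in the table above; dotted
# names (action.value, ...) are assumed to arrive as nested JSON objects.
SAMPLE_RECORDS = [
    {"action": {"value": "allow"}, "app": "web-browsing", "risk_of_app": 2,
     "sanctioned_state_of_app": True, "dest_ip": {"value": "203.0.113.10"},
     "dest_port": 0, "bytes_sent": 1200, "bytes_received": 54000, "source_user": "alice",
     "log_time": 1700000000123456, "time_generated": 1700000000000000,
     "protocol": {"value": "tcp"}},
    {"action": {"value": "allow"}, "app": "unknown-p2p", "risk_of_app": 5,
     "sanctioned_state_of_app": False, "dest_ip": {"value": "198.51.100.7"},
     "dest_port": 6881, "bytes_sent": 900000, "bytes_received": 4000, "source_user": "bob",
     "log_time": 1700000060000000, "time_generated": 1700000055000000,
     "protocol": {"value": "udp"}},
]
RISK_THRESHOLD = 4  # assumed cut-off; the table does not state the risk scale
UPLOAD_RATIO = 10   # assumed client-to-server : server-to-client byte ratio

def get_field(record, dotted):
    """Resolve 'a.b' against nested dicts, or against a literal 'a.b' key."""
    if dotted in record:
        return record[dotted]
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def epoch_micros_to_iso(micros):
    """log_time and time_generated are microseconds since the Unix epoch."""
    secs, us = divmod(int(micros), 1_000_000)  # integer math keeps full precision
    dt = datetime.fromtimestamp(secs, tz=timezone.utc).replace(microsecond=us)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def triage(record):
    # Derive analyst-facing findings from one SD-WAN Traffic record.
    findings = []
    if (get_field(record, "action.value") == "allow"
            and not record.get("sanctioned_state_of_app", False)
            and int(record.get("risk_of_app", 0)) >= RISK_THRESHOLD):
        findings.append("unsanctioned_high_risk_allowed")
    sent, recv = record.get("bytes_sent", 0), record.get("bytes_received", 0)
    if sent > UPLOAD_RATIO * max(recv, 1):  # client-to-server heavy flow
        findings.append("upload_heavy")
    port = "standard" if record.get("dest_port", 0) == 0 else str(record["dest_port"])
    return {"user": record.get("source_user"), "app": record.get("app"),
            "dest": f"{get_field(record, 'dest_ip.value')}:{port}/{get_field(record, 'protocol.value')}",
            "generated": epoch_micros_to_iso(record["time_generated"]),
            "ingest_lag_s": (record["log_time"] - record["time_generated"]) / 1_000_000,
            "findings": findings}
```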