SD-WAN Traffic

Strata Logging Service

Each log entry includes details of the security action, the identified application, the user information, and the key network characteristics for every traffic flow.
See the following for information related to supported log formats. Each entry lists the SD-WAN TRAFFIC field and its display name, a description, and the corresponding CEF, EMAIL, HTTPS and LEEF field names.
action.value
(ACTION)
Identifies the action that the flow controller took for the network flow.
CEF field name: act
EMAIL field name: Action
HTTPS field name: Action
LEEF field name: Action
app
(APPLICATION)
Application associated with the network traffic.
CEF field name: app
EMAIL field name: Application
HTTPS field name: Application
LEEF field name: Application
app_category
(APPLICATION CATEGORY)
Identifies the high-level family of the application.
CEF field name: PanOSApplicationCategory
EMAIL field name: ApplicationCategory
HTTPS field name: ApplicationCategory
LEEF field name: ApplicationCategory
app_sub_category
(APPLICATION SUBCATEGORY)
Identifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
EMAIL field name: ApplicationSubcategory
HTTPS field name: ApplicationSubcategory
LEEF field name: ApplicationSubcategory
bytes_received
(DSTBYTES)
Number of bytes in the server-to-client network traffic.
CEF field name: Predefined
EMAIL field name: BytesReceived
HTTPS field name: BytesReceived
LEEF field name: dstBytes
bytes_sent
(SRCBYTES)
Number of bytes in the client-to-server network traffic.
CEF field name: Predefined
EMAIL field name: BytesSent
HTTPS field name: BytesSent
LEEF field name: srcBytes
characteristics_of_app
(APPLICATION CHARACTERISTICS)
Identifies the behavioral characteristic of the application associated with the network traffic.
EMAIL field name: ApplicationCharacteristics
HTTPS field name: ApplicationCharacteristics
container_of_app
(APPLICATION CONTAINER)
Identifies the managing application or parent of the application associated with this network traffic.
EMAIL field name: ApplicationContainer
HTTPS field name: ApplicationContainer
LEEF field name: ApplicationContainer
customer_id
(CORTEX DATA LAKE TENANT ID)
The ID that uniquely identifies the Cortex Data Lake instance which received this log record.
EMAIL field name: CortexDataLakeTenantId
HTTPS field name: CortexDataLakeTenantId
LEEF field name: CortexDataLakeTenantId
dest_ip.value
(DESTINATION IP)
Original destination IP address.
CEF field name: PanOSDestinationIP
EMAIL field name: DestinationIP
HTTPS field name: DestinationIP
LEEF field name: DestinationIP
dest_port
(DESTINATION PORT)
Network traffic's destination port. If this value is 0, then the app is using its standard port.
CEF field name: dpt
EMAIL field name: DestinationPort
HTTPS field name: DestinationPort
LEEF field name: dstPort
dest_user_info.domain
(DESTINATION USER DOMAIN)
EMAIL field name: DestinationUserInfoDomain
HTTPS field name: DestinationUserInfoDomain
LEEF field name: DestinationUserInfoDomain
dest_user_info.name
(DESTINATION USER NAME)
CEF field name: PanOSDestinationUserName
EMAIL field name: DestinationUserInfoName
HTTPS field name: DestinationUserInfoName
LEEF field name: DestinationUserInfoName
dest_user_info.uuid
(DESTINATION USER UUID)
CEF field name: PanOSDestinationUserUUID
EMAIL field name: DestinationUserInfoUUID
HTTPS field name: DestinationUserInfoUUID
LEEF field name: DestinationUserInfoUUID
from_zone
(FROM ZONE)
The networking zone from which the traffic originated.
CEF field name: cs4
EMAIL field name: FromZone
HTTPS field name: FromZone
LEEF field name: FromZone
inbound_if.value
(INBOUND INTERFACE)
Interface from which the network traffic was sourced.
CEF field name: deviceInboundInterface
EMAIL field name: InboundInterface
HTTPS field name: InboundInterface
LEEF field name: InboundInterface
is_client_to_server
(IS CLIENT TO SERVER)
Indicates whether the direction of the traffic is from client to server.
CEF field name: Custom
EMAIL field name: IsClienttoServer
HTTPS field name: IsClienttoServer
LEEF field name: IsClienttoServer
is_ipv6
(IS IPV6)
Indicates whether IPV6 was used for the session.
CEF field name: PanOSIsIPV6
EMAIL field name: IsIPV6
HTTPS field name: IsIPV6
LEEF field name: IsIPV6
is_saas_app
(IS SAAS APPLICATION)
Internal use field. Indicates whether the application associated with this network traffic is a SAAS application.
CEF field name: PanOSIsSaaSApplication
EMAIL field name: IsSaaSApplication
HTTPS field name: IsSaaSApplication
LEEF field name: IsSaaSApplication
log_source
(LOG SOURCE)
Identifies the origin of the data - the system that produced the data.
CEF field name: PanOSLogSource
EMAIL field name: LogSource
HTTPS field name: LogSource
LEEF field name: LogSource
log_source_group_id
(LOG SOURCE GROUP ID)
ID that uniquely identifies the log source group (logSourceGroupId) of the log, that is, the log_source_id of the group.
CEF field name: LogSourceGroupID
EMAIL field name: LogSourceGroupID
HTTPS field name: LogSourceGroupID
LEEF field name: LogSourceGroupID
log_source_id
(DEVICE SN)
ID that uniquely identifies the source of the log - serial number of the firewall that generated the log.
CEF field name: deviceExternalID
EMAIL field name: DeviceSN
HTTPS field name: DeviceSN
LEEF field name: DeviceSN
log_source_name
(DEVICE NAME)
Name of the source of the log - hostname of the firewall that logged the network traffic.
CEF field name: dvchost
EMAIL field name: DeviceName
HTTPS field name: DeviceName
LEEF field name: DeviceName
log_source_tz_offset
(LOG SOURCE TIMEZONE OFFSET)
Time zone offset from GMT of the source of the log.
EMAIL field name: LogSourceTimeZoneOffset
HTTPS field name: LogSourceTimeZoneOffset
LEEF field name: LogSourceTimeZoneOffset
log_time
(TIME RECEIVED)
Time the log was received in Cortex Data Lake. This is populated by the platform.
CEF field name: rt
EMAIL field name: TimeReceived
HTTPS field name: TimeReceived
LEEF field name: TimeReceived
log_type.value
(LOG TYPE)
Identifies the log type.
CEF field name: DeviceEventClassID
EMAIL field name: LogType
HTTPS field name: LogType
LEEF field name: cat
outbound_if.value
(EGRESS INTERFACE)
Interface to which the network traffic was destined.
CEF field name: deviceOutboundInterface
EMAIL field name: EgressInterface
HTTPS field name: EgressInterface
LEEF field name: EgressInterface
packets_received
(DSTPACKETS)
Number of server-to-client packets for the session.
CEF field name: Custom
EMAIL field name: PacketsReceived
HTTPS field name: PacketsReceived
LEEF field name: dstPackets
packets_sent
(SRCPACKETS)
Number of client-to-server packets for the session.
CEF field name: Custom
EMAIL field name: PacketsSent
HTTPS field name: PacketsSent
LEEF field name: srcPackets
path.value
(PATH VALUE)
Circuit Information.
CEF field name: PanOSPathValue
EMAIL field name: PathValue
HTTPS field name: PathValue
LEEF field name: PathValue
path_label
(PATH LABEL)
WAN path label for a given outbound WAN path.
CEF field name: PanOSPathLabel
EMAIL field name: PathLabel
HTTPS field name: PathLabel
LEEF field name: PathLabel
platform_type
(PLATFORM TYPE)
Identifies the platform that generated the log.
CEF field name: PlatformType
EMAIL field name: PlatformType
HTTPS field name: PlatformType
LEEF field name: PlatformType
prisma_sdwan_element_id
(SDWAN ELEMENT ID)
Prisma SDWAN Element Identifier.
CEF field name: PanOSSDWANElementId
EMAIL field name: SDWANElementId
HTTPS field name: SDWANElementId
LEEF field name: SDWANElementId
prisma_sdwan_element_name
(SDWAN ELEMENT NAME)
Prisma SDWAN Element Name.
CEF field name: PanOSSDWANElementName
EMAIL field name: SDWANElementName
HTTPS field name: SDWANElementName
LEEF field name: SDWANElementName
prisma_sdwan_site_id
(SDWAN SITE ID)
Prisma SDWAN Site Identifier.
CEF field name: PanOSSDWANSiteId
EMAIL field name: SDWANSiteId
HTTPS field name: SDWANSiteId
LEEF field name: SDWANSiteId
prisma_sdwan_site_name
(SDWAN SITE NAME)
Prisma SDWAN Site Name.
CEF field name: PanOsSDWANSiteName
EMAIL field name: SDWANSiteName
HTTPS field name: SDWANSiteName
LEEF field name: SDWANSiteName
prisma_sdwan_tenant_id
(SDWAN TENANT ID)
Prisma SDWAN Tenant Identifier.
CEF field name: PanOSSDWANTenantId
EMAIL field name: SDWANTenantId
HTTPS field name: SDWANTenantId
LEEF field name: SDWANTenantId
protocol.value
(IP PROTOCOL)
IP protocol associated with the session.
CEF field name: proto
EMAIL field name: IPProtocol
HTTPS field name: IPProtocol
LEEF field name: proto
risk_of_app
(APPLICATION RISK)
Indicates how risky the application is from a network security perspective.
CEF field name: PanOSApplicationRisk
EMAIL field name: ApplicationRisk
HTTPS field name: ApplicationRisk
LEEF field name: ApplicationRisk
rule_matched
(SECURITY RULE)
Name of the security policy rule that the network traffic matched.
CEF field name: cs1
EMAIL field name: SecurityRule
HTTPS field name: SecurityRule
LEEF field name: SecurityRule
rule_matched_uuid
(RULE UUID)
Unique identifier for the security policy rule that the network traffic matched.
CEF field name: PanOSRuleUUID
EMAIL field name: RuleUUID
HTTPS field name: RuleUUID
LEEF field name: RuleUUID
sanctioned_state_of_app
(SANCTIONED STATE OF APP)
Indicates whether the application has been flagged as sanctioned by the firewall administrator.
EMAIL field name: SanctionedStateOfApp
HTTPS field name: SanctionedStateOfApp
LEEF field name: SanctionedStateOfApp
session_end_reason.value
(SESSION END REASON)
The reason a session terminated.
CEF field name: reason
EMAIL field name: SessionEndReason
HTTPS field name: SessionEndReason
LEEF field name: SessionEndReason
session_id
(SESSION ID)
Identifies the session ID of the flow.
CEF field name: cn1
EMAIL field name: SessionID
HTTPS field name: SessionID
LEEF field name: SessionID
session_start_time
(STARTTIME)
Time when the session was established in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: Custom
EMAIL field name: SessionStartTime
HTTPS field name: SessionStartTime
LEEF field name: SessionStartTime
source_device_category
(SOURCE DEVICE CATEGORY)
Category of the device from which the session originated.
EMAIL field name: SourceDeviceCategory
HTTPS field name: SourceDeviceCategory
LEEF field name: SourceDeviceCategory
source_device_class
(SOURCE DEVICE CLASS)
Source device class.
CEF field name: PanOSSourceDeviceClass
EMAIL field name: SourceDeviceClass
HTTPS field name: SourceDeviceClass
LEEF field name: SourceDeviceClass
source_device_host
(SOURCE DEVICE HOST)
Hostname of the device from which the session originated.
CEF field name: PanOSSourceDeviceHost
EMAIL field name: SourceDeviceHost
HTTPS field name: SourceDeviceHost
LEEF field name: SourceDeviceHost
source_device_mac
(SOURCE DEVICE MAC)
MAC Address of the device from which the session originated.
CEF field name: PanOSSourceDeviceMac
EMAIL field name: SourceDeviceMac
HTTPS field name: SourceDeviceMac
LEEF field name: SourceDeviceMac
source_device_model
(SOURCE DEVICE MODEL)
Model of the device from which the session originated.
CEF field name: PanOSSourceDeviceModel
EMAIL field name: SourceDeviceModel
HTTPS field name: SourceDeviceModel
LEEF field name: SourceDeviceModel
source_device_os
(SOURCE DEVICE OS)
Source device OS type.
CEF field name: PanOSSourceDeviceOS
EMAIL field name: SourceDeviceOS
HTTPS field name: SourceDeviceOS
LEEF field name: SourceDeviceOS
source_device_osfamily
(SOURCE DEVICE OS FAMILY)
OS family of the device from which the session originated.
EMAIL field name: SourceDeviceOSFamily
HTTPS field name: SourceDeviceOSFamily
LEEF field name: SourceDeviceOSFamily
source_device_osversion
(SOURCE DEVICE OS VERSION)
OS version of the device from which the session originated.
EMAIL field name: SourceDeviceOSVersion
HTTPS field name: SourceDeviceOSVersion
LEEF field name: SourceDeviceOSVersion
source_device_profile
(SOURCE DEVICE PROFILE)
Profile of the device from which the session originated.
CEF field name: PanOSSourceDeviceProfile
EMAIL field name: SourceDeviceProfile
HTTPS field name: SourceDeviceProfile
LEEF field name: SourceDeviceProfile
source_device_vendor
(SOURCE DEVICE VENDOR)
Vendor of the device from which the session originated.
CEF field name: PanOSSourceDeviceVendor
EMAIL field name: SourceDeviceVendor
HTTPS field name: SourceDeviceVendor
LEEF field name: SourceDeviceVendor
source_ip.value
(SOURCE IP)
Original source IP address.
CEF field name: src
EMAIL field name: SourceIP
HTTPS field name: SourceIP
LEEF field name: src
source_port
(SOURCE PORT)
Source port utilized by the session.
CEF field name: spt
EMAIL field name: SourcePort
HTTPS field name: SourcePort
LEEF field name: srcPort
source_user
(SOURCE USER)
User Name.
CEF field name: suser
EMAIL field name: SourceUser
HTTPS field name: SourceUser
LEEF field name: UsrName
source_user_info.domain
(SOURCE USER DOMAIN)
CEF field name: PanOSSourceUserDomain
EMAIL field name: SourceUserInfoDomain
HTTPS field name: SourceUserInfoDomain
LEEF field name: SourceUserInfoDomain
source_user_info.name
(SOURCE USER NAME)
CEF field name: PanOSSourceUserName
EMAIL field name: SourceUserInfoName
HTTPS field name: SourceUserInfoName
LEEF field name: SourceUserInfoName
source_user_info.uuid
(SOURCE USER UUID)
CEF field name: PanOSSourceUserUUID
EMAIL field name: SourceUserInfoUUID
HTTPS field name: SourceUserInfoUUID
LEEF field name: SourceUserInfoUUID
sub_type.value
(SUB TYPE)
Identifies the log subtype.
CEF field name: Name
EMAIL field name: SubType
HTTPS field name: SubType
LEEF field name: SubType
technology_of_app
(APPLICATION TECHNOLOGY)
The networking technology used by the identified application.
EMAIL field name: ApplicationTechnology
HTTPS field name: ApplicationTechnology
LEEF field name: ApplicationTechnology
time_generated
(TIME GENERATED)
Time the log was generated on the data plane in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
CEF field name: start
EMAIL field name: TimeGenerated
HTTPS field name: TimeGenerated
LEEF field name: devTime
time_generated_high_res
(TIME GENERATED HIGH RESOLUTION)
Time the log was generated on the data plane with millisecond granularity, in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
EMAIL field name: TimeGeneratedHighResolution
HTTPS field name: TimeGeneratedHighResolution
to_zone
(DESTINATION ZONE)
The networking zone to which the traffic was sent.
CEF field name: cs5
EMAIL field name: ToZone
HTTPS field name: ToZone
LEEF field name: ToZone
total_time_elapsed
(ELAPSEDTIME)
Total time taken for the network session to complete.
CEF field name: Predefined
EMAIL field name: SessionDuration
HTTPS field name: SessionDuration
LEEF field name: SessionDuration
traffic_class
(TRAFFIC CLASS)
Traffic class.
CEF field name: PanOSTrafficClass
EMAIL field name: TrafficClass
HTTPS field name: TrafficClass
LEEF field name: TrafficClass
tsg_id
(TSG ID)
The ID that uniquely identifies the Tenant Service Group (TSG) that this log record should be associated with.
CEF field name: PanOSTSGID
EMAIL field name: TSGID
HTTPS field name: TSGID
LEEF field name: TSGID
url_category.value
(URL CATEGORY)
URL category associated with the session.
CEF field name: cs2
EMAIL field name: URLCategory
HTTPS field name: URLCategory
LEEF field name: URLCategory
vendor_name
(VENDOR NAME)
Identifies the vendor that produced the data.
CEF field name: Device Vendor
EMAIL field name: VendorName
HTTPS field name: VendorName
LEEF field name: Vendor
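As an added example, not part of this reference page and not Palo Alto Networks code, the following Python normalizes one CEF-formatted SD-WAN Traffic record into the field names listed above. The CEF key mappings (act, app, src, dpt, cs1, cs4, cs5, rt, start, deviceExternalID, dvchost, the PanOS* keys and the Device Vendor, DeviceEventClassID and Name header positions) come from the table; it also applies the documented meaning of dest_port 0 (the app is on its standard port) and parses the YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z timestamp format. The sample record, the product and version strings in its header, and the is_high_risk_allowed risk threshold are constructed assumptions for illustration.

```python
"""Normalize a CEF SD-WAN Traffic record into Strata Logging Service field names."""
import re
from datetime import datetime, timezone

# CEF extension key -> SD-WAN Traffic field name, taken from the table above.
CEF_TO_FIELD = {
    "act": "action.value",
    "app": "app",
    "PanOSApplicationCategory": "app_category",
    "PanOSDestinationIP": "dest_ip.value",
    "dpt": "dest_port",
    "cs4": "from_zone",
    "cs5": "to_zone",
    "deviceInboundInterface": "inbound_if.value",
    "deviceOutboundInterface": "outbound_if.value",
    "deviceExternalID": "log_source_id",
    "dvchost": "log_source_name",
    "rt": "log_time",
    "start": "time_generated",
    "proto": "protocol.value",
    "PanOSApplicationRisk": "risk_of_app",
    "cs1": "rule_matched",
    "PanOSRuleUUID": "rule_matched_uuid",
    "reason": "session_end_reason.value",
    "cn1": "session_id",
    "src": "source_ip.value",
    "spt": "source_port",
    "suser": "source_user",
    "cs2": "url_category.value",
    "PanOSPathLabel": "path_label",
    "PanOSPathValue": "path.value",
}

# The seven CEF header positions; Device Vendor, DeviceEventClassID and Name
# map to vendor_name, log_type.value and sub_type.value per the table.
HEADER_FIELDS = ("cef_version", "vendor_name", "device_product",
                 "device_version", "log_type.value", "sub_type.value", "severity")

# key=value pairs; a value runs until the next " key=" token or end of line.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Constructed sample record (not a real log); product/version strings are assumed.
SAMPLE_CEF = (
    "CEF:0|Palo Alto Networks|Example-Product|1.0|TRAFFIC|end|3|"
    "rt=2024-05-01T12:00:07.250000Z start=2024-05-01T12:00:00Z "
    "deviceExternalID=0123456789 dvchost=branch-fw-1 act=allow app=ssl "
    "PanOSApplicationCategory=networking PanOSApplicationRisk=4 "
    "src=10.20.30.40 spt=51234 PanOSDestinationIP=203.0.113.10 dpt=0 "
    "proto=tcp cs4=trust cs5=untrust cs1=allow-branch-web "
    "deviceInboundInterface=ethernet1/1 deviceOutboundInterface=ethernet1/2 "
    "PanOSPathLabel=mpls-primary cn1=987654 reason=tcp-fin suser=acme\\jdoe"
)


def split_header(line):
    """Split the seven pipe-delimited header fields, honouring the \\| escape.
    Returns (header_parts, extension_text)."""
    parts, cur, i = [], [], 0
    while i < len(line) and len(parts) < 7:
        ch = line[i]
        if ch == "\\" and i + 1 < len(line) and line[i + 1] in "|\\":
            cur.append(line[i + 1])
            i += 2
            continue
        if ch == "|":
            parts.append("".join(cur))
            cur = []
            i += 1
            continue
        cur.append(ch)
        i += 1
    return parts, line[i:]


def parse_ts(s):
    """Parse YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z into an aware UTC datetime."""
    if not s.endswith("Z"):
        raise ValueError("timestamp must end in Z: %r" % s)
    return datetime.fromisoformat(s[:-1]).replace(tzinfo=timezone.utc)


def parse_sdwan_cef(line):
    """Return a dict keyed by SD-WAN Traffic field names for one CEF record."""
    header, ext = split_header(line.strip())
    if len(header) != 7 or not header[0].startswith("CEF:"):
        raise ValueError("not a complete CEF record")
    rec = dict(zip(HEADER_FIELDS, header))
    rec["cef_version"] = rec["cef_version"][len("CEF:"):]
    for key, val in _EXT_RE.findall(ext):
        field = CEF_TO_FIELD.get(key, key)  # unknown keys keep their CEF name
        rec[field] = val.replace("\\=", "=").replace("\\\\", "\\")
    for f in ("dest_port", "source_port", "session_id", "risk_of_app"):
        if f in rec:
            rec[f] = int(rec[f])
    # Per the table, a dest_port of 0 means the app is using its standard port.
    rec["dest_port_is_app_default"] = rec.get("dest_port") == 0
    for f in ("time_generated", "log_time"):
        if f in rec:
            rec[f] = parse_ts(rec[f])
    return rec


def is_high_risk_allowed(rec, min_risk=4):
    """Triage helper: allowed flow whose application risk is at or above min_risk
    (the threshold is an assumption, not a value from the reference)."""
    return rec.get("action.value") == "allow" and rec.get("risk_of_app", 0) >= min_risk


if __name__ == "__main__":
    for k, v in sorted(parse_sdwan_cef(SAMPLE_CEF).items()):
        print("%-28s %s" % (k, v))
```

The normalized keys match the field names in the table, so a query written against the HTTPS or EMAIL schema can be reused on CEF input after this step; fields without a CEF mapping in the table (for example app_sub_category or the source_device_* fields) simply will not appear in a CEF-sourced record.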