Skip to main content
Skip table of contents

Traffic Messages

Vendor Documentation

Classification

Rule NameRule TypeClassificationCommon Event
Traffic MessagesBase RuleNetwork TrafficGeneral Network Traffic
Network Session CreatedSub RuleNetwork TrafficNetwork Session Created
Network Session ClosedSub RuleNetwork AllowTraffic Allowed by Network Firewall
Network Connection DroppedSub RuleNetwork DenyTraffic Denied by Network Firewall
Network Connection DeniedSub RuleNetwork DenyTraffic Denied by Network Firewall

Mapping with LogRhythm Schema

Device Key in Log MessageLogRhythm SchemaData TypeSchema Description
 N/A N/AN/AdeviceVendor
 N/A N/AN/AdeviceProduct
 N/AN/A N/AVersion
N/A <vmid>Text/StringLogType
 N/A<command>
<tag1>
Text/StringSubType
 N/A<severity>NumberdeviceSeverity
ProfileToken N/AN/A N/A
dtzN/A N/A N/A
rtN/A N/ATime the log was received in Cortex Data Lake. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
deviceExternalId<serialnumber>Text/String/NumberID that uniquely identifies the source of the log. That is, the serial number of the firewall that generated the log.
PanOSApplicationContainerN/A N/AIdentifies the managing application or parent of the application associated with this network traffic.
PanOSApplicationRiskN/A N/AIndicates how risky the application is from a network security perspective.
PanOSApplicationSubcategoryN/A N/AIdentifies the application's subcategory. The subcategory is related to the application's category, which is identified in category_of_app.
PanOSApplicationTechnologyN/A N/AThe networking technology used by the identified application.
PanOSCaptivePortalN/A N/AIndicates if user information for the session was captured through Captive Portal.
PanOSCortexDataLakeTenantIDN/A N/AThe ID that uniquely identifies the Cortex Data Lake instance which received this log record.
PanOSDestinationDeviceClassN/A N/ADestination device class.
PanOSDestinationDeviceOSN/A N/ADestination device OS type.
dntdom<domainimpacted>Text/StringDomain to which the Destination User belongs.
dusername<account>Text/StringThe username to which the network traffic was destined.
duidN/A N/AUnique identifier assigned to the Destination User.
PanOSInboundInterfaceDetailsPortN/A N/AHardware port or socket from which the network traffic was sourced.
PanOSInboundInterfaceDetailsSlotN/A N/AInterface slot from which the network traffic was sourced.
PanOSInboundInterfaceDetailsTypeN/A N/AThe type of interface from which the network traffic was sourced.
PanOSInboundInterfaceDetailsUnitN/A N/AInternal use.
PanOSIsClienttoServerN/A N/AIndicates if direction of traffic is from client to server.
PanOSIsContainerN/A N/AIndicates if the session is a container page access (Container Page).
PanOSIsDecryptMirrorN/A N/AIndicates whether decrypted traffic was sent out in clear text through a mirror port.
PanOSIsDecryptedN/A N/AFlag that indicates that the session is decrypted.
PanOSIsDecryptedLogN/A N/AUnknown field. No information is available at this time.
PanOSIsDecryptedPayloadForwardN/A N/AUnknown field. No information is available at this time.
PanOSIsDuplicateLogN/A N/AIndicates whether this log data is available in multiple locations, such as from Cortex Data Lake as well as from an on-premise log collector.
PanOSIsEncryptedN/A N/AFlag that indicates that the session is encrypted.
PanOSIsIPV6N/A N/AIndicates whether IPV6 was used for the session.
PanOSIsInspectionBeforeSessionN/A N/AUnknown field. No information is available at this time.
PanOSIsMptcpOnN/A N/AIndicates whether the option is enabled on the next-generation firewall that allows a client to use multiple paths to connect to a destination host.
PanOSIsNonStandardDestinationPortN/A N/AIndicates if the destination port is non-standard.
PanOSIsPacketCaptureN/A N/AIndicates whether the session has a packet capture (PCAP).
PanOSIsPhishingN/A N/AIndicates whether enterprise credentials were submitted by an end user.
PanOSIsPrismaNetworkN/A N/AInternal-use field. If set to 1, the log was generated on a cloud-based firewall. If 0, the firewall was running on-premise.
PanOSIsPrismaUsersN/A N/AInternal use field. If set to 1, the log record was generated using a cloud-based GlobalProtect instance. If 0, GlobalProtect was hosted on-premise.
PanOSIsProxyN/A N/AIndicates whether the SSL session is decrypted (SSL Proxy).
PanOSIsReconExcludedN/A N/AIndicates whether source for the flow is on the firewall allow list and not subject to recon protection.
PanOSIsSaaSApplicationN/A N/AInternal use field. Indicates whether the application associated with this network traffic is a SAAS application.
PanOSIsServertoClientN/A N/AIndicates if direction of traffic is from server to client.
PanOSIsSourceXForwardedN/A N/AIndicates whether the X-Forwarded-For value from a proxy is in the source user field.
PanOSIsSystemReturnN/A N/AIndicates whether symmetric return was used to forward traffic for this session.
PanOSIsTransactionN/A N/AIndicates whether the log corresponds to a transaction within an HTTP proxy session (Proxy Transaction).
PanOSIsTunnelInspectedN/A N/AIndicates whether the payload for the outer tunnel was inspected.
PanOSIsURLDeniedN/A N/AIndicates whether the session was denied due to a URL filtering rule.
PanOSLogExportedN/A N/AIndicates if this log was exported from the firewall using the firewall's log export function.
PanOSLogForwardedN/A N/AInternal-use field that indicates if the log is being forwarded.
PanOSLogSourceN/A N/AIdentifies the origin of the data. That is, the system that produced the data.
PanOSLogSourceTimeZoneOffsetN/A N/ATime Zone offset from GMT of the source of the log.
PanOSNATN/A N/AIndicates if the firewall is performing network address translation (NAT) for the logged traffic.
PanOSNonStandardDestinationPort N/AN/AIdentifies the non-standard or unexpected port used by the application associated with this session.
PanOSOutboundInterfaceDetailsPortN/A N/AHardware port or socket to which the network traffic was sent.
PanOSOutboundInterfaceDetailsSlotN/A N/AInterface slot to which the network traffic was sent.
PanOSOutboundInterfaceDetailsTypeN/A N/AThe type of interface to which the network traffic was sent.
PanOSOutboundInterfaceDetailsUnitN/A N/AInternal use.
PanOSSDWANFECRatioN/A N/ASDWAN forward error correction (FEC) ratio.
PanOSSanctionedStateOfAppN/A N/AIndicates whether the application has been flagged as sanctioned by the firewall administrator.
PanOSSessionOwnerMidxN/A N/AUnknown field. No information is available at this time.
PanOSSessionTrackerN/A N/AUnknown field. No information is available at this time.
PanOSSourceDeviceClassN/A N/ASource device class.
PanOSSourceDeviceOSN/A N/ASource device OS type.
sntdom<domainorigin>Text/StringDomain to which the Source User belongs.
susername<domainorigin>\<login>Text/StringThe username that initiated the network traffic.
suidN/A N/AUnique identifier assigned to the Source User.
PanOSTunneledApplicationN/A N/AFor internal use only.
PanOSUsersN/A N/ASource/Destination user. If neither is available, source_ip is used.
PanOSVirtualSystemIDN/A N/AA unique identifier for a virtual system on a Palo Alto Networks firewall.
PanOSApplicationCategoryN/A N/AIdentifies the high-level family of the application.
PanOSConfigVersionN/A N/AVersion number of the firewall operating system that wrote this log record.
startN/A N/ATime when the log was generated on the firewall's data plane. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
src<sip>IP AddressOriginal source IP address.
dst<dip>IP AddressOriginal destination IP address.
sourceTranslatedAddress<snatip>IP AddressIf source NAT was performed, the post-NAT source IP address.
destinationTranslatedAddress<dnatip>IP AddressIf destination NAT was performed, the post-NAT destination IP address.
cs1<policy>Text/StringName of the security policy rule that the network traffic matched.
cs1LabelN/A N/A
susername0N/A N/AThe Source User. That is, the username that initiated the network traffic.
dusername0N/A N/AThe Destination User. That is, the username to which the network traffic was destined.
app<object>Text/StringApplication associated with the network traffic.
cs3N/A N/AString representation of the unique identifier for a virtual system on a Palo Alto Networks firewall.
cs3LabelN/A N/A N/A
cs4N/A N/AThe networking zone from which the traffic originated.
cs4LabelN/A N/A N/A
cs5N/A N/ANetworking zone to which the traffic was sent.
cs5LabelN/A N/A N/A
deviceInboundInterface<sinterface>Text/StringInterface from which the network traffic was sourced.
deviceOutboundInterface<dinterface>Text/StringInterface to which the network traffic was destined.
cs6N/A N/ALog forwarding profile name that was applied to the session. This name was defined by the firewall's administrator.
cs6LabelN/A N/A N/A
cn1<session>NumberIdentifies the firewall's internal identifier for a specific network session.
cn1LabelN/A N/A N/A
cntN/A N/ANumber of sessions with same Source IP, Destination IP, Application, and Content/Threat Type seen for the summary interval.
spt<sport>NumberSource port utilized by the session.
dpt<dport>NumberNetwork traffic's destination port. If this value is 0, then the app is using its standard port.
sourceTranslatedPort<snatport>NumberPost-NAT source port.
destinationTranslatedPort<dnatport>NumberPost-NAT destination port.
proto<protname>Text/StringIP protocol associated with the session.
act<action>Text/StringIdentifies the action that the firewall took for the network traffic.
PanOSBytesN/A N/ANumber of total bytes (transmit and receive).
out<bytesin>NumberNumber of bytes in the client-to-server network traffic.
in<bytesout>NumberNumber of bytes in the server-to-client network traffic.
cn2N/A N/ANumber of total packets (transmit and receive) seen for the session.
cn2LabelN/A N/A N/A
PanOSSessionStartTimeN/A N/ATime when the session was established. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
cn3<seconds>NumberTotal time taken for the network session to complete.
cn3LabelN/A N/A N/A
cs2N/A N/AURL category associated with the session.
cs2LabelN/A N/A N/A
externalIdN/A N/AThe log entry identifier, which is incremented sequentially. Each log type has a unique number space.
PanOSSourceLocationN/A N/ASource country or internal region for private addresses.
PanOSDestinationLocationN/A N/ADestination country or internal region for private addresses.
PanOSPacketsSent<packetsin>NumberNumber of client-to-server packets for the session.
PanOSPacketsReceived<packetsout>NumberNumber of server-to-client packets for the session.
reason<reason>Text/StringThe reason a session terminated.
PanOSDGHierarchyLevel1N/A N/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel2N/A N/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel3N/A N/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSDGHierarchyLevel4N/A N/AA sequence of identification numbers that indicate the device group’s location within a device group hierarchy.
PanOSVirtualSystemNameN/A N/AThe name of the virtual system associated with the network traffic.
dvchostN/A N/AName of the source of the log. That is, the hostname of the firewall that logged the network traffic.
cat<subject>Text/StringSpecifies whether the action taken to allow or block an application was defined in the application or in policy.
PanOSSourceUUIDN/A N/AIdentifies the source universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSDestinationUUIDN/A N/AIdentifies the destination universal unique identifier for a guest virtual machine in the VMware NSX environment.
PanOSIMSIN/A N/AID of the tunnel being inspected or the International Mobile Subscriber Identity (IMSI) ID of the mobile user.
PanOSIMEIN/A N/AA string used to group similar traffic together for logging and reporting. This value is globally defined on the firewall by the administrator.
PanOSParentSessionIDN/A N/AID of the session in which this network traffic was tunneled.
PanOSParentStarttimeN/A N/ATime that the parent session began. This string contains a timestamp value that is the number of microseconds since the Unix epoch.
PanOSTunnelN/A N/AType of tunnel.
PanOSEndpointAssociationIDN/A N/AThe ID assigned to the endpoint association used for the SCTP network traffic.
PanOSChunksTotalN/A N/AThe total number of SCTP data chunks in the network traffic.
PanOSChunksSentN/A N/AThe total number of SCTP data chunks in the client-to-server network traffic.
PanOSChunksReceivedN/A N/AThe total number of SCTP data chunks in the server-to-client network traffic.
PanOSRuleUUIDN/A N/AUnique identifier for the security policy rule that the network traffic matched.
PanOSHTTP2ConnectionN/A N/AParent session ID for an HTTP/2 connection. If the traffic is not using HTTP/2, this field is set to 0.
PanOSLinkChangeCountN/A N/ANumber of times the app flapped in that session.
PanOSSDWANPolicyNameN/A N/AName of the SD-WAN policy.
PanOSLinkSwitchesN/A N/ADetails of the links switches (up-to 4).
PanOSSDWANClusterN/A N/AName of the SD-WAN cluster.
PanOSSDWANDeviceTypeN/A N/AType of SD-WAN device. Either hub or branch.
PanOSSDWANClusterTypeN/A N/AType of SD-WAN cluster. Either mesh or hub-spoke.
PanOSSDWANSiteN/A N/AName of the SD-WAN site.
PanOSDynamicUserGroupNameN/A N/ADynamic user group of the user who initiated the network connection.
PanOSX-Forwarded-ForIPN/A N/AX-Forwarded-For IP.
PanOSSourceDeviceCategoryN/A N/ACategory of the device from which the session originated.
PanOSSourceDeviceProfileN/A N/AProfile of the device from which the session originated.
PanOSSourceDeviceModelN/A N/AModel of the device from which the session originated.
PanOSSourceDeviceVendorN/A N/AVendor of the device from which the session originated.
PanOSSourceDeviceOSFamilyN/A N/AOS family of the device from which the session originated.
PanOSSourceDeviceOSVersionN/A N/AOS version of the device from which the session originated.
PanOSSourceDeviceHost<sname>Text/StringHostname of the device from which the session originated.
PanOSSourceDeviceMac<smac>Text/String/NumberMAC Address of the device from which the session originated.
PanOSDestinationDeviceCategoryN/A N/ACategory of the device to which the session was directed.
PanOSDestinationDeviceProfileN/A N/AProfile of the device to which the session was directed.
PanOSDestinationDeviceModelN/A N/AModel of the device to which the session was directed.
PanOSDestinationDeviceVendorN/A N/AVendor of the device to which the session was directed.
PanOSDestinationDeviceOSFamilyN/A N/AOS family of the device to which the session was directed.
PanOSDestinationDeviceOSVersionN/A N/AOS version of the device to which the session was directed.
PanOSDestinationDeviceHost<dname>Text/StringHostname of the device to which the session was directed.
PanOSDestinationDeviceMac<dmac>Text/String/NumberMAC Address of the device to which the session was directed.
PanOSContainerIDN/A N/AUnknown field. No information is available at this time.
PanOSContainerNameSpaceN/A N/AContainer namespace.
PanOSContainerNameN/A N/AContainer name.
PanOSSourceEDLN/A N/AThe name of the external dynamic list that contains the source IP address of the traffic.
PanOSDestinationEDLN/A N/AThe name of the external dynamic list that contains the destination IP address of the traffic.
PanOSGPHostIDN/A N/AA unique ID that GlobalProtect assigns to identify the host.
PanOSEndpointSerialNumberN/A N/ASerial number of the host on which GlobalProtect is installed.
PanOSSourceDynamicAddressGroupN/A N/AThe dynamic address group that Device-ID identifies as the source of the traffic.
PanOSDestinationDynamicAddressGroup N/AN/AThe dynamic address group that Device-ID identifies as the destination for the traffic.
PanOSHASessionOwnerN/A N/AName of cluster member in which session failed over from.
PanOSTimeGeneratedHighResolutionN/A N/ATime the log was generated in data plane with millisec granularity in format YYYY-MM-DDTHH:MM:SS[.DDDDDD]Z.
PanOSNSSAINetworkSliceTypeN/A N/ANetwork Slice Type (SST part of SNSSAI).
PanOSNSSAINetworkSliceDifferentiatorN/A N/ANetwork Slice Differentiator (SD part of SNSSAI).
PanOSIsOffloadedN/A N/AIndicates whether the traffic flow is offloaded to hardware before the packets enter Linux kernel on VM/CN series.
PanOSLocationN/A N/APrisma Access Region/Location.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.