V 2.0 Decryption Event Messages

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
| --- | --- | --- | --- |
| V 2.0 Decryption Event Messages | Base Rule | Session Information | Information |
| V 2.0 Decryption Session Allowed | Sub Rule | Traffic Allowed by Network Firewall | Network Allow |
| V 2.0 Decryption Session Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Decryption Session Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Decryption Session Reset | Sub Rule | Traffic Denied by Network Firewall | Network Deny |

Mapping with LogRhythm Schema

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
| --- | --- | --- | --- |
| Type (type) | <vmid> | Text/String | Specifies the type of log; the value is DECRYPTION. |
| Threat/ContentType (subtype) | <vendorinfo> | Text/String/Number | Not used in the Decryption log. |
| Source Address (src) | <sip> | IP Address | Original session source IP address. |
| Destination Address (dst) | <dip> | IP Address | Original session destination IP address. |
| NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT source IP address. |
| NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT destination IP address. |
| Rule (rule) | <policy> | Text/String | The security policy rule that controls the session traffic. |
| Source User (srcuser) | <domainorigin>, <login> | Text/String | The username of the user who initiated the session. |
| Destination User (dstuser) | <domainimpacted>, <account> | Text/String | The username of the user to which the session was destined. |
| Inbound Interface (inbound_if) | <sinterface> | Text/String | The interface the session was sourced from. |
| Outbound Interface (outbound_if) | <dinterface> | Text/String | The interface the session was destined to. |
| Session ID (sessionid) | <session> | Number | An internal numerical identifier applied to each session. |
| Repeat Count (repeatcnt) | <quantity> | Number | Number of sessions with the same Source IP, Destination IP, Application, and Content/Threat Type seen within 5 seconds. |
| Source Port (sport) | <sport> | Number | Source port used by the session. |
| Destination Port (dport) | <dport> | Number | Destination port used by the session. |
| NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port. |
| NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port. |
| IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session. |
| Action (action) | <action>, <tag1> | Text/String | Action taken for the session; the possible values are listed below the table. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
| Application Characteristic (characteristic_of_app) | <group> | Text/String | Comma-separated list of applicable characteristics of the application. |

Possible values of Action (action):

  • allow: the session was allowed by policy

  • deny: the session was denied by policy

  • drop: the session was dropped silently

  • drop ICMP: the session was silently dropped with an ICMP unreachable message sent to the host or application

  • reset both: the session was terminated and a TCP reset was sent to both sides of the connection

  • reset client: the session was terminated and a TCP reset was sent to the client

  • reset server: the session was terminated and a TCP reset was sent to the server
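As an added example (not LogRhythm or Palo Alto Networks code), the Python below applies both tables: it renames a DECRYPTION record from the device field names shown in parentheses to the LogRhythm schema names, converts the numeric fields, and picks the sub rule, common event and classification from the action value. It assumes the record has already been parsed into a dict keyed by those device field names, that srcuser/dstuser carry a DOMAIN\user form for the domain/login split, and that the drop and reset action variants feed the Dropped and Reset sub rules respectively.

```python
# Added example, not LogRhythm/Palo Alto code. Input: dict keyed by device field names.
FIELD_MAP = {  # device key -> LogRhythm schema name (from the mapping table)
    "type": "vmid", "subtype": "vendorinfo", "src": "sip", "dst": "dip",
    "natsrc": "snatip", "natdst": "dnatip", "rule": "policy",
    "inbound_if": "sinterface", "outbound_if": "dinterface",
    "sessionid": "session", "repeatcnt": "quantity", "sport": "sport",
    "dport": "dport", "natsport": "snatport", "natdport": "dnatport",
    "proto": "protname", "action": "action", "device_name": "objectname",
    "characteristic_of_app": "group",
}
NUMERIC = ("session", "quantity", "sport", "dport", "snatport", "dnatport")
BASE = ("V 2.0 Decryption Event Messages", "Session Information", "Information")
ALLOW = ("Traffic Allowed by Network Firewall", "Network Allow")
DENY = ("Traffic Denied by Network Firewall", "Network Deny")
ACTION_RULES = {  # action value -> (sub rule, common event, classification)
    "allow": ("V 2.0 Decryption Session Allowed",) + ALLOW,
    "deny": ("V 2.0 Decryption Session Denied",) + DENY,
    "drop": ("V 2.0 Decryption Session Dropped",) + DENY,
    "drop ICMP": ("V 2.0 Decryption Session Dropped",) + DENY,  # assumed grouping
    "reset both": ("V 2.0 Decryption Session Reset",) + DENY,
    "reset client": ("V 2.0 Decryption Session Reset",) + DENY,
    "reset server": ("V 2.0 Decryption Session Reset",) + DENY,
}

def split_user(value):
    """Split an assumed 'DOMAIN\\user' value into (domain, user); tolerates empty or bare user."""
    domain, sep, user = (value or "").rpartition("\\")
    return (domain, user) if sep else ("", user)

def map_decryption_record(rec):
    """Return (logrhythm_fields, (rule name, common event, classification))."""
    if rec.get("type") != "DECRYPTION":
        raise ValueError("not a DECRYPTION log: type=%r" % rec.get("type"))
    out = {FIELD_MAP[k]: v for k, v in rec.items() if k in FIELD_MAP}
    out["domainorigin"], out["login"] = split_user(rec.get("srcuser"))
    out["domainimpacted"], out["account"] = split_user(rec.get("dstuser"))
    for key in NUMERIC:  # session id, repeat count and ports are Number fields
        if key in out:
            out[key] = int(out[key])
    out["tag1"] = out.get("action", "")  # action lands in both <action> and <tag1>
    return out, ACTION_RULES.get(out["tag1"], BASE)  # unknown action stays on the base rule

# Constructed sample record, not a real firewall capture.
SAMPLE = {"type": "DECRYPTION", "src": "10.0.0.5", "dst": "203.0.113.10",
          "natsrc": "198.51.100.7", "rule": "decrypt-outbound", "srcuser": "CORP\\alice",
          "sessionid": "48213", "repeatcnt": "1", "sport": "51234", "dport": "443",
          "proto": "tcp", "action": "reset both", "device_name": "fw-edge-01",
          "characteristic_of_app": "has-known-vulnerability,used-by-malware"}
```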
