
V 2.0 Traffic Messages 1

Vendor Documentation

Classification

| Rule Name | Rule Type | Common Event | Classification |
|---|---|---|---|
| V 2.0 Traffic Messages | Base Rule | General Network Traffic | Network Traffic |
| V 2.0 Network Session Created | Sub Rule | Network Session Created | Network Traffic |
| V 2.0 Network Connection Denied | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Network Connection Dropped | Sub Rule | Traffic Denied by Network Firewall | Network Deny |
| V 2.0 Network Session Closed | Sub Rule | Disconnect Session | Network Traffic |

Mapping with LogRhythm Schema  

| Device Key in Log Message | LogRhythm Schema | Data Type | Schema Description |
|---|---|---|---|
| Header : Severity | <severity> | Text/String | N/A |
| Type (type) | <vmid> | Text/String | Specifies the type of log; the value is TRAFFIC |
| Threat/Content Type (subtype) | <vendorinfo>, <tag1> | Text/String | Subtype of traffic log; values are start, end, drop, and deny. Start—session started; End—session ended; Drop—The session dropped before the application is identified and there is no rule that allows the session; Deny—session dropped after the application is identified and there is a rule to block or no rule that allows the session. |
| Source Address (src) | <sip> | IP Address | Original session source IP address |
| Destination Address (dst) | <dip> | IP Address | Original session destination IP address |
| NAT Source IP (natsrc) | <snatip> | IP Address | If Source NAT is performed, the post-NAT Source IP address |
| NAT Destination IP (natdst) | <dnatip> | IP Address | If Destination NAT is performed, the post-NAT Destination IP address |
| Rule Name (rule) | <policy> | Text/String | Name of the rule that the session matched |
| Source User (srcuser) | <domainorigin>, <login> | Text/String | The username of the user who initiated the session |
| Destination User (dstuser) | <domainimpacted>, <account> | Text/String | The username of the user to which the session was destined |
| Application (app) | <object> | Text/String | Application associated with the session |
| Inbound Interface (inbound_if) | <sinterface> | Text/String | Interface that the session was sourced from |
| Outbound Interface (outbound_if) | <dinterface> | Text/String | The interface that the session was destined to |
| Session ID (sessionid) | <session> | Number | An internal numerical identifier is applied to each session |
| Source Port (sport) | <sport> | Number | Source port utilized by the session |
| Destination Port (dport) | <dport> | Number | Destination port utilized by the session |
| NAT Source Port (natsport) | <snatport> | Number | Post-NAT source port |
| NAT Destination Port (natdport) | <dnatport> | Number | Post-NAT destination port |
| IP Protocol (proto) | <protname> | Text/String | IP protocol associated with the session |
| Action (action) | <action> | Text/String | Action taken for the session; possible values are: allow—the session was allowed by policy; deny—the session was denied by policy; drop—the session was dropped silently; drop ICMP—the session was silently dropped with an ICMP unreachable message to the host or application; reset both—session was terminated and a TCP reset is sent to both sides of the connection; reset client—the session was terminated and a TCP reset is sent to the client; reset server—session was terminated and a TCP reset is sent to the server |
| Bytes Sent (bytes_sent) | <bytesin> | Number | Number of bytes in the client-to-server direction of the session |
| Bytes Received (bytes_received) | <bytesout> | Number | Number of bytes in the server-to-client direction of the session |
| Elapsed Time (elapsed) | <seconds> | Number | The elapsed time of the session |
| Category (category) | <subject> | Text/String | URL category associated with the session (if applicable) |
| Packets Sent (pkts_sent) | <packetsin> | Number | Number of client-to-server packets for the session |
| Packets Received (pkts_received) | <packetsout> | Number | Number of server-to-client packets for the session |
| Session End Reason (session_end_reason) | <reason> | Text/String | The reason a session was terminated. If the termination had multiple causes, this field displays only the highest priority reason. The possible values are listed after this table. |
| Device Name (device_name) | <objectname> | Text/String | The hostname of the firewall on which the session was logged. |
| Application Category (category_of_app)** | <objecttype> | Text/String | The application category is specified in the application configuration properties. Values are: business-systems, collaboration, general-internet, media, networking, saas |
| Application Characteristic (characteristic_of_app)** | <result> | Text/String | Comma-separated list of applicable characteristics of the application |

The possible session end reason values are as follows, in order of priority (where the first is highest):
  • threat—The firewall detected a threat associated with a reset, drop, or block (IP address) action.
  • policy-deny—The session matched a security rule with a deny or drop action.
  • decrypt-cert-validation—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses client authentication or when the session uses a server certificate with any of the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. This session end reason also displays when the server certificate produces a fatal error alert of type bad_certificate, unsupported_certificate, certificate_revoked, access_denied, or no_certificate_RESERVED (SSLv3 only).
  • decrypt-unsupport-param—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when the session uses an unsupported protocol version, cipher, or SSH algorithm. This session end reason is displayed when the session produces a fatal error alert of type unsupported_extension, unexpected_message, or handshake_failure.
  • decrypt-error—The session terminated because you configured the firewall to block SSL forward proxy decryption or SSL inbound inspection when firewall resources or the hardware security module (HSM) were unavailable. This session end reason is also displayed when you configured the firewall to block SSL traffic that has SSL errors or that produced any fatal error alert other than those listed for the decrypt-cert-validation and decrypt-unsupport-param end reasons.
  • tcp-rst-from-client—The client sent a TCP reset to the server.
  • tcp-rst-from-server—The server sent a TCP reset to the client.
  • resources-unavailable—The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
  • tcp-fin—Both hosts in the connection sent a TCP FIN message to close the session.
  • tcp-reuse—A session is reused and the firewall closes the previous session.
  • decoder—The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
  • aged-out—The session aged out.
  • unknown—This value applies in the following situations:
      • Session terminations that the preceding reasons do not cover (for example, a clear session all command).
      • For logs generated in a PAN-OS release that does not support the session end reason field (releases older than PAN-OS 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
      • In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.
  • n/a—This value applies when the traffic log type is not end.
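The mapping above applied to one already-parsed traffic event, as an added example that is not LogRhythm's or the firewall vendor's own code: it copies a subset of the table into the schema tags, enforces the IP Address and Number data types, and picks a rule name. Assumptions: the sub rule is selected by the subtype in <tag1>, user names arrive as domain\user, and the names `FIELD_MAP`, `USER_TAGS`, `SUB_RULES`, `normalize` and the sample event are constructed for illustration.

```python
import ipaddress
IP, NUM, TXT = "ip", "num", "txt"
# Device key -> (LogRhythm tag, data type): a subset of the mapping table above.
FIELD_MAP = {
    "type": ("vmid", TXT), "src": ("sip", IP), "dst": ("dip", IP),
    "natsrc": ("snatip", IP), "natdst": ("dnatip", IP), "rule": ("policy", TXT),
    "app": ("object", TXT), "sessionid": ("session", NUM),
    "sport": ("sport", NUM), "dport": ("dport", NUM), "proto": ("protname", TXT),
    "action": ("action", TXT), "bytes_sent": ("bytesin", NUM),
    "bytes_received": ("bytesout", NUM), "elapsed": ("seconds", NUM),
    "session_end_reason": ("reason", TXT),
}
USER_TAGS = {"srcuser": ("domainorigin", "login"),
             "dstuser": ("domainimpacted", "account")}
# ASSUMPTION: the sub rule is chosen from the subtype stored in <tag1>.
SUB_RULES = {"start": "V 2.0 Network Session Created",
             "deny": "V 2.0 Network Connection Denied",
             "drop": "V 2.0 Network Connection Dropped",
             "end": "V 2.0 Network Session Closed"}
BASE_RULE = "V 2.0 Traffic Messages"

def normalize(event):
    """Return (rule_name, schema_fields, rejected_keys) for one parsed event."""
    out, rejected = {}, []
    for key, raw in event.items():
        if raw in ("", None):
            continue
        if key == "subtype":
            out["vendorinfo"] = out["tag1"] = raw.lower()
        elif key in USER_TAGS:
            # ASSUMPTION: users arrive as domain\user; a bare name has no domain.
            domain, _, name = raw.rpartition("\\")
            dom_tag, user_tag = USER_TAGS[key]
            out[user_tag] = name
            if domain:
                out[dom_tag] = domain
        elif key in FIELD_MAP:
            tag, kind = FIELD_MAP[key]
            try:
                out[tag] = (str(ipaddress.ip_address(raw)) if kind == IP
                            else int(raw) if kind == NUM else raw)
            except ValueError:
                rejected.append(key)  # value does not fit the schema data type
        else:
            rejected.append(key)      # key has no mapping in FIELD_MAP
    return SUB_RULES.get(out.get("tag1"), BASE_RULE), out, rejected
# Constructed sample event (not a real log), already split into device keys.
SAMPLE = {"type": "TRAFFIC", "subtype": "deny", "src": "10.1.1.5",
          "dst": "192.0.2.10", "srcuser": "corp\\alice", "sport": "51514",
          "dport": "443", "action": "deny", "bytes_sent": "n/a"}
```

Rejected keys are returned rather than silently dropped so that a malformed or unexpected field in a firewall log is visible to whoever maintains the parsing rule.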