Log Types: PANFirewall
Overview
Palo Alto Networks supplies next-generation firewall technology that delivers visibility and control over applications, users, and content at the organizational network border.
Collection
Palo Alto firewall logs are generally forwarded to the Snare Central server via syslog, using the LEEF 1.0 event format: a syslog header (<PRI>timestamp host), then a LEEF:1.0|Vendor|Product|Version|EventID header, then |-delimited key=value pairs, as the samples below show. Note that the key names differ between PAN-OS syslog integration versions (for example Application, VirtualSystem and NATSrcIP in the 4.0 sample versus App, VirtSyst and srcPostNAT in the 9.0.2 sample); any key not listed in the Fields table is captured in the STRING field.
Sample Events
<123>Aug 10 13:57:29 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow
<123>Aug 10 13:53:41 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow|cat=TRAFFIC|src=10.84.200.253|dst=10.84.68.11|srcPort=33907|dstPort=53|proto=udp|usrName=dmiad\svc.network.paloalto|SerialNumber=007901001419|Type=TRAFFIC|Subtype=end|NATSrcIP=0.0.0.0|NATDstIP=0.0.0.0|RuleName=NtwkMgmt Access to DNI AD|SourceUser=dmiad\svc.network.paloalto|DestinationUser=|Application=dns|VirtualSystem=vsys1|SourceZone=DC_Core_Uplink|DestinationZone=DC_Infra_Prod_Pres|IngressInterface=ae1.250|EgressInterface=ae1.68|LogForwardingProfile=default|SessionID=480551|RepeatCount=1|NATSourcePort=0|NATDestPort=0|Flags=0x19|Bytes=214|Packets=2|ElapsedTime=31|URLCategory={{restricted|government|commercial}}|BytesIn=126|BytesOut=88.|UnknownKey=abc
<14>May 4 13:38:01 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow|cat=TRAFFIC|ReceiveTime=2022/05/04 13:38:00|SerialNumber=016345678901|Type=TRAFFIC|Subtype=start|devTime=$cef-formattedreceive_time|src=10.11.254.207|dst=10.11.228.158|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=VPN-for-BCP01|usrName=|SUser=|DUser=|App=vnc-encrypted|VirtSyst=vsys1|SourceZone=BDN-BCP-VPN-Zone|DestinationZone=trust|IngressInterface=tunnel.30|EgressInterface=ethernet1/7|LogForwardingProfile=BDNDRLogForward|SessionID=963097|RepeatCount=1|srcPort=53222|dstPort=5900|srcPostNATPort=0|dstPostNATPort=0|Flags=0x4000|proto=tcp|totalBytes=223622222|dstBytes=209322222|srcBytes=14242222|totalPackets=525222|StartTime=2022/05/04 13:38:32|ElapsedTime=3922|URLCat=any|sequence=1031222222|ActFlags=0x0|SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=10.0.0.0-10.255.255.255|dstPkt=286222|srcPkt=238222|SessionEndReason=n/a|vSrcName=|DevName=BILBOFW02|ActSource=from-policy|TunnelID=0|TunnelType=N/A|MonitorTag=
Fields
Field | Description / LEEF Source field |
---|---|
DATE | Event date, in the format YYYY-MM-DD |
TIME | Event time, in the format HH:MM:SS |
SYSTEM | The source system |
TABLE | PANFirewall |
VERSION | Product version from the LEEF header (4.0 and 9.0.2 in the sample events) |
ACTION | The action taken by the firewall when this packet was received; this is the event ID field of the LEEF header (allow in the sample events) |
CATEGORY | cat |
TYPE | Type |
SUBTYPE | Subtype |
RULENAME | RuleName |
PROTO | proto |
USRNAME | usrName |
SERIALNUMBER | SerialNumber |
NATSRCIP | NATSrcIP |
NATDSTIP | NATDstIP |
SOURCEUSER | SourceUser |
DESTINATIONUSER | DestinationUser |
APPLICATION | Application |
VIRTUALSYSTEM | VirtualSystem |
SRCADDR | src - Source IP address |
SRCPORT | srcPort - Source port |
DSTADDR | dst - Destination IP address |
DSTPORT | dstPort - Destination port |
SOURCEZONE | SourceZone |
DESTINATIONZONE | DestinationZone |
INGRESSINTERFACE | IngressInterface |
EGRESSINTERFACE | EgressInterface |
LOGFORWARDINGPROFILE | LogForwardingProfile |
SESSIONID | SessionID |
REPEATCOUNT | RepeatCount |
NATSOURCEPORT | NATSourcePort |
NATDESTPORT | NATDestPort |
FLAGS | Flags |
BYTES | Bytes |
PACKETS | Packets |
ELAPSEDTIME | ElapsedTime |
URLCATEGORY | URLCategory |
BYTESIN | BytesIn |
BYTESOUT | BytesOut |
SEVERITY | sev |
STRING | Any other key/value pairs that are not explicitly assigned above, delimited by four (4) spaces. |
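To show how the Collection section and the Fields table fit together, here is an added example parser, written for this page and not Snare's or Palo Alto Networks' own code. It reads the two sample events above, splits the syslog and LEEF headers, maps the key=value pairs onto the table's field names, and places unmapped keys (such as the 9.0.2 names App, VirtSyst and srcPostNAT) into STRING delimited by four spaces. Two details are assumptions of the example rather than documented Snare Central behaviour: DATE/TIME are taken from ReceiveTime when present (it carries the year) and otherwise from the syslog timestamp with a caller-supplied year, and a token without "=" is treated as the continuation of the previous value so that URLCategory={{restricted|government|commercial}} survives the split on "|".

```python
"""Added example: parse PAN-OS LEEF 1.0 syslog events into the Snare PANFirewall
field layout described on this page (not Snare's or Palo Alto's own code)."""
import re
from datetime import datetime

# Snare field -> LEEF key, as in the Fields table. DATE/TIME/SYSTEM/TABLE/VERSION/
# ACTION come from the syslog and LEEF headers rather than from key=value pairs.
FIELD_MAP = {
    "CATEGORY": "cat", "TYPE": "Type", "SUBTYPE": "Subtype", "RULENAME": "RuleName",
    "PROTO": "proto", "USRNAME": "usrName", "SERIALNUMBER": "SerialNumber",
    "NATSRCIP": "NATSrcIP", "NATDSTIP": "NATDstIP", "SOURCEUSER": "SourceUser",
    "DESTINATIONUSER": "DestinationUser", "APPLICATION": "Application",
    "VIRTUALSYSTEM": "VirtualSystem", "SRCADDR": "src", "SRCPORT": "srcPort",
    "DSTADDR": "dst", "DSTPORT": "dstPort", "SOURCEZONE": "SourceZone",
    "DESTINATIONZONE": "DestinationZone", "INGRESSINTERFACE": "IngressInterface",
    "EGRESSINTERFACE": "EgressInterface", "LOGFORWARDINGPROFILE": "LogForwardingProfile",
    "SESSIONID": "SessionID", "REPEATCOUNT": "RepeatCount",
    "NATSOURCEPORT": "NATSourcePort", "NATDESTPORT": "NATDestPort", "FLAGS": "Flags",
    "BYTES": "Bytes", "PACKETS": "Packets", "ELAPSEDTIME": "ElapsedTime",
    "URLCATEGORY": "URLCategory", "BYTESIN": "BytesIn", "BYTESOUT": "BytesOut",
    "SEVERITY": "sev",
}

# Syslog header exactly as the sample events show it: <PRI>Mon DD HH:MM:SS host LEEF:...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>[A-Za-z]{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>LEEF:.*)$"
)


def split_attrs(body):
    """Split the '|'-delimited key=value section into an ordered dict.

    Assumption: a token with no '=' is the continuation of the previous value, so
    URLCategory={{restricted|government|commercial}} survives intact. Only the first
    '=' of a token is split on, so a value containing '=' is kept whole.
    """
    attrs = {}
    last_key = None
    for tok in body.split("|"):
        if "=" in tok:
            key, _, val = tok.partition("=")
            attrs[key] = val
            last_key = key
        elif last_key is not None:
            attrs[last_key] += "|" + tok
    return attrs


def parse_event(line, default_year=None):
    """Return a dict keyed by the Snare PANFirewall field names for one event line."""
    m = SYSLOG_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a <PRI>timestamp host LEEF:... syslog line")
    parts = m.group("msg").split("|", 5)
    if len(parts) < 5 or parts[0] != "LEEF:1.0":
        raise ValueError("unsupported LEEF header: %r" % parts[0])
    _leef, _vendor, _product, version, action = parts[:5]
    # A header-only event (first sample on the page) has no attribute section.
    attrs = split_attrs(parts[5]) if len(parts) == 6 else {}

    # Assumption: DATE/TIME come from the firewall's ReceiveTime when present (it
    # carries the year); otherwise from the syslog timestamp, which has no year,
    # so the caller supplies one (default: the current year).
    if "ReceiveTime" in attrs:
        ts = datetime.strptime(attrs["ReceiveTime"], "%Y/%m/%d %H:%M:%S")
    else:
        year = default_year or datetime.now().year
        ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")

    record = {
        "DATE": ts.strftime("%Y-%m-%d"),
        "TIME": ts.strftime("%H:%M:%S"),
        "SYSTEM": m.group("host"),
        "TABLE": "PANFirewall",
        "VERSION": version,
        "ACTION": action,
    }
    for field, key in FIELD_MAP.items():
        record[field] = attrs.get(key, "")
    # Keys the table does not map (including the 9.0.2 names App, VirtSyst,
    # srcPostNAT, ...) go to STRING as key=value entries delimited by four spaces.
    mapped = set(FIELD_MAP.values())
    record["STRING"] = "    ".join(
        "%s=%s" % (k, v) for k, v in attrs.items() if k not in mapped
    )
    return record


# The two attribute-bearing sample events from this page (4.0 and 9.0.2 formats).
SAMPLE_4_0 = (
    "<123>Aug 10 13:53:41 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow"
    "|cat=TRAFFIC|src=10.84.200.253|dst=10.84.68.11|srcPort=33907|dstPort=53|proto=udp"
    "|usrName=dmiad\\svc.network.paloalto|SerialNumber=007901001419|Type=TRAFFIC|Subtype=end"
    "|NATSrcIP=0.0.0.0|NATDstIP=0.0.0.0|RuleName=NtwkMgmt Access to DNI AD"
    "|SourceUser=dmiad\\svc.network.paloalto|DestinationUser=|Application=dns|VirtualSystem=vsys1"
    "|SourceZone=DC_Core_Uplink|DestinationZone=DC_Infra_Prod_Pres|IngressInterface=ae1.250"
    "|EgressInterface=ae1.68|LogForwardingProfile=default|SessionID=480551|RepeatCount=1"
    "|NATSourcePort=0|NATDestPort=0|Flags=0x19|Bytes=214|Packets=2|ElapsedTime=31"
    "|URLCategory={{restricted|government|commercial}}|BytesIn=126|BytesOut=88.|UnknownKey=abc"
)
SAMPLE_9_0_2 = (
    "<14>May 4 13:38:01 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow"
    "|cat=TRAFFIC|ReceiveTime=2022/05/04 13:38:00|SerialNumber=016345678901|Type=TRAFFIC"
    "|Subtype=start|devTime=$cef-formattedreceive_time|src=10.11.254.207|dst=10.11.228.158"
    "|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=VPN-for-BCP01|usrName=|SUser=|DUser="
    "|App=vnc-encrypted|VirtSyst=vsys1|SourceZone=BDN-BCP-VPN-Zone|DestinationZone=trust"
    "|IngressInterface=tunnel.30|EgressInterface=ethernet1/7|LogForwardingProfile=BDNDRLogForward"
    "|SessionID=963097|RepeatCount=1|srcPort=53222|dstPort=5900|srcPostNATPort=0|dstPostNATPort=0"
    "|Flags=0x4000|proto=tcp|totalBytes=223622222|dstBytes=209322222|srcBytes=14242222"
    "|totalPackets=525222|StartTime=2022/05/04 13:38:32|ElapsedTime=3922|URLCat=any"
    "|sequence=1031222222|ActFlags=0x0|SessionEndReason=n/a|DevName=BILBOFW02|TunnelID=0"
)

if __name__ == "__main__":
    for sample in (SAMPLE_4_0, SAMPLE_9_0_2):
        rec = parse_event(sample, default_year=2021)
        print({k: rec[k] for k in ("DATE", "TIME", "VERSION", "ACTION", "SRCADDR",
                                   "DSTADDR", "DSTPORT", "APPLICATION", "STRING")})
```

Running it shows the practical consequence of the version difference: for the 4.0 event APPLICATION is dns and STRING holds only UnknownKey=abc, while for the 9.0.2 event APPLICATION is empty and App=vnc-encrypted, VirtSyst=vsys1 and the srcPostNAT/dstPostNAT pairs all end up in STRING, so any search or alert keyed on APPLICATION or NATSRCIP must also consider STRING for newer PAN-OS formats.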
Notes
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGsCAK