Log Types: PANFirewall

Overview

Palo Alto Networks supplies next-generation firewall technology that delivers visibility and control over applications, users, and content at the organizational network border.

Collection

Palo Alto firewall logs are generally forwarded to the Snare Central server via syslog and use the LEEF 1.0 event format. In the sample events below, the LEEF attribute key/value pairs are also delimited by the pipe character (|), so a value that itself contains a pipe (for example the bracketed URLCategory list in the second sample) must be reassembled when the event is split.

Sample Events

<123>Aug 10 13:57:29 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow
<123>Aug 10 13:53:41 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow|cat=TRAFFIC|src=10.84.200.253|dst=10.84.68.11|srcPort=33907|dstPort=53|proto=udp|usrName=dmiad\svc.network.paloalto|SerialNumber=007901001419|Type=TRAFFIC|Subtype=end|NATSrcIP=0.0.0.0|NATDstIP=0.0.0.0|RuleName=NtwkMgmt Access to DNI AD|SourceUser=dmiad\svc.network.paloalto|DestinationUser=|Application=dns|VirtualSystem=vsys1|SourceZone=DC_Core_Uplink|DestinationZone=DC_Infra_Prod_Pres|IngressInterface=ae1.250|EgressInterface=ae1.68|LogForwardingProfile=default|SessionID=480551|RepeatCount=1|NATSourcePort=0|NATDestPort=0|Flags=0x19|Bytes=214|Packets=2|ElapsedTime=31|URLCategory={{restricted|government|commercial}}|BytesIn=126|BytesOut=88.|UnknownKey=abc
<14>May 4 13:38:01 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow|cat=TRAFFIC|ReceiveTime=2022/05/04 13:38:00|SerialNumber=016345678901|Type=TRAFFIC|Subtype=start|devTime=$cef-formattedreceive_time|src=10.11.254.207|dst=10.11.228.158|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0|RuleName=VPN-for-BCP01|usrName=|SUser=|DUser=|App=vnc-encrypted|VirtSyst=vsys1|SourceZone=BDN-BCP-VPN-Zone|DestinationZone=trust|IngressInterface=tunnel.30|EgressInterface=ethernet1/7|LogForwardingProfile=BDNDRLogForward|SessionID=963097|RepeatCount=1|srcPort=53222|dstPort=5900|srcPostNATPort=0|dstPostNATPort=0|Flags=0x4000|proto=tcp|totalBytes=223622222|dstBytes=209322222|srcBytes=14242222|totalPackets=525222|StartTime=2022/05/04 13:38:32|ElapsedTime=3922|URLCat=any|sequence=1031222222|ActFlags=0x0|SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=10.0.0.0-10.255.255.255|dstPkt=286222|srcPkt=238222|SessionEndReason=n/a|vSrcName=|DevName=BILBOFW02|ActSource=from-policy|TunnelID=0|TunnelType=N/A|MonitorTag=

Fields

Field                   Description / LEEF Source field

DATE                    Event date, in the format YYYY-MM-DD
TIME                    Event time, in the format HH:MM:SS
SYSTEM                  The source system
TABLE                   PANFirewall
VERSION
ACTION                  The action taken by the firewall when this packet was received
CATEGORY                cat
TYPE                    Type
SUBTYPE                 SubType
RULENAME                RuleName
PROTO                   Protocol
USRNAME                 usrName
SERIALNUMBER            SerialNumber
NATSRCIP                NATSrcIP
NATDSTIP                NATDstIP
SOURCEUSER              SourceUser
DESTINATIONUSER         DestinationUser
APPLICATION             Application
VIRTUALSYSTEM           VirtualSystem
SRCADDR                 src - Source IP address
SRCPORT                 srcPort - Source port
DSTADDR                 dst - Destination IP address
DSTPORT                 dstPort - Destination port
SOURCEZONE              SourceZone
DESTINATIONZONE         DestinationZone
INGRESSINTERFACE        IngressInterface
EGRESSINTERFACE         EgressInterface
LOGFORWARDINGPROFILE    LogForwardingProfile
SESSIONID               SessionID
REPEATCOUNT             RepeatCount
NATSOURCEPORT           NATSourcePort
NATDESTPORT             NATDestPort
FLAGS                   Flags
BYTES                   Bytes
PACKETS                 Packets
ELAPSEDTIME             ElapsedTime
URLCATEGORY             URLCategory
BYTESIN                 BytesIn
BYTESOUT                BytesOut
SEVERITY                sev
STRING                  Any other key/value pairs that are not explicitly assigned above, delimited by four (4) spaces.
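The mapping in the table above, carried through as an added Python example (this is not Snare Central's own collector code): it parses one syslog-wrapped LEEF 1.0 line into the PANFirewall columns. It assumes the pipe-delimited attribute layout seen in the sample events, matches LEEF keys case-insensitively (the 4.0 sample sends Subtype while the table lists SubType), feeds both Protocol and proto into PROTO, takes VERSION from the LEEF header's product-version field (an assumption, since the table leaves that column's source blank), and collects every unassigned pair into STRING with four-space delimiters. The embedded samples are the page's 4.0 event and a trimmed copy of its 9.0.2 event; because BSD syslog timestamps carry no year, the year is a parameter.

```python
import re
from datetime import datetime

# Added example (not Snare Central's collector code): parse syslog-wrapped
# LEEF 1.0 events from PAN-OS into the PANFirewall columns from the Fields table.

# LEEF attribute key -> PANFirewall column, from the Fields table on this page.
# Keys are compared case-insensitively because the 4.0 sample sends "Subtype"
# while the table lists "SubType". Both "Protocol" and "proto" feed PROTO.
FIELD_MAP = {
    "cat": "CATEGORY", "Type": "TYPE", "SubType": "SUBTYPE", "RuleName": "RULENAME",
    "Protocol": "PROTO", "proto": "PROTO", "usrName": "USRNAME",
    "SerialNumber": "SERIALNUMBER", "NATSrcIP": "NATSRCIP", "NATDstIP": "NATDSTIP",
    "SourceUser": "SOURCEUSER", "DestinationUser": "DESTINATIONUSER",
    "Application": "APPLICATION", "VirtualSystem": "VIRTUALSYSTEM",
    "src": "SRCADDR", "srcPort": "SRCPORT", "dst": "DSTADDR", "dstPort": "DSTPORT",
    "SourceZone": "SOURCEZONE", "DestinationZone": "DESTINATIONZONE",
    "IngressInterface": "INGRESSINTERFACE", "EgressInterface": "EGRESSINTERFACE",
    "LogForwardingProfile": "LOGFORWARDINGPROFILE", "SessionID": "SESSIONID",
    "RepeatCount": "REPEATCOUNT", "NATSourcePort": "NATSOURCEPORT",
    "NATDestPort": "NATDESTPORT", "Flags": "FLAGS", "Bytes": "BYTES",
    "Packets": "PACKETS", "ElapsedTime": "ELAPSEDTIME", "URLCategory": "URLCATEGORY",
    "BytesIn": "BYTESIN", "BytesOut": "BYTESOUT", "sev": "SEVERITY",
}
_FIELD_MAP_CI = {k.lower(): v for k, v in FIELD_MAP.items()}

# BSD syslog header as seen in the samples: <PRI>Mon DD HH:MM:SS host LEEF:...
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>LEEF:.*)$"
)


def split_attributes(text):
    """Split 'k=v|k=v|...' into an ordered list of (key, value) pairs.

    The samples use '|' between attributes, so a value that contains '|'
    (URLCategory={{restricted|government|commercial}}) is cut apart by a naive
    split. A piece without '=' cannot start a new attribute, so it is glued
    back onto the preceding value with the '|' restored.
    """
    pairs = []
    for token in text.split("|"):
        if "=" in token:
            key, _, value = token.partition("=")
            pairs.append((key, value))
        elif pairs:
            key, value = pairs[-1]
            pairs[-1] = (key, value + "|" + token)
    return pairs


def parse_event(line, year=None):
    """Return a dict of PANFirewall columns for one syslog-wrapped LEEF 1.0 line.

    BSD syslog timestamps carry no year, so the caller supplies one (default:
    the current year) to build DATE as YYYY-MM-DD.
    """
    m = SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped LEEF line")
    year = year or datetime.now().year
    stamp = datetime.strptime(
        f"{year} {m['mon']} {int(m['day'])} {m['time']}", "%Y %b %d %H:%M:%S"
    )
    # LEEF 1.0 header: LEEF:1.0|Vendor|Product|Version|EventID|attributes
    header = m["msg"].split("|", 5)
    if len(header) < 5 or header[0] != "LEEF:1.0":
        raise ValueError("unsupported LEEF header")
    attributes = header[5] if len(header) == 6 else ""

    record = {
        "DATE": stamp.strftime("%Y-%m-%d"),
        "TIME": stamp.strftime("%H:%M:%S"),
        "SYSTEM": m["host"],
        "TABLE": "PANFirewall",
        # Assumption: VERSION is the LEEF header's product-version field; the
        # page leaves that column's source blank.
        "VERSION": header[3],
        "ACTION": header[4],
    }
    leftovers = []
    for key, value in split_attributes(attributes):
        column = _FIELD_MAP_CI.get(key.lower())
        if column:
            record[column] = value
        else:
            leftovers.append(f"{key}={value}")
    # Unassigned pairs go to STRING, delimited by four spaces as the table says.
    record["STRING"] = "    ".join(leftovers)
    return record


# The page's PAN-OS 4.0 sample event (raw strings keep the backslash in usrName).
SAMPLE_40 = (
    r"<123>Aug 10 13:53:41 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|allow"
    r"|cat=TRAFFIC|src=10.84.200.253|dst=10.84.68.11|srcPort=33907|dstPort=53|proto=udp"
    r"|usrName=dmiad\svc.network.paloalto|SerialNumber=007901001419|Type=TRAFFIC|Subtype=end"
    r"|NATSrcIP=0.0.0.0|NATDstIP=0.0.0.0|RuleName=NtwkMgmt Access to DNI AD"
    r"|SourceUser=dmiad\svc.network.paloalto|DestinationUser=|Application=dns|VirtualSystem=vsys1"
    r"|SourceZone=DC_Core_Uplink|DestinationZone=DC_Infra_Prod_Pres|IngressInterface=ae1.250"
    r"|EgressInterface=ae1.68|LogForwardingProfile=default|SessionID=480551|RepeatCount=1"
    r"|NATSourcePort=0|NATDestPort=0|Flags=0x19|Bytes=214|Packets=2|ElapsedTime=31"
    r"|URLCategory={{restricted|government|commercial}}|BytesIn=126|BytesOut=88.|UnknownKey=abc"
)
# The page's 9.0.2 sample, trimmed to a subset of its attributes for brevity.
SAMPLE_902 = (
    "<14>May 4 13:38:01 bilbo LEEF:1.0|Palo Alto Networks|PAN-OS Syslog Integration|9.0.2|allow"
    "|cat=TRAFFIC|ReceiveTime=2022/05/04 13:38:00|SerialNumber=016345678901|Type=TRAFFIC"
    "|Subtype=start|src=10.11.254.207|dst=10.11.228.158|srcPostNAT=0.0.0.0|dstPostNAT=0.0.0.0"
    "|RuleName=VPN-for-BCP01|usrName=|App=vnc-encrypted|VirtSyst=vsys1|SourceZone=BDN-BCP-VPN-Zone"
    "|DestinationZone=trust|srcPort=53222|dstPort=5900|proto=tcp|totalBytes=223622222"
    "|URLCat=any|DevName=BILBOFW02"
)

if __name__ == "__main__":
    for sample in (SAMPLE_40, SAMPLE_902):
        rec = parse_event(sample, year=2022)
        print(rec["DATE"], rec["TIME"], rec["VERSION"], rec["ACTION"], "STRING:", rec["STRING"])
```

Running it shows the practical difference between the two PAN-OS formats: the 4.0 event maps almost entirely onto named columns and leaves only UnknownKey in STRING, while the 9.0.2 event renames many keys (App, VirtSyst, srcPostNAT, URLCat, and so on) that the table does not list, so those pairs land in STRING rather than in APPLICATION, VIRTUALSYSTEM, NATSRCIP or URLCATEGORY. Any search or alert built on those columns should be checked against the PAN-OS version actually forwarding the logs.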

Notes

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGsCAK
