
PaloAlto

Constructor : PaloAlto

Device : PAN-OS 6.1

Log format : Traffic Logs

Standard Structure of a PaloAlto traffic log :

Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Packets Sent, Packets Received, Session End Reason

+------------------------+------------------------------------------------+
| Constructor field      | LMC field                                      |
+========================+================================================+
| Receive Time           | not used                                       |
+------------------------+------------------------------------------------+
| Serial Number          | not used                                       |
+------------------------+------------------------------------------------+
| Type                   | [type]                                         |
+------------------------+------------------------------------------------+
| Subtype                | [PaloAlto][subtype]                            |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Generated Time         | [obs][ts]                                      |
+------------------------+------------------------------------------------+
| Source IP              | [init][host][ip]                               |
+------------------------+------------------------------------------------+
| Destination IP         | [target][host][ip]                             |
+------------------------+------------------------------------------------+
| NAT Source IP          | [init][host][nat][port]                        |
+------------------------+------------------------------------------------+
| NAT Destination IP     | [target][host][nat][port]                      |
+------------------------+------------------------------------------------+
| Rule Name              | [rule]                                         |
+------------------------+------------------------------------------------+
| Source User            | [init][usr][name]                              |
+------------------------+------------------------------------------------+
| Destination User       | [target][usr][name]                            |
+------------------------+------------------------------------------------+
| Application            | [app][name]                                    |
+------------------------+------------------------------------------------+
| Virtual System         | [PaloAlto][virtual_system]                     |
+------------------------+------------------------------------------------+
| Source Zone            | [PaloAlto][source_zone]                        |
+------------------------+------------------------------------------------+
| Destination Zone       | [PaloAlto][destination_zone]                   |
+------------------------+------------------------------------------------+
| Ingress Interface      | [PaloAlto][ingress_interface]                  |
+------------------------+------------------------------------------------+
| Egress Interface       | [PaloAlto][egress_interface]                   |
+------------------------+------------------------------------------------+
| Log Forwarding Profile | not used                                       |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Session ID             | [session][id]                                  |
+------------------------+------------------------------------------------+
| Repeat Count           | [PaloAlto][repeat_count]                       |
+------------------------+------------------------------------------------+
| Source Port            | [init][host][port]                             |
+------------------------+------------------------------------------------+
| Destination Port       | [target][host][port]                           |
+------------------------+------------------------------------------------+
| NAT Source Port        | [init][host][nat][port]                        |
+------------------------+------------------------------------------------+
| NAT Destination Port   | [target][host][nat][port]                      |
+------------------------+------------------------------------------------+
| Flags                  | not used                                       |
+------------------------+------------------------------------------------+
| Protocol               | [app][proto][name]                             |
+------------------------+------------------------------------------------+
| Action                 | [action]                                       |
+------------------------+------------------------------------------------+
| Bytes                  | not used                                       |
+------------------------+------------------------------------------------+
| Bytes Sent             | [session][out][packet]                         |
+------------------------+------------------------------------------------+
| Bytes Received         | [session][in][byte]                            |
+------------------------+------------------------------------------------+
| Packets                | not used                                       |
+------------------------+------------------------------------------------+
| Start Time             | not used                                       |
+------------------------+------------------------------------------------+
| Elapsed Time           | [session][duration]                            |
+------------------------+------------------------------------------------+
| Category               | [PaloAlto][category]                           |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Sequence Number        | not used                                       |
+------------------------+------------------------------------------------+
| Action Flags           | not used                                       |
+------------------------+------------------------------------------------+
| Source Location        | [init][host][loc][cty_short]                   |
+------------------------+------------------------------------------------+
| Destination Location   | [target][host][loc][cty_short]                 |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Packets Sent           | [session][out][packet]                         |
+------------------------+------------------------------------------------+
| Packets Received       | [session][in][packet]                          |
+------------------------+------------------------------------------------+
| Session End Reason     | [alarm][name]                                  |
+------------------------+------------------------------------------------+

Log format : Threat Logs

Standard Structure of a PaloAlto Threat log :

Receive Time, Serial Number, Type, Subtype, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, Category, Severity, Direction, Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud

+------------------------+------------------------------------------------+
| Constructor field      | LMC field                                      |
+========================+================================================+
| Receive Time           | not used                                       |
+------------------------+------------------------------------------------+
| Serial Number          | not used                                       |
+------------------------+------------------------------------------------+
| Type                   | [type]                                         |
+------------------------+------------------------------------------------+
| Subtype                | [PaloAlto][subtype]                            |
+------------------------+------------------------------------------------+
| Generated Time         | [obs][ts]                                      |
+------------------------+------------------------------------------------+
| Source IP              | [init][host][ip]                               |
+------------------------+------------------------------------------------+
| Destination IP         | [target][host][ip]                             |
+------------------------+------------------------------------------------+
| NAT Source IP          | [init][host][nat][port]                        |
+------------------------+------------------------------------------------+
| NAT Destination IP     | [target][host][nat][port]                      |
+------------------------+------------------------------------------------+
| Rule Name              | [rule]                                         |
+------------------------+------------------------------------------------+
| Source User            | [init][usr][name]                              |
+------------------------+------------------------------------------------+
| Destination User       | [target][usr][name]                            |
+------------------------+------------------------------------------------+
| Application            | [app][name]                                    |
+------------------------+------------------------------------------------+
| Virtual System         | [PaloAlto][virtual_system]                     |
+------------------------+------------------------------------------------+
| Source Zone            | [PaloAlto][source_zone]                        |
+------------------------+------------------------------------------------+
| Destination Zone       | [PaloAlto][destination_zone]                   |
+------------------------+------------------------------------------------+
| Ingress Interface      | [PaloAlto][ingress_interface]                  |
+------------------------+------------------------------------------------+
| Egress Interface       | [PaloAlto][egress_interface]                   |
+------------------------+------------------------------------------------+
| Log Forwarding Profile | not used                                       |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Session ID             | [session][id]                                  |
+------------------------+------------------------------------------------+
| Repeat Count           | [PaloAlto][repeat_count]                       |
+------------------------+------------------------------------------------+
| Source Port            | [init][host][port]                             |
+------------------------+------------------------------------------------+
| Destination Port       | [target][host][port]                           |
+------------------------+------------------------------------------------+
| NAT Source Port        | [init][host][nat][port]                        |
+------------------------+------------------------------------------------+
| NAT Destination Port   | [target][host][nat][port]                      |
+------------------------+------------------------------------------------+
| Flags                  | not used                                       |
+------------------------+------------------------------------------------+
| Protocol               | [app][proto][name]                             |
+------------------------+------------------------------------------------+
| Action                 | [action]                                       |
+------------------------+------------------------------------------------+
| Miscellaneous          | Subtype is URL => [init][uri] or [target][uri] |
|                        | Subtype is File,Virus,WildFire =>              |
|                        | [PaloAlto][file]                               |
+------------------------+------------------------------------------------+
| Threat ID              | [alarm][name]                                  |
+------------------------+------------------------------------------------+
| Category               | [PaloAlto][category]                           |
+------------------------+------------------------------------------------+
| Severity               | [alarm][sev]                                   |
+------------------------+------------------------------------------------+
| Direction              | not used                                       |
+------------------------+------------------------------------------------+
| Sequence Number        | not used                                       |
+------------------------+------------------------------------------------+
| Action Flags           | not used                                       |
+------------------------+------------------------------------------------+
| Source Location        | [init][host][loc][cty_short]                   |
+------------------------+------------------------------------------------+
| Destination Location   | [target][host][loc][cty_short]                 |
+------------------------+------------------------------------------------+
| Content Type           | not used                                       |
+------------------------+------------------------------------------------+
| PCAP ID                | not used                                       |
+------------------------+------------------------------------------------+
| File Digest            | not used                                       |
+------------------------+------------------------------------------------+
| Cloud                  | not used                                       |
+------------------------+------------------------------------------------+
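The traffic and threat mapping tables above can be turned directly into a positional parser. The Python below is an added example, not code from the LMC parser or from Palo Alto Networks. It assumes that the syslog header has already been stripped so the line starts at Receive Time, as in the structures listed above, that fields are comma-separated with double-quote quoting of values that themselves contain commas, and that the URL-subtype Miscellaneous value is stored under [target][uri] (the table allows either [init][uri] or [target][uri]). Both sample lines are constructed. The collisions() check reports LMC fields that the tables as printed assign to more than one source column (the NAT IP and NAT port columns both land on [nat][port], and in the traffic table Bytes Sent shares [session][out][packet] with Packets Sent), so whichever column is applied last overwrites the other; verify those fields against the deployed parser before building detections on them.

```python
import csv
import io
from collections import Counter

# Field order exactly as the page lists it for PAN-OS 6.1 (46 traffic fields, 43 threat fields).
TRAFFIC_FIELDS = (
    "Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Source IP, "
    "Destination IP, NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, "
    "Application, Virtual System, Source Zone, Destination Zone, Ingress Interface, "
    "Egress Interface, Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, "
    "Destination Port, NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Bytes, "
    "Bytes Sent, Bytes Received, Packets, Start Time, Elapsed Time, Category, FUTURE_USE, "
    "Sequence Number, Action Flags, Source Location, Destination Location, FUTURE_USE, "
    "Packets Sent, Packets Received, Session End Reason"
).split(", ")
THREAT_FIELDS = (
    "Receive Time, Serial Number, Type, Subtype, Generated Time, Source IP, Destination IP, "
    "NAT Source IP, NAT Destination IP, Rule Name, Source User, Destination User, Application, "
    "Virtual System, Source Zone, Destination Zone, Ingress Interface, Egress Interface, "
    "Log Forwarding Profile, FUTURE_USE, Session ID, Repeat Count, Source Port, Destination Port, "
    "NAT Source Port, NAT Destination Port, Flags, Protocol, Action, Miscellaneous, Threat ID, "
    "Category, Severity, Direction, Sequence Number, Action Flags, Source Location, "
    "Destination Location, FUTURE_USE, Content Type, PCAP_id, Filedigest, Cloud"
).split(", ")

# Constructor field -> LMC path, copied from the tables as printed ("not used" rows omitted).
COMMON_MAP = {
    "Type": "type", "Subtype": "PaloAlto.subtype", "Generated Time": "obs.ts",
    "Source IP": "init.host.ip", "Destination IP": "target.host.ip",
    "NAT Source IP": "init.host.nat.port", "NAT Destination IP": "target.host.nat.port",
    "Rule Name": "rule", "Source User": "init.usr.name", "Destination User": "target.usr.name",
    "Application": "app.name", "Virtual System": "PaloAlto.virtual_system",
    "Source Zone": "PaloAlto.source_zone", "Destination Zone": "PaloAlto.destination_zone",
    "Ingress Interface": "PaloAlto.ingress_interface", "Egress Interface": "PaloAlto.egress_interface",
    "Session ID": "session.id", "Repeat Count": "PaloAlto.repeat_count",
    "Source Port": "init.host.port", "Destination Port": "target.host.port",
    "NAT Source Port": "init.host.nat.port", "NAT Destination Port": "target.host.nat.port",
    "Protocol": "app.proto.name", "Action": "action", "Category": "PaloAlto.category",
    "Source Location": "init.host.loc.cty_short", "Destination Location": "target.host.loc.cty_short",
}
TRAFFIC_MAP = {**COMMON_MAP, "Bytes Sent": "session.out.packet", "Bytes Received": "session.in.byte",
               "Elapsed Time": "session.duration", "Packets Sent": "session.out.packet",
               "Packets Received": "session.in.packet", "Session End Reason": "alarm.name"}
THREAT_MAP = {**COMMON_MAP, "Threat ID": "alarm.name", "Severity": "alarm.sev"}


def _set_path(event, dotted, value):
    """Store value at a nested path such as 'init.host.ip' inside event."""
    *parents, leaf = dotted.split(".")
    node = event
    for key in parents:
        node = node.setdefault(key, {})
    node[leaf] = value


def parse_fields(line, fields, mapping):
    """Split one log line (syslog header already removed: assumption) and apply a mapping.

    Returns (record, event): record keyed by constructor field name, event laid out as
    nested LMC fields. Empty source values are left unset rather than stored as ''.
    """
    values = next(csv.reader([line]))
    if len(values) != len(fields):
        raise ValueError(f"expected {len(fields)} fields, got {len(values)}")
    record = dict(zip(fields, values))  # repeated FUTURE_USE columns collapse; they are unused
    event = {}
    for field, path in mapping.items():
        if record.get(field, ""):
            _set_path(event, path, record[field])
    return record, event


def parse_traffic(line):
    return parse_fields(line, TRAFFIC_FIELDS, TRAFFIC_MAP)[1]


def parse_threat(line):
    record, event = parse_fields(line, THREAT_FIELDS, THREAT_MAP)
    misc, subtype = record["Miscellaneous"], record["Subtype"].lower()
    if misc and subtype == "url":
        _set_path(event, "target.uri", misc)  # table allows [init][uri] or [target][uri]
    elif misc and subtype in ("file", "virus", "wildfire"):
        _set_path(event, "PaloAlto.file", misc)
    return event


def collisions(mapping):
    """LMC paths that more than one constructor field maps to (the last one written wins)."""
    counts = Counter(mapping.values())
    return {path: sorted(f for f, p in mapping.items() if p == path)
            for path, n in counts.items() if n > 1}


def make_line(fields, values):
    """Build a constructed log line: values keyed by field name, every other field empty."""
    buf = io.StringIO()
    csv.writer(buf).writerow([values.get(f, "") for f in fields])
    return buf.getvalue().rstrip("\r\n")


# Constructed sample lines (not real firewall output); only the fields of interest are populated.
SAMPLE_TRAFFIC = make_line(TRAFFIC_FIELDS, {
    "Type": "TRAFFIC", "Subtype": "end", "Generated Time": "2015/03/10 10:21:05",
    "Source IP": "10.0.0.5", "Destination IP": "198.51.100.20", "Rule Name": "allow-web",
    "Source User": "corp\\alice", "Application": "web-browsing", "Virtual System": "vsys1",
    "Source Zone": "trust", "Destination Zone": "untrust", "Session ID": "12345",
    "Repeat Count": "1", "Source Port": "51234", "Destination Port": "443", "Protocol": "tcp",
    "Action": "allow", "Bytes Sent": "1200", "Bytes Received": "5400", "Elapsed Time": "30",
    "Category": "computer-and-internet-info", "Packets Sent": "10", "Packets Received": "12",
    "Session End Reason": "tcp-fin"})
SAMPLE_THREAT = make_line(THREAT_FIELDS, {
    "Type": "THREAT", "Subtype": "url", "Generated Time": "2015/03/10 10:22:41",
    "Source IP": "10.0.0.5", "Destination IP": "203.0.113.7", "Rule Name": "allow-web",
    "Application": "web-browsing", "Source Port": "51300", "Destination Port": "80",
    "Protocol": "tcp", "Action": "block-url", "Miscellaneous": "example.com/path?a=1,2",
    "Threat ID": "constructed-threat(0)", "Category": "malware", "Severity": "high"})

if __name__ == "__main__":
    print(parse_traffic(SAMPLE_TRAFFIC))
    print(parse_threat(SAMPLE_THREAT))
    print("traffic mapping collisions:", collisions(TRAFFIC_MAP))
```

Running the module prints the two parsed events and the collision report; in the traffic sample, [session][out][packet] ends up holding the Packets Sent value because that column is applied after Bytes Sent.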

Log format : System Logs

Standard Structure of a PaloAlto System log :

Receive Time, Serial Number, Type, Subtype, FUTURE_USE, Generated Time, Virtual System, Event ID, Object, FUTURE_USE, FUTURE_USE, Module, Severity, Description, Sequence Number, Action Flags

+------------------------+------------------------------------------------+
| Constructor field      | LMC field                                      |
+========================+================================================+
| Receive Time           | not used                                       |
+------------------------+------------------------------------------------+
| Serial Number          | not used                                       |
+------------------------+------------------------------------------------+
| Type                   | [type]                                         |
+------------------------+------------------------------------------------+
| Subtype                | [PaloAlto][subtype]                            |
+------------------------+------------------------------------------------+
| FUTURE_USE             | not used                                       |
+------------------------+------------------------------------------------+
| Virtual System         | [PaloAlto][virtual_system]                     |
+------------------------+------------------------------------------------+
| Event ID               | [Alarm][name]                                  |
+------------------------+------------------------------------------------+
| Object                 | [PaloAlto][object]                             |
+------------------------+------------------------------------------------+
| Module                 | [PaloAlto][module]                             |
+------------------------+------------------------------------------------+
| Severity               | [alarm][sev]                                   |
+------------------------+------------------------------------------------+
| Description            | [target][host][ip] if present                  |
|                        | [init][host][ip] if present                    |
|                        | [init][host][port] if present                  |
|                        | [init][uri][url] if present                    |
|                        | [target][host][ip] if present                  |
|                        | [target][host][port] if present                |
+------------------------+------------------------------------------------+
| Sequence Number        | not used                                       |
+------------------------+------------------------------------------------+
| Action Flags           | not used                                       |
+------------------------+------------------------------------------------+

Unit Test List

unit_ntpd.json unit_traffic_drop.json unit_vpn.json unit_general.json unit_threat.json unit_traffic_end.json