PAN-OS Traffic Flow Logs
Network connection and policy enforcement events
Network traffic flow logs from PAN-OS Next-Generation Firewall showing connection details, policy decisions, and session information
Overview
Records all network traffic sessions processed by the PAN-OS firewall, including connection details, policy decisions, data transfer statistics, and session lifecycle events. Essential for network monitoring, security analysis, and compliance reporting.
When Generated:
- A new session is created (subtype start). Start records are written only when the matching rule has Log at Session Start enabled; it is off by default.
- A session ends (subtype end). Log at Session End is enabled by default, and the end record is the one that carries the final byte and packet counters and the session end reason.
- A session is dropped after the application was identified, by a block rule or because no rule allows it (subtype deny).
- A session is dropped before the application was identified and no rule allows it (subtype drop).
The matched policy rule and the identified application are fields on every record rather than separately logged events.
Security Relevance: Critical
Compliance:
Frequency Notes:
Very high frequency during business hours due to active user traffic. Frequency varies based on network size, user activity, and policy configuration. Large enterprises may generate 10,000+ events per hour.
Resources
Documentation
Tools
- PAN-OS CLI: Command-line interface for log analysis and system management
- Panorama: Centralized management and logging platform for PAN-OS devices
- AutoFocus: Threat intelligence and analysis platform with log correlation
Generation Configuration
Field Definitions
Complete field reference for this event type with data types, descriptions, and example values.
| Field Name | Source | Type | Required | Format | Description | Example | Possible Values |
|---|---|---|---|---|---|---|---|
| domain | Static value | Integer | Required | — | Virtual system domain identifier | 1 | — |
| receive_time | current_timestamp() \| format_timestamp('%Y/%m/%d %H:%M:%S') | DateTime | Required | YYYY/MM/DD HH:MM:SS | Log entry reception timestamp | 2024/01/15 14:30:25 | — |
| serial_number | PA-5250-{{ random_int(1000, 9999) }} | String | Required | — | Firewall device serial number | PA-5250-1234 | — |
| log_type | Static value | String | Required | — | Log category type | TRAFFIC | — |
| log_subtype | log_sub_types \| random | String | Required | — | Specific traffic event type | start | start (session initiation); end (session termination); deny (session dropped after the application was identified, by a block rule or because no rule allows it); drop (session dropped before the application was identified and no rule allows it) |
| config_version | random_int(2000, 3000) | Integer | Required | — | Configuration version number | 2048 | — |
| time_generated | current_timestamp() \| format_timestamp('%Y/%m/%d %H:%M:%S') | DateTime | Required | YYYY/MM/DD HH:MM:SS | Event generation timestamp | 2024/01/15 14:30:25 | — |
| source_ip | random_private_ip() | IP Address | Required | — | Source IP address of the connection | 192.168.1.100 | — |
| destination_ip | random_public_ip() | IP Address | Required | — | Destination IP address of the connection | 8.8.8.8 | — |
| nat_source_ip | registry.get_random_device().ip_address with fallback | IP Address | Required | — | NAT-translated source IP address | 10.10.1.50 | — |
| nat_destination_ip | random_public_ip() | IP Address | Required | — | NAT-translated destination IP address | 203.0.113.10 | — |
| rule_name | rule_names \| random | String | Required | — | Security policy rule that matched the traffic | Allow_DNS | Allow_DNS (DNS traffic permission rule); Block_Malicious (malicious traffic blocking rule); Allow_Internal (internal network access rule); Allow_Web (web browsing permission rule); Default_Rule (catch-all default rule) |
| source_user | registry.get_random_user().username with fallback | String | Optional | — | Username associated with the source IP | jsmith | — |
| destination_user | destination_user_names \| random | String | Optional | — | Username associated with the destination | unknown | unknown (user not identified); admin (administrative user); guest (guest user account); external (external user) |
| application | applications \| random | String | Required | — | Identified application or service | dns | — |
| virtual_system | Static value | String | Required | — | Virtual system name | vsys1 | — |
| source_zone | source_zones \| random | String | Required | — | Source security zone | Trust | Trust (trusted internal zone); LAN (local area network zone); Internal (internal network zone); DMZ-In (DMZ ingress zone); VPN (VPN user zone) |
| destination_zone | destination_zones \| random | String | Required | — | Destination security zone | Untrust | Untrust (untrusted external zone); DMZ (demilitarized zone); External (external network zone); Internet (Internet zone); Partner (partner network zone) |
| ingress_interface | ethernet1/{{ random_int(1, 3) }} | String | Required | — | Ingress network interface | ethernet1/1 | — |
| egress_interface | ethernet1/{{ random_int(1, 4) }} | String | Required | — | Egress network interface | ethernet1/2 | — |
| log_action | Static value | String | Required | — | Log forwarding profile applied to the session | LogForward | — |
| session_id | random_int(54320, 54399) | Integer | Required | — | Unique session identifier | 54350 | — |
| repeat_count | Static value | Integer | Required | — | Number of sessions with the same source IP, destination IP, application and subtype seen within 5 seconds | 1 | — |
| source_port | random_port() | Integer | Required | — | Source port number | 54321 | — |
| destination_port | common_ports \| random | Integer | Required | — | Destination port number | 53 | — |
| nat_source_port | random_port() | Integer | Required | — | NAT-translated source port | 55123 | — |
| nat_destination_port | common_ports \| random | Integer | Required | — | NAT-translated destination port | 80 | — |
| flags | {{ random_hex(0, 67108864) }} | String | Required | Hexadecimal | 32-bit bitmask of session attributes (for example NAT applied, SSL decrypted, packet capture taken); these are not TCP header flags | 0x401000 | — |
| protocol | protocols \| random | String | Required | — | IP protocol | tcp | tcp (Transmission Control Protocol); udp (User Datagram Protocol); icmp (Internet Control Message Protocol); esp (Encapsulating Security Payload); gre (Generic Routing Encapsulation) |
| action | actions \| random | String | Required | — | Traffic action taken | allow | allow (traffic permitted); deny (traffic denied); drop (traffic dropped silently); reset-client (reset sent to client); reset-server (reset sent to server); reset-both (reset sent to both endpoints) |
| bytes_sent | random_int(0, 150000) | Integer | Required | — | Total bytes sent from source to destination | 1500 | — |
| bytes_received | random_int(0, 80000) | Integer | Required | — | Total bytes received from destination to source | 800 | — |
| packets_sent | random_int(0, 70000) | Integer | Required | — | Total packets sent from source to destination | 15 | — |
| packets_received | random_int(0, 300) | Integer | Required | — | Total packets received from destination to source | 12 | — |
| session_start_time | current_timestamp() \| format_timestamp('%Y/%m/%d %H:%M:%S') | DateTime | Required | YYYY/MM/DD HH:MM:SS | Session start timestamp | 2024/01/15 14:30:20 | — |
| elapsed_time | random_int(0, 120) | Integer | Required | — | Session duration in seconds | 45 | — |
| category | categories \| random | String | Required | — | URL/Application category | any | — |
| sequence_number | random_int(7892340, 7892399) | Integer | Required | — | Log sequence number | 7892350 | — |
| action_flags | Static value | String | Required | Hexadecimal | Action-specific flags | 0x0 | — |
| source_country | Static value (US) | String | Optional | ISO 3166-1 alpha-2 | Source IP geolocation country code | US | — |
| destination_country | src_countries \| random | String | Optional | ISO 3166-1 alpha-2 | Destination IP geolocation country code | CN | — |
| packets_sent_total | random_int(0, 200) | Integer | Optional | — | Total session packets sent | 25 | — |
| packets_received_total | random_int(0, 150) | Integer | Optional | — | Total session packets received | 20 | — |
| session_end_reason | session_end_reasons \| random | String | Optional | — | Reason for session termination | aged-out | aged-out (session timeout); policy-deny (denied by policy); tcp-fin (TCP FIN received); tcp-rst-from-client (TCP reset from client); tcp-rst-from-server (TCP reset from server); resources-unavailable (system resource exhaustion); unknown (unknown termination reason) |
| source_dag | src_dynamic_addr_groups \| random | String | Optional | — | Source Dynamic Address Group | Corp-Internal | — |
| destination_dag | dst_dynamic_addr_groups \| random | String | Optional | — | Destination Dynamic Address Group | Web-Server | — |
| risk_level | risks \| random | String | Optional | — | Application risk assessment level | low | low (low risk application); medium (medium risk application); high (high risk application); critical (critical risk application); informational (informational only) |
| proxy_traffic | proxy_traffic_values \| random | String | Optional | — | Proxy traffic indicator | NonProxyTraffic | ProxyTraffic (traffic through proxy); NonProxyTraffic (direct traffic) |
| tunnel_type | tunnel_types \| random | String | Optional | — | VPN tunnel type | primary | primary (primary tunnel); secondary (secondary tunnel); backup (backup tunnel) |
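As an added example (not the generator's code and not Palo Alto Networks' code), the following Python parses records laid out in the column order of the table above, decodes the flags bitmask, and runs two starter checks that depend on the start/end/deny/drop semantics described in the overview. Assumptions: records are plain comma-separated values in exactly this table's 49-column order (a real PAN-OS syslog line carries additional FUTURE_USE columns, so map the order to your release's field reference before reusing the parser); the flag bit names are the session-attribute bits from the PAN-OS field reference and should be verified for your release; EXFIL_BYTES is an arbitrary threshold; the four sample lines are constructed for this example.

```python
"""Parse traffic records laid out in the column order of the table above, decode the
flags bitmask and run two starter checks. Added example; sample lines are constructed."""
from collections import defaultdict

# Column order exactly as the table above lists the fields (49 comma-separated values).
FIELDS = ("domain receive_time serial_number log_type log_subtype config_version time_generated "
          "source_ip destination_ip nat_source_ip nat_destination_ip rule_name source_user "
          "destination_user application virtual_system source_zone destination_zone "
          "ingress_interface egress_interface log_action session_id repeat_count source_port "
          "destination_port nat_source_port nat_destination_port flags protocol action "
          "bytes_sent bytes_received packets_sent packets_received session_start_time "
          "elapsed_time category sequence_number action_flags source_country destination_country "
          "packets_sent_total packets_received_total session_end_reason source_dag "
          "destination_dag risk_level proxy_traffic tunnel_type").split()
INT_FIELDS = {"domain", "config_version", "session_id", "repeat_count", "source_port",
              "destination_port", "nat_source_port", "nat_destination_port", "bytes_sent",
              "bytes_received", "packets_sent", "packets_received", "elapsed_time",
              "sequence_number", "packets_sent_total", "packets_received_total"}
SUBTYPES = {"start", "end", "deny", "drop"}
ACTIONS = {"allow", "deny", "drop", "reset-client", "reset-server", "reset-both"}
# Session-attribute bits of the 32-bit flags field per the PAN-OS field reference
# (verify against your release). They are not TCP header flags.
FLAG_BITS = {0x80000000: "pcap", 0x02000000: "ipv6", 0x01000000: "ssl-decrypted",
             0x00800000: "url-filter-denied", 0x00400000: "nat-applied",
             0x00200000: "captive-portal-user", 0x00080000: "x-forwarded-for",
             0x00040000: "proxy-transaction"}
EXFIL_BYTES = 10_000_000  # assumed threshold for the upload check; tune per environment


def decode_flags(hex_value):
    """Name the attribute bits set in flags; bits not in FLAG_BITS are reported, not dropped."""
    value = int(hex_value, 16)
    names = []
    for bit, name in sorted(FLAG_BITS.items(), reverse=True):
        if value & bit:
            names.append(name)
            value &= ~bit
    if value:
        names.append(f"unknown(0x{value:x})")
    return names


def parse_traffic_line(line):
    """Split one line into a typed dict, rejecting malformed lines and unknown enum values."""
    parts = line.strip().split(",")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    rec = dict(zip(FIELDS, parts))
    for name in INT_FIELDS:
        rec[name] = int(rec[name])
    if rec["log_type"] != "TRAFFIC":
        raise ValueError(f"not a TRAFFIC record: {rec['log_type']}")
    if rec["log_subtype"] not in SUBTYPES or rec["action"] not in ACTIONS:
        raise ValueError(f"unknown subtype/action: {rec['log_subtype']}/{rec['action']}")
    rec["flag_names"] = decode_flags(rec["flags"])
    return rec


def allowed_bulk_uploads(records):
    """Session IDs of allowed sessions into Untrust that pushed more than EXFIL_BYTES out.
    Only 'end' records carry the final counters, so 'start' records are skipped on purpose."""
    return [r["session_id"] for r in records
            if r["log_subtype"] == "end" and r["action"] == "allow"
            and r["destination_zone"] == "Untrust" and r["bytes_sent"] > EXFIL_BYTES]


def denied_ports_by_source(records):
    """Destination ports refused per source IP over deny/drop records (a port-scan seed)."""
    ports = defaultdict(set)
    for r in records:
        if r["log_subtype"] in ("deny", "drop"):
            ports[r["source_ip"]].add(r["destination_port"])
    return {src: sorted(p) for src, p in ports.items()}


# Constructed samples: a benign DNS lookup, a 25 MB upload over ssl, then a denied RDP
# attempt and a dropped (never identified) SSH attempt from the same internal host.
SAMPLE_LINES = [
    "1,2024/01/15 14:30:25,PA-5250-1234,TRAFFIC,end,2048,2024/01/15 14:30:25,192.168.1.100,"
    "8.8.8.8,203.0.113.5,8.8.8.8,Allow_DNS,jsmith,unknown,dns,vsys1,Trust,Untrust,ethernet1/1,"
    "ethernet1/2,LogForward,54350,1,54321,53,55123,53,0x400000,udp,allow,120,240,1,1,"
    "2024/01/15 14:30:20,5,any,7892350,0x0,US,US,1,1,aged-out,Corp-Internal,Web-Server,"
    "low,NonProxyTraffic,primary",
    "1,2024/01/15 14:35:02,PA-5250-1234,TRAFFIC,end,2048,2024/01/15 14:35:02,192.168.1.57,"
    "198.51.100.20,203.0.113.5,198.51.100.20,Allow_Web,mlopez,unknown,ssl,vsys1,Trust,Untrust,"
    "ethernet1/1,ethernet1/2,LogForward,54361,1,50111,443,55200,443,0x401000,tcp,allow,25000000,"
    "600000,18000,9000,2024/01/15 14:31:00,242,any,7892361,0x0,US,CN,18000,9000,tcp-fin,"
    "Corp-Internal,Web-Server,medium,NonProxyTraffic,primary",
    "1,2024/01/15 14:36:10,PA-5250-1234,TRAFFIC,deny,2048,2024/01/15 14:36:10,192.168.1.57,"
    "203.0.113.10,203.0.113.5,203.0.113.10,Default_Rule,mlopez,unknown,ms-rdp,vsys1,"
    "Trust,Untrust,ethernet1/1,ethernet1/2,LogForward,54370,1,50122,3389,0,0,0x0,tcp,deny,0,0,0,0,"
    "2024/01/15 14:36:10,0,any,7892370,0x0,US,US,0,0,policy-deny,Corp-Internal,Web-Server,"
    "high,NonProxyTraffic,primary",
    "1,2024/01/15 14:36:12,PA-5250-1234,TRAFFIC,drop,2048,2024/01/15 14:36:12,192.168.1.57,"
    "203.0.113.10,203.0.113.5,203.0.113.10,Default_Rule,mlopez,unknown,incomplete,vsys1,"
    "Trust,Untrust,ethernet1/1,ethernet1/2,LogForward,54371,1,50123,22,0,0,0x0,tcp,drop,0,0,0,0,"
    "2024/01/15 14:36:12,0,any,7892371,0x0,US,US,0,0,policy-deny,Corp-Internal,Web-Server,"
    "high,NonProxyTraffic,primary",
]


def run_checks(lines=SAMPLE_LINES):
    """Parse every line and return both findings plus the decoded flags per session."""
    records = [parse_traffic_line(line) for line in lines]
    return {"bulk_uploads": allowed_bulk_uploads(records),
            "denied_ports": denied_ports_by_source(records),
            "flags": {r["session_id"]: r["flag_names"] for r in records}}
```

Calling run_checks() on the samples returns session 54361 as the only allowed bulk upload, {'192.168.1.57': [22, 3389]} as the refused ports, and decodes the table's example flags value 0x401000 to nat-applied plus an unnamed 0x1000 bit. Reporting unknown bits instead of discarding them is deliberate: the flag layout differs between releases, and a silent decoder would hide that a record carried an attribute the parser does not know about.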