ON THIS PAGE
Creating a Syslog Destination on Your Palo Alto PA Series Device
Forwarding Palo Alto Cortex Data Lake (Next Generation Firewall) LEEF events to JSA
Creating a Forwarding Policy on Your Palo Alto PA Series Device
Creating ArcSight CEF Formatted Syslog Events on Your Palo Alto PA Series Networks Firewall Device
Palo Alto Networks PA Series
Use the JSA DSM for Palo Alto PA Series to collect events from Palo Alto PA Series, Next Generation Firewall logs, and Prisma Access logs, by using Cortex Data Lake.
To send events from Palo Alto PA Series to JSA, complete the following steps:
-
If automatic updates are not enabled, download the most recent version of the following RPMs from the Juniper Downloads.
- DSMCommon RPM
- TLS Syslog Protocol RPM
- Palo Alto PA Series DSM RPM
-
Configure your Palo Alto PA Series device to send events to JSA.
-
If JSA does not automatically detect the Palo Alto PA Series as a log source, add a Palo Alto PA Series log source on the JSA Console.
Palo Alto PA DSM Specifications
The following table identifies the specifications for the Palo Alto PA Series DSM:
Specification |
Value |
|---|---|
Manufacturer |
Palo Alto Networks |
DSM name |
Palo Alto PA Series |
RPM file name |
DSM-PaloAltoPaSeries-JSA_version-build_number.noarch.rpm |
Event format |
LEEF for PAN-OS v3.0 to v9.1, and Prisma Access v2.1 CEF for PAN-OS v4.0 to v6.1. (CEF:0 is supported) |
JSA recorded log types |
Traffic Threat Config System HIP Match Data WildFire Authentication Tunnel Inspection Correlation URL Filtering User-ID SCTP File Data GTP HIP Match IP-Tag Global Protect - Note:
To use this log type, you must enable the EventStatus field in Palo Alto. Decryption |
Automatically discovered? |
Yes |
Includes identity? |
Yes |
Includes custom properties? |
No |
More information |
Creating a Syslog Destination on Your Palo Alto PA Series Device
To send Palo Alto PA Series events to JSA, create a Syslog destination (Syslog or LEEF event format) on your Palo Alto PA Series device.
Palo Alto can send only one format to all Syslog devices. By modifying the Syslog format, any other device that requires Syslog must support that same format.
Log in to the Palo Alto Networks interface.
On the Device tab, click Server Profiles > Syslog, and then click Add.
Create a Syslog destination by following these steps:
In the Syslog Server Profile dialog box, click Add.
Specify the name, server IP address, port, and facility of the JSA system that you want to use as a syslog server.
If you are using Syslog, set the Custom Format column to Default for all log types.
Configure LEEF events by following these steps:
Note:Due to formatting issues, copy the text into a text editor, remove any carriage return or line feed characters, and then paste it into the appropriate field.
-
Click the Config Log Format tab in the Syslog Server Profile dialog.
Click Config, copy the following text and paste it in the Config Log Format column for the Config log type.
-
PAN-OS v3.0 - v6.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$result|x7C|cat=$type| usrName=$admin|src=$host|devTime=$cefformatted- receive_time|client=$client| sequence=$seqno|serial=$serial|msg=$cmd
-
PAN-OS v7.1 - v9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $result|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| devTime=$cef-formatted-receive_time| src=$host|VirtualSystem=$vsys| msg=$cmd|usrName=$admin|client=$client| Result=$result|ConfigurationPath=$path| sequence=$seqno|ActionFlags=$actionflags| BeforeChangeDetail=$before-change-detail| AfterChangeDetail=$after-change-detail| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name
-
Click System, copy one of the following texts applicable to the version you are using and paste it in the System Log Format field for the System log type. If your version is not listed, omit this step.
-
PAN-OS v3.0 - v6.1--
LEEF:2.0|Palo Alto Networks|PANOS Syslog Integration|4.0|$eventid|x7C| cat=$type|Subtype=$subtype|devTime=$cefformatted- receive_time|sev=$severity| Severity=$number-of-severity|msg=$opaque| Filename=$object
-
PAN-OS v7.1 - v9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $eventid|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| Subtype=$subtype|devTime=$cef-formattedreceive_ time|VirtualSystem=$vsys| Filename=$object|Module=$module| sev=$number-of-severity| Severity=$severity|msg=$opaque| sequence=$seqno|ActionFlags=$actionflags| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name
-
Click Threat, copy one of the following texts applicable to the version you are using, paste it in the Threat Log Format filed for the Threat log type. If your version is not listed, omit this step.
-
PAN-OS v3.0 - v6.1--
LEEF:2.0|Palo Alto Networks| PAN-OS Syslog Integration|4.0| $threatid|x7C|cat=$type|Subtype=$subtype| src=$src|dst=$dst|srcPort=$sport| dstPort=$dport|proto=$proto| usrName=$srcuser|SerialNumber=$serial| srcPostNAT=$natsrc|dstPostNAT=$natdst| RuleName=$rule|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app|VirtualSystem=$vsys| SourceZone=$fromDestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt| srcPostNATPort=$natsport| dstPostNATPort=$natdport| Flags=$flags|URLCategory=$category| sev=$severity|Severity=$numberof- severity|Direction=$direction| ContentType=$contenttype|action=$action| Miscellaneous=$misc
-
PAN-OS v7.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $threatid|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| Subtype=$subtype|devTime=$cefformatted- receive_time|src=$src| dst=$dst|srcPostNAT=$natsrc| dstPostNAT=$natdst|RuleName=$rule| usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app|VirtualSystem=$vsys| SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport| dstPostNATPort=$natdport|Flags=$flags| proto=$proto|action=$action| Miscellaneous=$misc|ThreatID=$threatid| URLCategory=$category|sev=$numberof- severity|Severity=$severity| Direction=$direction|sequence=$seqno| ActionFlags=$actionflags| SourceLocation=$srcloc| DestinationLocation=$dstloc| ContentType=$contenttype| PCAP_ID=$pcap_id|FileDigest=$filedigest| Cloud=$cloud|URLIndex=$url_idx| UserAgent=$user_agent|FileType=$filetype| identSrc=$xff|Referer=$referer| Sender=$sender|Subject=$subject| Recipient=$recipient|ReportID=$reportid| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name
-
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $threatid|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| Subtype=$subtype|devTime=$cefformatted- receive_time|src=$src| dst=$dst|srcPostNAT=$natsrc| dstPostNAT=$natdst|RuleName=$rule| usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app|VirtualSystem=$vsys| SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport| dstPostNATPort=$natdport|Flags=$flags| proto=$proto|action=$action| Miscellaneous=$misc|ThreatID=$threatid| URLCategory=$category|sev=$numberof- severity|Severity=$severity| Direction=$direction|sequence=$seqno| ActionFlags=$actionflags| SourceLocation=$srcloc| DestinationLocation=$dstloc| ContentType=$contenttype| PCAP_ID=$pcap_id|FileDigest=$filedigest| Cloud=$cloud|URLIndex=$url_idx| RequestMethod=$http_method| Subject=$subject| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name| SrcUUID=$src_uuid|DstUUID=$dst_uuid| TunnelID=$tunnelid|MonitorTag=$monitortag| ParentSessionID=$parent_session_id| ParentStartTime=$parent_start_time| TunnelType=$tunnel| ThreatCategory=$thr_category| ContentVer=$contentver
-
Click Traffic, copy one of the following texts applicable to the version you are using and paste it in the Traffic Log Format field for the Traffic log type. If your version is not listed, omit this step.
-
PAN-OS v3.0 - v6.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|4.0|$action|x7C|cat=$type| src=$src|dst=$dst|srcPort=$sport| dstPort=$dport|proto=$proto| usrName=$srcuser| SerialNumber=$serial| Type=$type|Subtype=$subtype| srcPostNAT=$natsrc|dstPostNAT=$natdst| RuleName=$rule|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app| VirtualSystem=$vsys| SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt| srcPostNATPort=$natsport| dstPostNATPort=$natdport|Flags=$flags| totalBytes=$bytes|totalPackets=$packets| ElapsedTime=$elapsed| URLCategory=$category| dstBytes=$bytes_received| srcBytes=$bytes_sent|action=$action
-
PAN-OS v7.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action| x7C|cat=$type|ReceiveTime=$receive_time| SerialNumber=$serial|Type=$type| Subtype=$subtype|devTime=$cefformatted- receive_time|src=$src| dst=$dst|srcPostNAT=$natsrc| dstPostNAT=$natdst|RuleName=$rule| usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app|VirtualSystem=$vsys| SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport| dstPostNATPort=$natdport| Flags=$flags|proto=$proto| action=$action|totalBytes=$bytes| dstBytes=$bytes_received| srcBytes=$bytes_sent| totalPackets=$packets| StartTime=$start|ElapsedTime=$elapsed| URLCategory=$category|sequence=$seqno| ActionFlags=$actionflags| SourceLocation=$srcloc| DestinationLocation=$dstloc| dstPackets=$pkts_received| srcPackets=$pkts_sent| SessionEndReason=$session_end_reason| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name| ActionSource=$action_source
-
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action| x7C|cat=$type|ReceiveTime=$receive_time| SerialNumber=$serial|Type=$type| Subtype=$subtype|devTime=$cefformatted- receive_time|src=$src| dst=$dst|srcPostNAT=$natsrc| dstPostNAT=$natdst|RuleName=$rule| usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser| Application=$app|VirtualSystem=$vsys| SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if| EgressInterface=$outbound_if| LogForwardingProfile=$logset| SessionID=$sessionid| RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport| dstPostNATPort=$natdport| Flags=$flags|proto=$proto| action=$action|totalBytes=$bytes| dstBytes=$bytes_received| srcBytes=$bytes_sent| totalPackets=$packets| StartTime=$start|ElapsedTime=$elapsed| URLCategory=$category|sequence=$seqno| ActionFlags=$actionflags| SourceLocation=$srcloc| DestinationLocation=$dstloc| dstPackets=$pkts_received| srcPackets=$pkts_sent| SessionEndReason=$session_end_reason| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name| ActionSource=$action_source| SrcUUID=$src_uuid|DstUUID=$dst_uuid| TunnelID=$tunnelid|MonitorTag=$monitortag| ParentSessionID=$parent_session_id| ParentStartTime=$parent_start_time| TunnelType=$tunnel
-
If you are using versions other than PAN-OS 3.0 - 6.1, click HIP Match, copy one of the following texts applicable to the version you are using, and paste it in the HIP Match Log Format field for the HIP Match log type.
-
PAN-OS v7.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $matchname|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| Subtype=$subtype|devTime=$cefformatted- receive_time| usrName=$srcuser|VirtualSystem=$vsys| identHostName=$machinename|OS=$os| identSrc=$src|HIP=$matchname| RepeatCount=$repeatcnt|HIPType=$matchtype| sequence=$seqno|ActionFlags=$actionflags| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name
-
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $matchname|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type| Subtype=$subtype|devTime=$cefformatted- receive_time| usrName=$srcuser|VirtualSystem=$vsys| identHostName=$machinename|OS=$os| identsrc=$src|HIP=$matchname| RepeatCount=$repeatcnt|HIPType=$matchtype| sequence=$seqno|ActionFlags=$actionflags| DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name| DeviceName=$device_name| VirtualSystemID=$vsys_id|srcipv6=$srcipv6| startTime=$cef-formatted-time_generated
-
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the URL Filtering log type.
PAN-OS v8.0 - 9.1-
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration| $sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial| cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst| srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from| DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if| LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags| proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category| sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno| ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc| ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest|Cloud=$cloud| URLIndex=$url_idx|RequestMethod=$http_method|UserAgent=$user_agent|identSrc=$xff| Referer=$referer|Subject=$subject|DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name| SrcUUID=$src_uuid|DstUUID=$dst_uuid|TunnelID=$tunnelid|MonitorTag=$monitortag| ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel| ThreatCategory=$thr_category|ContentVer=$contentver
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Data log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration| $sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial| cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst| srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from| DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if| LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags| proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category| sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno| ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc| ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest| Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|Subject=$subject| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid| TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id| ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category| ContentVer=$contentver
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Wildfire log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration| $sender_sw_version|$threatid|x7C|ReceiveTime=$receive_time|SerialNumber=$serial| cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst| srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from| DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if| LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt|srcPort=$sport| dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport|Flags=$flags| proto=$proto|action=$action|Miscellaneous=$misc|ThreatID=$threatid|URLCategory=$category| sev=$number-of-severity|Severity=$severity|Direction=$direction|sequence=$seqno| ActionFlags=$actionflags|SourceLocation=$srcloc|DestinationLocation=$dstloc| ContentType=$contenttype|PCAP_ID=$pcap_id|FileDigest=$filedigest| Cloud=$cloud|URLIndex=$url_idx|RequestMethod=$http_method|FileType=$filetype| Sender=$sender|Subject=$subject|Recipient=$recipient|ReportID=$reportid| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|SrcUUID=$src_uuid|DstUUID=$dst_uuid| TunnelID=$tunnelid|MonitorTag=$monitortag|ParentSessionID=$parent_session_id| ParentStartTime=$parent_start_time|TunnelType=$tunnel|ThreatCategory=$thr_category| ContentVer=$contentver
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Authentication log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$event|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time| ServerProfile=$serverprofile|LogForwardingProfile=$logset|VirtualSystem=$vsys| AuthPolicy=$authpolicy|ClientType=$clienttype|NormalizeUser=$normalize_user| ObjectName=$object|FactorNumber=$factorno|AuthenticationID=$authid|src=$ip| RepeatCount=$repeatcnt|usrName=$user|Vendor=$vendor|msg=$event|sequence=$seqno| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|AdditionalAuthInfo=$desc| ActionFlags=$actionflags
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the User-ID log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$subtype|x7C|ReceiveTime=$receive_time| SerialNumber=$serial|cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time| FactorType=$factortype|VirtualSystem=$vsys|DataSourceName=$datasourcename| DataSource=$datasource|DataSourceType=$datasourcetype|FactorNumber=$factorno| VirtualSystemID=$vsys_id|TimeoutThreshold=$timeout|src=$ip|srcPort=$beginport| dstPort=$endport|RepeatCount=$repeatcnt|usrName=$user|sequence=$seqno|EventID=$eventid| FactorCompletionTime=$factorcompletiontime|DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name| ActionFlags=$actionflags
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Tunnel Inspection log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action|x7C|ReceiveTime=$receive_time|SerialNumber=$serial| cat=$type|Subtype=$subtype|devTime=$cef-formatted-receive_time|src=$src|dst=$dst| srcPostNAT=$natsrc|dstPostNAT=$natdst|RuleName=$rule|usrName=$srcuser|SourceUser=$srcuser| DestinationUser=$dstuser|Application=$app|VirtualSystem=$vsys|SourceZone=$from| DestinationZone=$to|IngressInterface=$inbound_if|EgressInterface=$outbound_if| LogForwardingProfile=$logset|SessionID=$sessionid|RepeatCount=$repeatcnt| srcPort=$sport|dstPort=$dport|srcPostNATPort=$natsport|dstPostNATPort=$natdport| Flags=$flags|proto=$proto|action=$action|sequence=$seqno|ActionFlags=$actionflags| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|TunnelID=$tunnelid|MonitorTag=$monitortag| ParentSessionID=$parent_session_id|ParentStartTime=$parent_start_time|TunnelType=$tunnel| totalBytes=$bytes|dstBytes=$bytes_received|srcBytes=$bytes_sent|totalPackets=$packets| dstPackets=$pkts_received|srcPackets=$pkts_sent|MaximumEncapsulation=$max_encap| UnknownProtocol=$unknown_proto|StrictChecking=$strict_check| TunnelFragment=$tunnel_fragment|SessionsCreated=$sessions_created| SessionsClosed=$sessions_closed|SessionEndReason=$session_end_reason| ActionSource=$action_source|startTime=$start|ElapsedTime=$elapsed
-
If you are using PAN-OS 8.0 - 9.1, copy the following text and paste it in the Custom Format column for the Correlation log type.
PAN-OS v8.0 - 9.1--
LEEF:2.0|Palo Alto Networks|PANOS Syslog Integration|8.0|$category|ReceiveTime=$receive_time| x7C|SerialNumber=$serial|cat=$type|devTime=$cef-formatted-receive_time|startTime=$cefformatted- time_generated|Severity=$severity|VirtualSystem=$vsys|VirtualSystemID=$vsys_id| src=$src|SourceUser=$srcuser|msg=$evidence|DeviceGroupHierarchyL1=$dg_hier_level_1| DeviceGroupHierarchyL2=$dg_hier_level_2|DeviceGroupHierarchyL3=$dg_hier_level_3| DeviceGroupHierarchyL4=$dg_hier_level_4|vSrcName=$vsys_name|DeviceName=$device_name| ObjectName=$object_name|ObjectID=$object_id
-
If you are using PAN-OS 8.1 - 9.1, copy the following text, and paste it in the Custom Format column for the SCTP log type.
PAN-OS v8.1 - 9.1
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version|$action| x7C|ReceiveTime=$receive_time|SerialNumber=$serial|cat=$type|genTime=$time_generated| src=$src|dst=$dst|VirtualSystem=$vsys|SourceZone=$from|DestinationZone=$to| IngressInterface=$inbound_if|EgressInterface=$outbound_if|SessionID=$sessionid| RepeatCount=$repeatcnt|srcPort=$sport|dstPort=$dport|proto=$proto|action=$action| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vsysName=$vsys_name|DeviceName=$device_name|sequence=$seqno|AssocID=$assoc_id| PayloadProtoID=$ppid|sev=$num_of_severity|SCTPChunkType=$sctp_chunk_type| SCTPVerTag1=$verif_tag_1|SCTPVerTag2=$verif_tag_2|SCTPCauseCode=$sctp_cause_code| DiamAppID=$diam_app_id|DiamCmdCode=$diam_cmd_code|DiamAVPCode=$diam_avp_code| SCTPStreamID=$stream_id|SCTPAssEndReason=$assoc_end_reason|OpCode=$op_code| CPSSN=$sccp_calling_ssn|CPGlobalTitle=$sccp_calling_gt|SCTPFilter=$sctp_filter| SCTPChunks=$chunks|SrcSCTPChunks=$chunks_sent|DstSCTPChunks=$chunks_received| Packets=$packets|srcPackets=$pkts_sent|dstPackets=$pkts_received
-
If you are using PAN-OS 9.x, copy the following text, and paste it in the Custom Format column for the IPTag log type.
LEEF:2.0|Palo Alto Networks|PAN-OS Syslog Integration|$sender_sw_version| $event_id|x7C|cat=$type|devTime=$cef-formatted-receive_time|ReceiveTime=$receive_time| SerialNumber=$serial|Subtype=$subtype|GenerateTime=$time_generated| VirtualSystem=$vsys|src=$ip|TagName=$tag_name|EventID=$eventid|RepeatCount=$repeatcnt| TimeoutThreshold=$timeout|DataSourceName=$datasourcename|DataSource=$datasource_type| DataSourceType=$datasource_subtype|sequence=$seqno|ActionFlags=$actionflags| DeviceGroupHierarchyL1=$dg_hier_level_1|DeviceGroupHierarchyL2=$dg_hier_level_2| DeviceGroupHierarchyL3=$dg_hier_level_3|DeviceGroupHierarchyL4=$dg_hier_level_4| vSrcName=$vsys_name|DeviceName=$device_name|VirtualSystemID=$vsys_id
-
Click OK.
To specify the severity of events that are contained in the Syslog messages, click Log Setting.
For each severity that you want to include in the Syslog message, click the Severity name and select the Syslog destination from the Syslog menu.
Click OK.
Click Commit.
To allow communication between your Palo Alto Networks device and JSA, create a forwarding policy. See Creating a forwarding policy on your Palo Alto PA Series device.
Forwarding Palo Alto Cortex Data Lake (Next Generation Firewall) LEEF events to JSA
To send Palo Alto Cortex Data Lake events to JSA, you must add a TLS Syslog log source in JSA and configure Cortex Data Lake to forward logs to a syslog server.
-
Add a log source in JSA by using the TLS Syslog protocol. For more information, see TLS Syslog log source parameters for Palo Alto PA Series.
-
Forward logs from Cortex Data Lake to JSA. For more information, see your Palo Alto documentation.
-
When forwarding logs from Cortex Data Lake, choose the LEEF log format.
-
You must enable the cat and EventStatus fields in Palo Alto. The EventStatus field is required to parse Global Protect events in JSA.
Creating a Forwarding Policy on Your Palo Alto PA Series Device
If your JSA Console or Event Collector is in a different security zone than your Palo Alto PA Series device, create a forwarding policy rule.
Log in to Palo Alto Networks.
On the dashboard, click the Policies tab.
Click Policies > Policy Based Forwarding.
Click Add.
Configure the parameters. For descriptions of the policy-based forwarding values, see your Palo Alto Networks Administrator’s Guide.
Creating ArcSight CEF Formatted Syslog Events on Your Palo Alto PA Series Networks Firewall Device
Configure your Palo Alto Networks firewall to send ArcSight CEF formatted Syslog events to JSA.
Log in to the Palo Alto Networks interface.
Click the Device tab.
Select Server Profiles >Syslog, and then click Add.
On the Servers tab, click Add.
Specify the name, server IP address, port, and facility of the JSA system that you want to use as a Syslog server:
The Name is the Syslog server name.
The Syslog Server is the IP address for the Syslog server.
The Transport/Port default is 514.
The Faculty default is LOG_USER.
To select any of the listed log types that define a custom format, based on the ArcSight CEF for that log type, complete the following steps:
Click the Custom Log Format tab and select any of the listed log types to define a custom format based on the ArcSight CEF for that log type. The listed log types are Config, System, Threat, Traffic, and HIP Match.
Click OK twice to save your entries, then click Commit.
To define your own CEF-style formats that use the event mapping table that is provided in the ArcSight document, Implementing ArcSight CEF, you can use the following information about defining CEF style formats:
The Custom Log Format tab supports escaping any characters that are defined in the CEF as special characters. For example, to use a backslash to escape the backslash and equal characters, enable the Escaping check box, specify \=as the Escaped Characters and \as the Escape Character.
The following list displays the CEF-style format that was used during the certification process for each log type. These custom formats include all of the fields, in a similar order, that the default format of the Syslogs display.
Note:Due to PDF formatting, do not copy and paste the message formats directly into the PAN-OS web interface. Instead, paste into a text editor, remove any carriage return or line feed characters, and then copy and paste into the web interface.
-
Traffic--
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action flexNumber1Label=Total bytes flexNumber1=$bytes in=$bytes_sent out=$bytes_received cn2Label=Packets cn2=$packets PanOSPacketsReceived=$pkts_received PanOSPacketsSent=$pkts_sent start=$cef-formattedtime_ generated cn3Label=Elapsed time in seconds cn3=$elapsed cs2Label=URL Category cs2=$category externalId=$seqno
-
Threat--
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cefformatted- receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action request=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype cat=$threatid filePath=$cloud fileId=$pcap_id fileHash=$filedigest
-
Config--
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$result|$type|1|rt=$cef-formatted-receive_time deviceExternalId=$serial dvchost=$host cs3Label=Virtual System cs3=$vsys act=$cmd duser=$admin destinationServiceName=$client msg=$path externalId=$seqno
-
-
Optional:--
cs1Label=Before Change Detail cs1=$before-change-detail cs2Label=After Change Detail cs2=$after-change-detail
-
-
System--
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$subtype|$type|$number-of-severity|rt=$cefformatted- receive_time deviceExternalId=$serial cs3Label=Virtual System cs3=$vsys fname=$object flexString2Label=Module flexString2=$module msg=$opaque externalId=$seqno cat=$eventid
-
HIP Match--
CEF:0|Palo Alto Networks|PAN-OS|6.0.0|$matchtype|$type|1|rt=$cef-formattedreceive_ time deviceExternalId=$serial suser=$srcuser cs3Label=Virtual System cs3=$vsys shost=$machinename src=$src cnt=$repeatcnt externalId=$seqno cat=$matchname cs2Label=Operating System cs2=$os
-
For more information about Syslog configuration, see the PAN-OS Administrator's Guide on the Palo Alto Networks website (https://www.paloaltonetworks.com).
TLS Syslog log source parameters for Palo Alto PA Series
If JSA does not automatically detect the log source, add a Palo Alto PA Series log source on the JSA Console by using the TLS Syslog protocol.
When you use the TLS Syslog protocol, there are specific parameters that you must configure.
The following table describes the parameters that require specific values to collect TLS Syslog events from Palo Alto PA Series:
|
Parameter |
Value |
|---|---|
|
Log Source type |
Palo Alto PA Series |
|
Protocol Configuration |
TLS Syslog |
|
Log Source Identifier |
An IP address or hostname to identify the log source. |
For a complete list of TLS Syslog protocol parameters and their values, see TLS Syslog Protocol Configuration Options.
Palo Alto PA Series Sample Event Message
Use these sample event messages as a way of verifying a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Palo Alto PA Series sample message when you use the Syslog protocol
Sample 1: The following sample event message shows PAN-OS events for a trojan threat event.
<180>May 6 16:43:53 paloalto.paseries.test LEEF:1.0| Palo Alto Networks|PAN-OS Syslog Integration|8.1.6|trojan/ PDF.gen.eiez(268198686)|ReceiveTime=2019/05/06 16:43:53|SerialNumber=001801010877|cat=THREAT| Subtype=virus|devTime=May 06 2019 11:13:53 GMT|src=10.2.75.41|dst=192.168.178.180| srcPostNAT=192.168.68.141|dstPostNAT=192.168.178.180|RuleName=Test-1|usrName=qradar\\user1| SourceUser=qradar\\user1|DestinationUser=|Application=web-browsing|VirtualSystem=vsys1| SourceZone=INSIDE-ZN|DestinationZone=OUTSIDE-ZN|IngressInterface=ethernet1/1| EgressInterface=ethernet1/3|LogForwardingProfile=testForwarder|SessionID=3012|RepeatCount=1| srcPort=63508|dstPort=80|srcPostNATPort=31539|dstPostNATPort=80|Flags=0x406000|proto=tcp| action=alert|Miscellaneous=\"qradar.example.test/du/uploads/08052018_UG_FAQ.pdf\"| ThreatID=trojan/PDF.gen.eiez(268198686)|URLCategory=educational-institutions|sev=3| Severity=medium|Direction=server-to-client|sequence=486021038|ActionFlags=0xa000000000000000| SourceLocation=10.0.0.0-10.255.255.255|DestinationLocation=testPlace|ContentType=| PCAP_ID=0|FileDigest=|Cloud=|URLIndex=5|RequestMethod=|Subject=|DeviceGroupHierarchyL1=12| DeviceGroupHierarchyL2=0|DeviceGroupHierarchyL3=0|DeviceGroupHierarchyL4=0|vSrcName=| DeviceName=testName|SrcUUID=|DstUUID=|TunnelID=0|MonitorTag=|ParentSessionID=0|ParentStartTime=| TunnelType=N/A|ThreatCategory=pdf|ContentVer=Antivirus-2969-3479
|
JSA field name |
Highlighted payload fields |
|---|---|
|
Event ID |
The Event ID value is 268198686. Note:
Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype, and action might be used to form a unique event ID. |
|
Category |
PA Series Threat Note:
The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
|
Device Time |
devTime |
|
Source IP |
src |
|
Destination IP |
dst |
|
Source Port |
srcPort |
|
Destination Port |
dstPort |
|
Post NAT Source IP |
srcPostNAT |
|
Post NAT Destination IP |
dstPostNAT |
|
Post NAT Soure Port |
srcPostNATPort |
|
Post NAT Destination Port |
dstPostNATPort |
|
Protocol |
proto |
Sample 2: The following sample event message shows a Prisma event where a session is allowed by a policy.
<14>1 2021-10-26T13:56:21.887Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Prisma Access|2.1|allow| | TimeReceived=2021-10-26T13:56:20.000000Z DeviceSN=no-serial cat=traffic SubType=start ConfigVersion=10.0 devTime=2021-10-26T13:56:17.000000Z src=192.168.21.100 dst=172.16.0.3 srcPostNAT=172.16.0.4 dstPostNAT=172.16.0.5 Rule=CG-RN-Guest-to-Internet usrName= DestinationUser= Application=web-browsing VirtualLocation=vsys1 FromZone=FromZone ToZone=untrust InboundInterface=tunnel.101 OutboundInterface=ethernet1/1 LogSetting=to- Cortex-Data-Lake SessionID=49934 RepeatCount=1 srcPort=59532 dstPort=80 sr=49718 dstPostNATPort=80 proto=tcp Bytes=374 srcBytes=300 dstBytes=74 totalPackets=4 SessionStartTime=2021-10-26T13:56:15.000000Z SessionDuration=0 URLCategory=any SequenceNo=13336648 SourceLocation=192.168.0.0-192.168.255.255 DestinationLocation=CA srcPackets=3 dstPackets=1 SessionEndReason=na DGHierarchyLevel1=62 DGHierarchyLevel2=38 DGHierarchyLevel3=53 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=DeviceName ActionSource=frompolicy SourceUUID= DestinationUUID= IMSI=0 IMEI= ParentSessionID=0 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=N/A EndpointAssociationID=0 ChunksTotal=0 ChunksSent=0 ChunksReceived=0 RuleUUID=00000000-0000-0000-0000-000000000000 HTTP2Connection=0 LinkChangeCount=0 SDWANPolicyName= LinkSwitches= SDWANCluster= SDWANDeviceType= SDWANClusterType= SDWANSite= DynamicUserGroupName= XForwarded- ForIP= SourceDeviceCategory= SourceDeviceProfile= SourceDeviceModel= SourceDeviceVendor= SourceDeviceOSFamily= SourceDeviceOSVersion= SourceDeviceHost= SourceDeviceMac= DestinationDeviceCategory= DestinationDeviceProfile= DestinationDeviceModel= DestinationDeviceVendor= DestinationDeviceOSFamily= DestinationDeviceOSVersion= DestinationDeviceHost= DestinationDeviceMac= ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= GPHostID= EndpointSerialNumber= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= HASessionOwner= TimeGeneratedHighResolution=2021-10-26T13:56:17.911000Z NSSAINetworkSliceType= NSSAINetworkSliceDifferentiator= devTimeFormat=YYYY-MM-DD'T'HH:mm:ss.SSSZ
|
JSA field name |
Highlighted payload fields |
|---|---|
|
Event ID |
The Event ID value is allow. |
|
Event Category |
PA Series Traffic Note:
The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
|
Device Time |
devTime |
|
Source IP |
src |
|
Destination IP |
dst |
|
Source Port |
srcPort |
|
Destination Port |
dstPort |
|
Post NAT Source IP |
srcPostNAT |
|
Post NAT Destination IP |
dstPostNAT |
|
Post NAT Soure Port |
sr |
|
Post NAT Destination Port |
dstPostNATPort |
|
Protocol |
proto |
Palo Alto PA Series sample message when you use the TLS Syslog protocol
The following sample event message shows Next Generation Firewall events for version 10.1.
<14>1 2021-08-09T14:00:26.364Z paloalto.paseries.test logforwarder - panwlogs - LEEF:2.0|Palo Alto Networks|Next Generation Firewall|10.1|drop-all| | TimeReceived=2021-08-09T14:00:25.000000Z DeviceSN=001011000011111 cat=gtp SubType=end ConfigVersion=10.1 devTime=2021-08-09T14:00:22.000000Z src=fc00:0:e426:5678:b202:b3ff:fe1e:8329 dst=fc00:5678:90aa:cc33:f202:b3ff:fe1e:8329 srcPostNAT=10.5.5.5 dstPostNAT=192.168.178.180 Rule=allow-all-employees usrName=paloaltonetwork\testUser DestinationUser=paloaltonetwork\tUser Application=adobe-cq VirtualLocation=aaaa1 FromZone=corporate ToZone=corporate InboundInterface=ethernet1/1 OutboundInterface=ethernet1/3 LogSetting=rs-logging SessionID=1111111 RepeatCount=1 srcPort=10273 dstPort=27624 srcPostNATPort=26615 dstPostNATPort=6501 proto=tcp TunnelEventType=51 MobileSubscriberISDN= AccessPointName= RadioAccessTechnology=11 TunnelMessageType=0 MobileIP= TunnelEndpointID1=0 TunnelEndpointID2=0 TunnelInterface=0 TunnelCauseCode=0 VendorSeverity=Unused MobileCountryCode=0 MobileNetworkCode=0 MobileAreaCode=0 MobileBaseStationCode=0 TunnelEventCode=0 SequenceNo=1111111111111111111 SourceLocation=NB DestinationLocation=saint john DGHierarchyLevel1=12 DGHierarchyLevel2=0 DGHierarchyLevel3=0 DGHierarchyLevel4=0 VirtualSystemName= DeviceName=PA-VM IMSI=28 IMEI=datacenter ParentSessionID=1111111 ParentStarttime=1970-01-01T00:00:00.000000Z Tunnel=tunnel Bytes=741493 srcBytes=277595 dstBytes=463898 totalPackets=1183 srcPackets=554 dstPackets=629 PacketsDroppedMax=58 PacketsDroppedProtocol=34 PacketsDroppedStrict=171 PacketsDroppedTunnel=773 TunnelSessionsCreated=537 TunnelSessionsClosed=206 SessionEndReason=unknown ActionSource=unknown startTime=2021-08-09T13:59:51.000000Z SessionDuration=35 TunnelInspectionRule=gtp TunnelRemoteUserIP= TunnelRemoteIMSIID=0 RuleUUID=11a111aa-1a11-1a1a-11a1-1a11a11111a1 DynamicUserGroupName=dynug-4 ContainerID= ContainerNameSpace= ContainerName= SourceEDL= DestinationEDL= SourceDynamicAddressGroup= DestinationDynamicAddressGroup= TimeGeneratedHighResolution=2021-08-09T14:00:22.079000Z NSSAINetworkSliceDifferentiator=0 NSSAINetworkSliceType=0 ProtocolDataUnitsessionID=0 devTimeFormat=YYYY-MM-DDTHH:mm:ss.SSSSSSZ
|
JSA field name |
Highlighted payload fields |
|---|---|
|
Event ID |
drop-all (LEEF header Event ID field) Note:
Usually the Event ID field from the LEEF header is used. However, for certain event types, more LEEF fields or custom fields such as Subtype, and action might be used to form a unique event ID. |
|
Category |
PA Series GTP Note:
The value of the cat field is not used directly as the Category of the event. The value of this field is used to determine a predefined set of category values. For certain event types, more LEEF fields or custom fields can be used to form a unique event Category. |
|
Device Time |
devTime |
|
Source IPv6 |
src |
|
Destination IPv6 |
dst |
|
Source Port |
SrcPort |
|
Destination Port |
dstPort |
|
Post NAT Source IP |
srcPostNAT |
|
Post NAT Destination IP |
dstPostNAT |
|
Post NAT Soure Port |
srcPostNATPort |
|
Post NAT Destination Port |
dstPostNATPort |
|
Protocol |
tcp |
|
Username |
usrName Note:
If a username contains the domain as part of its value, the domain portion is removed and only the actual username portion is used. |