Cloud NGFW for AWS Threat Log Fields
Table of Contents
Expand all | Collapse all
-
- About Cloud NGFW for AWS
- Getting Started from the AWS Marketplace
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for AWS Pricing
- Cloud NGFW Credit Distribution and Management
- Cloud NGFW for AWS Free Trial
- Cloud NGFW for AWS Limits and Quotas
- Subscribe to Cloud NGFW for AWS
- Locate Your Cloud NGFW for AWS Serial Number
- Cross-Account Role CFT Permissions for Cloud NGFW
- Invite Users to Cloud NGFW for AWS
- Manage Cloud NGFW for AWS Users
- Deploy Cloud NGFW for AWS with the AWS Firewall Manager
- Enable Programmatic Access
- Terraform Support for Cloud NGFW AWS
- Provision Cloud NGFW Resources to your AWS CFT
- Configure Automated Account Onboarding
- Usage Explorer
- Create a Support Case
- Cloud NGFW for AWS Certifications
- Cloud NGFW for AWS Privacy and Data Protection
-
-
- Prepare for Panorama Integration
- Link the Cloud NGFW to Palo Alto Networks Management
- Unlink the Cloud NGFW from Palo Alto Networks Management
- Associate a Linked Panorama to the Cloud NGFW Resource
- Use Panorama for Cloud NGFW Policy Management
- View Cloud NGFW Logs and Activity in Panorama
- View Cloud NGFW Logs in Strata Logging Service
- Tag Based Policies
- Configure Zone-based Policy Rules
- Enterprise Data Loss Prevention (E-DLP) Integration with Cloud NGFW for AWS
-
- Strata Cloud Manager Policy Management
Cloud NGFW for AWS Threat Log Fields
Field Name | Description |
---|---|
Generated Time (time_generated or cef-formatted-time_generated) | Time the log was generated on the dataplane. |
Source address (src_ip) | Original session source IP address. |
Source Port (sport) | Source port utilized by the session. |
Session ID (sessionid) | An internal numerical identifier applied
to each session. |
Destination address (dst_ip) | Original session destination IP address. |
Destination Port (dport) | Destination port utilized by the session. |
IP Protocol (proto) | IP protocol associated with the session. |
Application (app) | Application associated with the session. |
Rule Name (rule) | Name of the rule that the session matched. |
Action (action) | Action taken for the session; values are
alert, allow, deny, drop, drop-all-packets, reset-client, reset-server,
reset-both, block-url.
|
Threat Category (threat_category) | Describes threat categories used to classify
different types of threat signatures. |
Threat/Content Type (threat_content_type) | Subtype of threat log. Values include the
following:
|
Threat/Content Name (threat_content_name) | Palo Alto Networks identifier for known
and custom threats. It is a description string followed by a 64-bit
numerical identifier in parentheses for some Subtypes:
Threat
ID ranges for virus detection, WildFire signature feed, and DNS
C2 signatures used in previous releases have been replaced with
permanent, globally unique IDs. Refer to the Threat/Content Type
(subtype) and Threat Category (thr_category) field names to create
updated reports, filter threat logs, and ACC activity. |
Severity (severity) | Severity associated with the threat; values
are informational, low, medium, high, critical. |
Direction (direction) | Indicates the direction of the attack, client-to-server
or server-to-client:
|
Repeat Count (repeatcnt) | Number of sessions with same Source IP,
Destination IP, Application, and Content/Threat Type seen within
5 seconds. |
Reason (data_filter_reason) | Reason for Data Filtering action. |
XFF Address (xff_ip) | The IP address of the user who requested
the web page or the IP address of the next to last device that the
request traversed. If the request goes through one or more proxies,
load balancers, or other upstream devices, the firewall displays
the IP address of the most recent device. |
Content Version (contentver) | Applications and Threats version on your
firewall when the log was generated. |