Calculate the flag from logged value of Traffic Log PanOS 8.1

gnikesh — Fri, 05 Apr 2019 01:31:36 GMT

According to Documentation,

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslog-field-descriptions/traffic-log-fields.html

The field Flags is a 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value.

In my Traffic Log:

<14>Apr 3 11:35:32 HQFW01 1,2019/04/03 11:35:31,XXXXXXXXXXXXX,TRAFFIC,end,2049,2019/04/03 11:35:31,XX.XX.XX.XX,XX.XX.XX.XX,XX.XX.XX.XX,XX.XX.XX.XX,Guest Internet Access,,,abcde,vsys1,Guest,Untrust,XXX,XXX,default,2019/04/03 11:35:31,31450,1,19786,3139,58657,3479,0x500019,udp,allow,504,270,234,6,2019/04/03 11:30:31,0,any,0,4233345645,0x0,XX.XX.XX.XX-XX.XX.XX.XX,United States,0,3,3,aged-out,0,0,0,0,,FW01,from-policy,,,0,,0,,N/A,0,0,0,0

I see the flag value 0x500019. I am not sure how this value is calculated.

Can someone please explain which flags generates this value and how can we calculate it?

Re: Calculate the flag from logged value of Traffic Log PanOS 8.1

ram_gubhaju — Fri, 05 Apr 2019 05:29:23 GMT

The flags for 8.1 log is as follows

0x80000000—session has a packet capture (PCAP)
0x40000000—option is enabled to allow a client to use multiple paths to connect to a destination host
0x20000000—file is submitted to WildFire for a verdict
0x10000000—enterprise credential submission by end user detected
0x08000000— source for the flow is whitelisted and not subject to recon protection
0x02000000—IPv6 session
0x01000000—SSL session is decrypted (SSL Proxy)
0x00800000—session is denied via URL filtering
0x00400000—session has a NAT translation performed
0x00200000—user information for the session was captured through Captive Portal
0x00100000—application traffic is on a non-standard destination port
0x00080000 —X-Forwarded-For value from a proxy is in the source user field
0x00040000—log corresponds to a transaction within a http proxy session (Proxy Transaction)
0x00020000—Client to Server flow is subject to policy based forwarding
0x00010000—Server to Client flow is subject to policy based forwarding
0x00008000—session is a container page access (Container Page)
0x00002000—session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
0x00000800—symmetric return is used to forward traffic for this session
0x00000400—decrypted traffic is being sent out clear text through a mirror port
0x00000100—payload of the outer tunnel is being inspected

So the flag value available in the log, in your case "0x500019" should be AND with all the predefined hex value. If the value return after ANDing is matched with the predefined flag, then that is the flag for your log.

In your case, for "0x500019" it matches with

0x00400000 :session has a NAT translation performed
0x00100000 :application traffic is on a non-standard destination port

i.e. 0x500019 AND 0x00400000= 0x00400000

0x500019 AND 0x00100000=0x00100000

But the AND value results into zero for another predefined flag.

e.g. 0x500019 AND 0x00000100=0x0

So for given log, flag is "session has a NAT translation performed" and "application traffic is on a non-standard destination port"

topic Re: Calculate the flag from logged value of Traffic Log PanOS 8.1 in General Topics

Calculate the flag from logged value of Traffic Log PanOS 8.1

Re: Calculate the flag from logged value of Traffic Log PanOS 8.1