Calculate the flag from logged value of Traffic Log PanOS 8.1

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Calculate the flag from logged value of Traffic Log PanOS 8.1

L1 Bithead

According to Documentation, 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/monitoring/use-syslog-for-monitoring/syslo...

 

The field Flags is a 32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value.
 
In my Traffic Log:
 
<14>Apr 3 11:35:32 HQFW01 1,2019/04/03 11:35:31,XXXXXXXXXXXXX,TRAFFIC,end,2049,2019/04/03 11:35:31,XX.XX.XX.XX,XX.XX.XX.XX,XX.XX.XX.XX,XX.XX.XX.XX,Guest Internet Access,,,abcde,vsys1,Guest,Untrust,XXX,XXX,default,2019/04/03 11:35:31,31450,1,19786,3139,58657,3479,0x500019,udp,allow,504,270,234,6,2019/04/03 11:30:31,0,any,0,4233345645,0x0,XX.XX.XX.XX-XX.XX.XX.XX,United States,0,3,3,aged-out,0,0,0,0,,FW01,from-policy,,,0,,0,,N/A,0,0,0,0
 
I see the flag value 0x500019. I am not sure how this value is calculated.
 
Can someone please explain which flags generates this value and how can we calculate it?
1 accepted solution

Accepted Solutions

L0 Member

The flags for 8.1 log is as follows

  • 0x80000000—session has a packet capture (PCAP)
  • 0x40000000—option is enabled to allow a client to use multiple paths to connect to a destination host
  • 0x20000000—file is submitted to WildFire for a verdict
  • 0x10000000—enterprise credential submission by end user detected
  • 0x08000000— source for the flow is whitelisted and not subject to recon protection
  • 0x02000000—IPv6 session
  • 0x01000000—SSL session is decrypted (SSL Proxy)
  • 0x00800000—session is denied via URL filtering
  • 0x00400000—session has a NAT translation performed
  • 0x00200000—user information for the session was captured through Captive Portal
  • 0x00100000—application traffic is on a non-standard destination port
  • 0x00080000 —X-Forwarded-For value from a proxy is in the source user field
  • 0x00040000—log corresponds to a transaction within a http proxy session (Proxy Transaction)
  • 0x00020000—Client to Server flow is subject to policy based forwarding
  • 0x00010000—Server to Client flow is subject to policy based forwarding
  • 0x00008000—session is a container page access (Container Page)
  • 0x00002000—session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  • 0x00000800—symmetric return is used to forward traffic for this session
  • 0x00000400—decrypted traffic is being sent out clear text through a mirror port
  • 0x00000100—payload of the outer tunnel is being inspected

So the flag value available in the log, in your case "0x500019" should be AND with all the predefined hex value. If the value return after ANDing is matched with the predefined flag, then that is the flag for your log.

 

In your case, for "0x500019" it matches with

0x00400000 :session has a NAT translation performed
0x00100000 :application traffic is on a non-standard destination port

 

i.e. 0x500019 AND 0x00400000= 0x00400000

0x500019 AND 0x00100000=0x00100000

 

But the AND value results into zero for another predefined flag.

e.g. 0x500019 AND 0x00000100=0x0

 

So for given log, flag is "session has a NAT translation performed" and "application traffic is on a non-standard destination port"

 

View solution in original post

1 REPLY 1

L0 Member

The flags for 8.1 log is as follows

  • 0x80000000—session has a packet capture (PCAP)
  • 0x40000000—option is enabled to allow a client to use multiple paths to connect to a destination host
  • 0x20000000—file is submitted to WildFire for a verdict
  • 0x10000000—enterprise credential submission by end user detected
  • 0x08000000— source for the flow is whitelisted and not subject to recon protection
  • 0x02000000—IPv6 session
  • 0x01000000—SSL session is decrypted (SSL Proxy)
  • 0x00800000—session is denied via URL filtering
  • 0x00400000—session has a NAT translation performed
  • 0x00200000—user information for the session was captured through Captive Portal
  • 0x00100000—application traffic is on a non-standard destination port
  • 0x00080000 —X-Forwarded-For value from a proxy is in the source user field
  • 0x00040000—log corresponds to a transaction within a http proxy session (Proxy Transaction)
  • 0x00020000—Client to Server flow is subject to policy based forwarding
  • 0x00010000—Server to Client flow is subject to policy based forwarding
  • 0x00008000—session is a container page access (Container Page)
  • 0x00002000—session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  • 0x00000800—symmetric return is used to forward traffic for this session
  • 0x00000400—decrypted traffic is being sent out clear text through a mirror port
  • 0x00000100—payload of the outer tunnel is being inspected

So the flag value available in the log, in your case "0x500019" should be AND with all the predefined hex value. If the value return after ANDing is matched with the predefined flag, then that is the flag for your log.

 

In your case, for "0x500019" it matches with

0x00400000 :session has a NAT translation performed
0x00100000 :application traffic is on a non-standard destination port

 

i.e. 0x500019 AND 0x00400000= 0x00400000

0x500019 AND 0x00100000=0x00100000

 

But the AND value results into zero for another predefined flag.

e.g. 0x500019 AND 0x00000100=0x0

 

So for given log, flag is "session has a NAT translation performed" and "application traffic is on a non-standard destination port"

 

  • 1 accepted solution
  • 7022 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!