This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Flags in Syslog

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Flags in Syslog

Remo
L7 Applicator

‎07-28-2017 05:20 AM

Hi all

 

Paloalto is able to forward logs to a syslog server. So far so good. In these logs there is a hex-value which indicates what was done with this session.

In the documentation ( https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/syslog-field-descriptions ) there are these known flag values:

  • 0x80000000 —session has a packet capture (PCAP)
  • 0x02000000 —IPv6 session
  • 0x01000000 —SSL session was decrypted (SSL Proxy)
  • 0x00800000 —session was denied via URL filtering
  • 0x00400000 —session has a NAT translation performed (NAT)
  • 0x00200000 —user information for the session was captured through Captive Portal
  • 0x00080000 —X-Forwarded-For value from a proxy is in the source user field
  • 0x00040000 —log corresponds to a transaction within a http proxy session (Proxy Transaction)
  • 0x00008000 —session is a container page access (Container Page)
  • 0x00002000 —session has a temporary match on a rule for implicit application dependency handling. Available in PAN-OS 5.0.0 and above.
  • 0x00000800 —symmetric return was used to forward traffic for this session

Now the question is: What do other values mean which are not in the documentation?

For example in one log we have 0x150001c:

          0001 0101 0000 0000 0000 0001 1100

          0001 0000 0000 0000 0000 0000 0000 --> Decrypted

          0000 0100 0000 0000 0000 0000 0000 --> NAT applied

... obviously this session was decrypted and has NAT applied...

 

          0000 0001 0000 0000 0000 0001 1100 --> what do these values mean?

 

Does someone know more about these flags?

         

 

3 people had this problem.
0 Likes Likes
0 REPLIES 0
  • 2238 Views
  • 0 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks