For instance, if you allow HTTPS to the internet and the traffic was blocked as a threat, in the log details you may see: This traffic was identified as a web ad and blocked per your URL filtering policy, Objects->Security Profiles->URL Filtering->[profile name] is set to "block".

Destination country or Internal region for private addresses.
required AMI swaps.
This field is not supported on PA-7050 firewalls.
Or, users can choose which log types to
The AMS solution runs in Active-Active mode as each PA instance in its

This traffic was blocked as the content was identified as matching an Application&Threat database entry.

management capabilities to deploy, monitor, manage, scale, and restore infrastructure within

Action - Allow
Session End Reason - Threat.

to "Define Alarm Settings".
made, the type of client (web interface or CLI), the type of command run, whether
if required.

tcp-rst-from-server: The server sent a TCP reset to the client.

Do you have decryption enabled?

Backups are created during initial launch, after any configuration changes, and on a

from there you can determine why it was blocked and where you may need to apply an exception.

This is a list of the standard fields for each of the five log types that are forwarded to an external server.

view of select metrics and aggregated metrics can be viewed by navigating to the Dashboard

PAN-OS Log Message Field Descriptions

Available on all models except the PA-4000 Series
Number of total packets (transmit and receive) for the session
URL category associated with the session (if applicable).

Create Threat Exceptions - Palo Alto Networks

Review the correlated log entries in the lower panel to identify which threat prevention feature enacted a block.

Although the traffic was blocked, there is no entry for this inside of the threat logs.

Time the log was generated on the dataplane
If Source NAT performed, the post-NAT Source IP address
If Destination NAT performed, the post-NAT Destination IP address
Name of the rule that the session matched
Username of the user who initiated the session
Username of the user to which the session was destined
Virtual System associated with the session
Interface that the session was sourced from
Interface that the session was destined to
Log Forwarding Profile that was applied to the session
An internal numerical identifier applied to each session
Number of sessions with same Source IP, Destination IP, Application, and Subtype seen within 5 seconds; used for ICMP only
32-bit field that provides details on session; this field can be decoded by AND-ing the values with the logged value:
    0x80000000 session has a packet capture (PCAP)
    0x02000000 IPv6 session
    0x01000000 SSL session was decrypted (SSL Proxy)
    0x00800000 session was denied via URL filtering
    0x00400000 session has a NAT translation performed (NAT)
    0x00200000 user information for the session was captured via the captive portal (Captive Portal)
    0x00080000 X-Forwarded-For value from a proxy is in the source user field
    0x00040000 log corresponds to a transaction within a http proxy session (Proxy Transaction)
    0x00008000 session is a container page access (Container Page)
    0x00002000 session has a temporary match on a rule for implicit application dependency handling.