--- title: Palo Alto Networks fields description: Module for Palo Alto Networks (PAN-OS) Fields from the panw module. Fields for the Palo Alto Networks PAN-OS logs. Fields to extend the top-level source... url: https://www.elastic.co/elastic/docs-builder/docs/3028/reference/beats/filebeat/exported-fields-panw products: - Beats - Filebeat applies_to: - Elastic Cloud Serverless: Generally available - Elastic Stack: Generally available --- # Palo Alto Networks fields Module for Palo Alto Networks (PAN-OS) ## panw Fields from the panw module. ## panos Fields for the Palo Alto Networks PAN-OS logs. Name of the rule that matched this session. type: keyword ## source Fields to extend the top-level source object. Source zone for this session. type: keyword Source interface for this session. type: keyword ## nat Post-NAT source address, if source NAT is performed. Post-NAT source IP. type: ip Post-NAT source port. type: long ## destination Fields to extend the top-level destination object. Destination zone for this session. type: keyword Destination interface for this session. type: keyword ## nat Post-NAT destination address, if destination NAT is performed. Post-NAT destination IP. type: ip Post-NAT destination port. type: long The reason a session terminated. type: keyword ## network Fields to extend the top-level network object. Packet capture ID for a threat. type: keyword Community ID flow-hash for the NAT 5-tuple. type: keyword ## file Fields to extend the top-level file object. Binary hash for a threat file sent to be analyzed by the WildFire service. type: keyword ## url Fields to extend the top-level url object. For threat URLs, it's the URL category. For WildFire, the verdict on the file and is either 'malicious', 'grayware', or 'benign'. type: keyword Internal numeric identifier for each session. type: keyword Log entry identifier that is incremented sequentially. Unique for each log type. type: long URL or file name for a threat. type: keyword Palo Alto Networks identifier for the threat. type: keyword Palo Alto Networks name for the threat. type: keyword Action taken for the session. type: keyword Specifies the type of the log Specifies the sub type of the log Virtual system instance type: keyword The client device’s OS version. type: keyword The client device’s OS version. type: keyword The client’s GlobalProtect app version. type: keyword A string showing the stage of the connection type: keyword example: before-login A bit field indicating if the log was forwarded to Panorama. type: keyword A string showing that error that has occurred in any event. type: keyword An integer associated with any errors that occurred. type: integer The number of sessions with the same source IP address, destination IP address, application, and subtype that GlobalProtect has detected within the last five seconds.An integer associated with any errors that occurred. type: integer The serial number of the user’s machine or device. type: keyword A string showing the authentication type type: keyword example: LDAP Source from which mapping information is collected. type: keyword Mechanism used to identify the IP/User mappings within a data source. type: keyword User-ID source that sends the IP (Port)-User Mapping. type: keyword Indicates the use of primary authentication (1) or additional factors (2, 3). type: integer Vendor used to authenticate a user when Multi Factor authentication is present. type: keyword Time the authentication was completed. type: date Displays whether the user group that was found during user group mapping. Supported values are: User Group Found—Indicates whether the user could be mapped to a group. Duplicate User—Indicates whether duplicate users were found in a user group. Displays N/A if no user group is found. type: keyword ## device_group_hierarchy A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. type: keyword A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. type: keyword A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. type: keyword A sequence of identification numbers that indicate the device group’s location within a device group hierarchy. The firewall (or virtual system) generating the log includes the identification number of each ancestor in its device group hierarchy. The shared device group (level 0) is not included in this structure. If the log values are 12, 34, 45, 0, it means that the log was generated by a firewall (or virtual system) that belongs to device group 45, and its ancestors are 34, and 12. type: keyword Timeout after which the IP/User Mappings are cleared. type: integer A unique identifier for a virtual system on a Palo Alto Networks firewall. type: keyword The name of the virtual system associated with the session; only valid on firewalls enabled for multiple virtual systems. type: keyword Additional information for any event that has occurred. type: keyword The type of tunnel (either SSLVPN or IPSec). type: keyword A string showing the how the GlobalProtect app connects to Gateway type: keyword Name of the HIP object or profile. type: keyword Whether the hip field represents a HIP object or a HIP profile. type: keyword The priority order of the gateway that is based on highest (1), high (2), medium (3), low (4), or lowest (5) to which the GlobalProtect app can connect. type: keyword The SSL response time of the selected gateway that is measured in milliseconds on the endpoint during tunnel setup. type: keyword The fields that are collected for each gateway connection attempt with the gateway name, SSL response time, and priority type: keyword The name of the gateway that is specified on the portal configuration. type: keyword The connection method that is selected to connect to the gateway. type: keyword