Palo Alto AI Session Logging Guide


This guide covers two things:


1. How to capture Palo Alto Networks session logs with enough detail to convert them into IPFIX biflow-style session rows.

2. How to make AI-related sessions easier to isolate on NGFW, Panorama-managed environments, Prisma Access, and AI Runtime Security deployments.


What the converter expects


The companion script, palo_alto_ai_to_ipfix.py, maps Palo Alto traffic log fields into these IPFIX-style biflow columns:


  • `flowStartMilliseconds` from `session_start_time`
  • `flowEndMilliseconds` from `time_generated_high_res` or `time_generated`
  • `sourceIPv4Address` from `source_ip`
  • `destinationIPv4Address` from `dest_ip`
  • `sourceTransportPort` from `source_port`
  • `destinationTransportPort` from `dest_port`
  • `protocolIdentifier` from `protocol`
  • `packetDeltaCount` from `packets_sent`
  • `octetDeltaCount` from `bytes_sent`
  • `reversePacketDeltaCount` from `packets_received`
  • `reverseOctetDeltaCount` from `bytes_received`

The Palo Alto traffic log reference documents these field meanings, including `bytes_sent`, `bytes_received`, `packets_sent`, `packets_received`, `session_start_time`, and `total_time_elapsed`.


Sources:


  • [Traffic log field reference](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log)
  • [Traffic syslog default field order](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-syslog-fields)
  • [Traffic HTTPS field names](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-https-fields)

Recommended capture model


For AI session observability, the cleanest path is:


1. Enable Traffic logging on the security rules that permit outbound SaaS and AI traffic.

2. Forward those Traffic logs to Strata Logging Service, Panorama, syslog, or HTTPS.

3. If you use SaaS Security Inline or AI Runtime Security, enable the product-specific features that enrich AI visibility.

4. Export the resulting Traffic logs as CSV, JSON, or JSONL and feed them to the converter.


NGFW and Panorama-managed firewall steps


1. Enable Traffic logging on the relevant security rules


On the rule that allows AI application traffic:


1. Open the Security policy rule.

2. Under `Actions`, select the Log Forwarding profile.

3. For Traffic logs, enable `Log At Session End`.

4. Enable `Log At Session Start` only when you explicitly need early visibility into short-lived or long-lived sessions and accept the extra log volume.


Palo Alto explicitly notes that `Log At Session Start` consumes more resources than logging only at session end, and recommends both start and end logging mainly for troubleshooting and long-lived sessions. Palo Alto also notes that very short-lived sessions may require session-start logging to be visible.


Sources:


  • [Configure Log Forwarding (PAN-OS)](https://docs.paloaltonetworks.com/ngfw/administration/monitoring/configure-log-forwarding/configure-log-forwarding-pan-os)
  • [Session Logging Considerations](https://docs.paloaltonetworks.com/network-security/security-policy/administration/security-rules/session-logging-considerations)

2. Forward logs to a place you can export from


You have three practical collection options:


  • Strata Logging Service using HTTPS or cloud logging
  • Panorama or firewall local logs, then export
  • Syslog forwarding in the Palo Alto Traffic syslog default field order

If you want SaaS Security Inline features to work properly, Palo Alto says Traffic and URL logs must be forwarded to Strata Logging Service at minimum.


Source:


  • [SaaS App-ID Policy Recommendation](https://docs.paloaltonetworks.com/ngfw/administration/app-id/saas-policy-recommendation)

3. Prefer the following fields in your export


Make sure your exported log stream contains at least:


  • `log_type` and `sub_type`
  • `session_id`
  • `source_ip` and `dest_ip`
  • `source_port` and `dest_port`
  • `protocol`
  • `bytes_sent` and `bytes_received`
  • `packets_sent` and `packets_received`
  • `session_start_time`
  • `time_generated` or `time_generated_high_res`
  • `total_time_elapsed`
  • `app`
  • `rule_matched`
  • `source_user`
  • `url_category`

If present, also keep:


  • `ai_traffic`
  • `ai_fwd_error`
  • `app_category`
  • `app_sub_category`

Those fields improve AI-session identification.


AI-specific visibility on Palo Alto platforms


SaaS Security Inline and ACE


If your environment uses SaaS Security Inline, Palo Alto documents that:


  • A valid `SaaS Security Inline` license is required.
  • The firewall must forward logs to Strata Logging Service for SaaS visibility.
  • At minimum, `Traffic` and `URL` logs must be forwarded.

On PAN-OS 11.2, `Device > Setup > ACE` includes additional options that increase what PAN-OS logs to Strata Logging Service:


  • `Enable Additional HTTP Header Logging`
  • `Enable Session Tracking`

Palo Alto says session tracking was introduced in PAN-OS 11.2.5 and logs additional user and tenant information to Strata Logging Service, improving user-account-level granularity for a subset of supported SaaS applications.


Sources:


  • [Device > Setup > ACE](https://docs.paloaltonetworks.com/pan-os/11-2/pan-os-web-interface-help/device/device-setup-ace)
  • [SaaS App-ID Policy Recommendation](https://docs.paloaltonetworks.com/ngfw/administration/app-id/saas-policy-recommendation)

AI traffic flag in traffic logs


The Traffic HTTPS field reference includes:


  • `AITraffic` mapped to query name `ai_traffic`
  • `AIFwdError` mapped to query name `ai_fwd_error`

If your exported traffic logs include those fields, use them as the highest-confidence signal that the session is AI-related. The converter does that first, before falling back to application-name heuristics.
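The two steps described above, the biflow field mapping from "What the converter expects" and the `ai_traffic`-first classification with a keyword fallback, as one added worked example. This is illustrative code written for this guide, not the `palo_alto_ai_to_ipfix.py` script itself; the CSV rows, the keyword list, the `YYYY/MM/DD HH:MM:SS` timestamp format, the UTC interpretation, and the `sessionId`/`aiSignal` bookkeeping columns are all assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export (not real firewall data): three traffic-log rows in
# CSV form, using the query-name columns listed in this guide. ai_traffic is set
# on the first two rows and empty on the third so the fallback path is exercised.
SAMPLE_CSV = """\
session_id,source_ip,dest_ip,source_port,dest_port,protocol,bytes_sent,bytes_received,packets_sent,packets_received,session_start_time,time_generated,app,app_category,url_category,ai_traffic
1001,10.0.0.5,203.0.113.10,51234,443,tcp,4210,18800,22,31,2024/05/01 12:34:56,2024/05/01 12:35:10,openai-chatgpt,ai-assistants,computer-and-internet-info,yes
1002,10.0.0.6,198.51.100.20,51235,443,tcp,980,2400,9,8,2024/05/01 12:36:00,2024/05/01 12:36:03,web-browsing,general-internet,news,no
1003,10.0.0.7,192.0.2.30,51236,443,tcp,3000,7200,15,14,2024/05/01 12:37:00,2024/05/01 12:37:20,azure-openai,,computer-and-internet-info,
"""

# IANA protocol numbers for the names that appear in the protocol column.
PROTOCOL_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}

# Assumed fallback keyword list; the real converter's list may differ.
DEFAULT_AI_KEYWORDS = ("openai", "chatgpt", "anthropic", "gemini", "copilot")


def parse_pan_time_ms(value):
    """Convert a 'YYYY/MM/DD HH:MM:SS[.ffffff]' timestamp to epoch milliseconds.

    Format and UTC interpretation are assumptions for this example; check the
    firewall's configured time zone before relying on absolute values.
    """
    value = value.strip()
    for fmt in ("%Y/%m/%d %H:%M:%S.%f", "%Y/%m/%d %H:%M:%S"):
        try:
            dt = datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        return int(dt.timestamp() * 1000)
    raise ValueError(f"unrecognised Palo Alto timestamp: {value!r}")


def classify_ai_session(row, keywords=DEFAULT_AI_KEYWORDS):
    """Return (is_ai, reason). The ai_traffic flag wins; keywords are a fallback."""
    flag = (row.get("ai_traffic") or "").strip().lower()
    if flag in ("yes", "true", "1"):
        return True, "ai_traffic"
    if flag in ("no", "false", "0"):
        return False, "ai_traffic"
    # No usable flag: look at the app and category columns the guide lists.
    haystack = " ".join(
        (row.get(k) or "") for k in ("app", "app_category", "app_sub_category", "url_category")
    ).lower()
    for kw in keywords:
        if kw.lower() in haystack:
            return True, f"keyword:{kw}"
    return False, "heuristic"


def row_to_biflow(row):
    """Map one traffic-log row onto the IPFIX-style biflow columns from this guide."""
    proto = row["protocol"].strip().lower()
    start_ms = parse_pan_time_ms(row["session_start_time"])
    end_ms = parse_pan_time_ms(row.get("time_generated_high_res") or row["time_generated"])
    if end_ms < start_ms:
        raise ValueError(f"session {row.get('session_id')} ends before it starts")
    return {
        "flowStartMilliseconds": start_ms,
        "flowEndMilliseconds": end_ms,
        "sourceIPv4Address": row["source_ip"],
        "destinationIPv4Address": row["dest_ip"],
        "sourceTransportPort": int(row["source_port"]),
        "destinationTransportPort": int(row["dest_port"]),
        "protocolIdentifier": PROTOCOL_NUMBERS.get(proto, int(proto) if proto.isdigit() else 0),
        "packetDeltaCount": int(row["packets_sent"]),
        "octetDeltaCount": int(row["bytes_sent"]),
        "reversePacketDeltaCount": int(row["packets_received"]),
        "reverseOctetDeltaCount": int(row["bytes_received"]),
    }


def convert(csv_text, include_non_ai=False, keywords=DEFAULT_AI_KEYWORDS):
    """Convert CSV text to a list of biflow dicts, keeping AI sessions by default."""
    flows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        is_ai, reason = classify_ai_session(row, keywords)
        if not is_ai and not include_non_ai:
            continue
        flow = row_to_biflow(row)
        # Two non-IPFIX bookkeeping columns (example-only names) so an analyst
        # can see which signal classified the session.
        flow["sessionId"] = row["session_id"]
        flow["aiSignal"] = reason
        flows.append(flow)
    return flows


if __name__ == "__main__":
    for flow in convert(SAMPLE_CSV):
        print(flow)
```

Running the block keeps sessions 1001 (flagged by `ai_traffic`) and 1003 (no flag, matched on the `openai` keyword in its `app` value) and drops 1002, whose explicit `ai_traffic=no` is honoured even though heuristics never run for it; `include_non_ai=True` mirrors the converter's `--include-non-ai` behaviour and keeps all three.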


Source:


  • [Traffic HTTPS Fields](https://docs.paloaltonetworks.com/strata-logging-service/log-reference/network-logs/network-traffic-log/network-traffic-https-fields)

AI Runtime Security


If you use Prisma AIRS AI Runtime Security:


1. Create an `AI Security Profile`.

2. Attach it to the security policy rule that covers traffic between AI applications and AI model endpoints.

3. If you need protection for custom model endpoints, enable `Custom Model Support` and make sure the destination scope of the policy includes those endpoints.


Palo Alto states that AI security logs are generated when threats are detected, and recommends `Firewall/AI Security` logs when using Strata Logging Service. These logs are complementary to Traffic logs. They are not a replacement for Traffic logs if you want biflow/session volume analytics, because AI Security logs are threat-centric rather than per-session byte and packet counters.


Sources:


  • [Create an AI Security Profile](https://docs.paloaltonetworks.com/ai-runtime-security/administration/prevent-network-security-threats/create-ai-security-profile)
  • [Monitor: Threat Logs and AI Security Logs](https://docs.paloaltonetworks.com/ai-runtime-security/administration/detect-and-alert-on-malicious-traffic)

Other Palo Alto-managed appliances and services


Prisma Access


Prisma Access is covered by the same SaaS visibility pattern as NGFW for this use case:


  • Enable Traffic logging on the rules that allow outbound AI/SaaS traffic.
  • Forward Traffic and URL logs to Strata Logging Service.
  • If licensed, use ACE and SaaS Security Inline capabilities to improve application identification.

Palo Alto’s SaaS App-ID Policy Recommendation documentation explicitly lists both `Prisma Access` and `Next-Generation Firewall` as supported environments.


Source:


  • [SaaS App-ID Policy Recommendation](https://docs.paloaltonetworks.com/ngfw/administration/app-id/saas-policy-recommendation)

Panorama


Panorama is the right control point for:


  • Pushing log forwarding profiles and security policy logging settings
  • Managing AI Security Profiles for Panorama-managed AI Runtime deployments
  • Exporting or viewing Threat logs when Strata Logging Service is not in use

For AI Runtime Security, Palo Alto says Panorama deployments without Strata Logging Service should use `Threat` logs with subtype `ai-security`. With Strata Logging Service, use `AI Security` logs for richer AI-specific details.


Source:


  • [Monitor: Threat Logs and AI Security Logs](https://docs.paloaltonetworks.com/ai-runtime-security/administration/detect-and-alert-on-malicious-traffic)

Practical rule design for AI session capture


To keep data volume reasonable while still capturing AI sessions:


1. Create dedicated allow rules for sanctioned AI apps or AI destination groups where possible.

2. Enable `Log At Session End` on those dedicated rules.

3. Add `Log At Session Start` only on the subset where you care about short-lived prompts, frequent API calls, or long-lived sessions.

4. Forward those logs through a dedicated Log Forwarding profile so they are easy to export.

5. If possible, separate generic web traffic from AI/SaaS traffic in policy so your session dataset is cleaner.


Running the converter


Example with exported CSV:

```powershell
python .\palo_alto_ai_to_ipfix.py .\traffic_export.csv
```

Example with exported JSON and extra keywords:

```powershell
python .\palo_alto_ai_to_ipfix.py .\traffic_export.json --keyword "azure-openai" --keyword "vertex-ai"
```

Example to keep every traffic session, not just AI sessions:

```powershell
python .\palo_alto_ai_to_ipfix.py .\traffic_export.csv --include-non-ai
```

Important limitations


  • Traffic logs produce the best session-to-biflow mapping. AI Security logs are useful enrichment but not sufficient alone for byte and packet biflow records.
  • `Log At Session Start` can materially increase log volume and resource usage.
  • Some short-lived sessions may be missed without session-start logging.
  • AI-session identification is strongest when `ai_traffic` is present. If your export does not include that field, the converter falls back to application and category heuristics.
  • If the firewall is not forwarding logs successfully, Palo Alto notes that logs can be silently dropped.