Palo Alto Networks Strata log service

Palo Alto AI Session Logging Guide

This guide covers two things:

  1. How to capture Palo Alto Networks session logs with enough detail to convert them into IPFIX biflow-style session rows.
  2. How to make AI-related sessions easier to isolate on NGFW, Panorama-managed environments, Prisma Access, and AI Runtime Security deployments.

What the converter expects

The companion script: palo_alto_ai_to_ipfix.py

The converter maps Palo Alto traffic log fields into these IPFIX-style biflow columns:

  • flowStartMilliseconds from session_start_time
  • flowEndMilliseconds from time_generated_high_res or time_generated
  • sourceIPv4Address from source_ip
  • destinationIPv4Address from dest_ip
  • sourceTransportPort from source_port
  • destinationTransportPort from dest_port
  • protocolIdentifier from protocol
  • packetDeltaCount from packets_sent
  • octetDeltaCount from bytes_sent
  • reversePacketDeltaCount from packets_received
  • reverseOctetDeltaCount from bytes_received

Palo Alto's Traffic log field reference documents fields including bytes_sent, bytes_received, packets_sent, packets_received, session_start_time, and total_time_elapsed, which is what makes this per-direction mapping possible.
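The mapping above, implemented over a constructed two-row CSV export, as an added example (this is not the companion script's code). The timestamp layouts, the protocol-name table and the fallback that derives a missing end time from total_time_elapsed are assumptions:

```python
import csv
import io
from datetime import datetime, timezone
# IANA protocol numbers for the names PAN-OS writes in the "protocol" field.
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "icmp6": 58, "sctp": 132}
# Timestamp layouts accepted (assumption: CSV uses yyyy/mm/dd, high-res is ISO 8601 UTC).
TIME_FORMATS = ("%Y/%m/%d %H:%M:%S", "%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ")

def to_millis(value):
    """Parse a PAN-OS timestamp string to epoch milliseconds (UTC assumed)."""
    for fmt in TIME_FORMATS:
        try:
            dt = datetime.strptime(value.strip(), fmt).replace(tzinfo=timezone.utc)
            return int(dt.timestamp() * 1000)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")

def traffic_row_to_biflow(row):
    """Map one Traffic log row (a dict) to the IPFIX biflow columns listed above."""
    start_ms = to_millis(row["session_start_time"])
    end_raw = row.get("time_generated_high_res") or row.get("time_generated")
    if end_raw:
        end_ms = to_millis(end_raw)
    else:
        # Fallback (assumption): end = start + total_time_elapsed seconds.
        end_ms = start_ms + int(row.get("total_time_elapsed") or 0) * 1000
    proto = row["protocol"].strip().lower()
    return {
        "flowStartMilliseconds": start_ms,
        "flowEndMilliseconds": end_ms,
        "sourceIPv4Address": row["source_ip"],
        "destinationIPv4Address": row["dest_ip"],
        "sourceTransportPort": int(row["source_port"]),
        "destinationTransportPort": int(row["dest_port"]),
        "protocolIdentifier": int(proto) if proto.isdigit() else PROTO_NUMBERS[proto],
        "packetDeltaCount": int(row["packets_sent"]),
        "octetDeltaCount": int(row["bytes_sent"]),
        "reversePacketDeltaCount": int(row["packets_received"]),
        "reverseOctetDeltaCount": int(row["bytes_received"]),
    }

# Constructed sample export: session 1001 has a high-res end time, 1002 does not.
SAMPLE_CSV = """session_id,source_ip,dest_ip,source_port,dest_port,protocol,bytes_sent,bytes_received,packets_sent,packets_received,session_start_time,time_generated_high_res,total_time_elapsed,app
1001,10.0.0.5,203.0.113.10,51234,443,tcp,4096,65536,40,70,2024/01/15 10:23:45,2024-01-15T10:23:47.250Z,2,openai-chatgpt
1002,10.0.0.6,203.0.113.20,51235,443,udp,512,1024,5,6,2024/01/15 10:24:00,,3,web-browsing
"""

def convert_csv(text):
    return [traffic_row_to_biflow(r) for r in csv.DictReader(io.StringIO(text))]
```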

Recommended capture model

For AI session observability, the recommended approach is:

  1. Enable Traffic logging on security rules that permit outbound SaaS and AI traffic.
  2. Forward Traffic logs to Strata Logging Service, Panorama, syslog, or HTTPS.
  3. Enable SaaS Security Inline or AI Runtime Security features if available.
  4. Export Traffic logs as CSV, JSON, or JSONL and feed them to the converter.

NGFW and Panorama-managed firewall steps

1. Enable Traffic logging on the relevant security rules

On the security rule allowing AI application traffic:

  1. Open the Security policy rule.
  2. Under Actions, select the Log Forwarding profile.
  3. Enable Log At Session End for Traffic logs.
  4. Enable Log At Session Start only when early visibility is required.

Palo Alto notes that Log At Session Start increases resource usage and log volume, but may be necessary for troubleshooting or short-lived sessions.

2. Forward logs to a place you can export from

Practical collection options include:

  • Strata Logging Service
  • Panorama or local firewall logs
  • Syslog forwarding using the default Traffic syslog field order

SaaS Security Inline visibility requires forwarding Traffic and URL logs to Strata Logging Service.

3. Prefer the following fields in your export

Ensure exported logs contain at least:

  • log_type and sub_type
  • session_id
  • source_ip and dest_ip
  • source_port and dest_port
  • protocol
  • bytes_sent and bytes_received
  • packets_sent and packets_received
  • session_start_time
  • time_generated or time_generated_high_res
  • total_time_elapsed
  • app
  • rule_matched
  • source_user
  • url_category

If available, also include:

  • ai_traffic
  • ai_fwd_error
  • app_category
  • app_sub_category

These fields improve AI-session identification.

AI-specific visibility on Palo Alto platforms

SaaS Security Inline and ACE (App-ID Cloud Engine)

SaaS Security Inline requires:

  • A valid SaaS Security Inline license
  • Traffic and URL logs forwarded to Strata Logging Service

PAN-OS 11.2 ACE settings provide the following options:

  • Enable Additional HTTP Header Logging
  • Enable Session Tracking

Session tracking improves user-account-level granularity for supported SaaS applications.

AI traffic flag in traffic logs

The Traffic log HTTPS forwarding field list includes:

  • AITraffic mapped to ai_traffic
  • AIFwdError mapped to ai_fwd_error

If exported logs include these fields, they provide the highest-confidence signal that traffic is AI-related.

AI Runtime Security

For Prisma AIRS AI Runtime Security:

  1. Create an AI Security Profile.
  2. Attach it to the policy rule covering AI application traffic.
  3. Enable Custom Model Support if protecting custom model endpoints.

AI Security logs are threat-centric and complement Traffic logs but do not replace Traffic logs for biflow/session analytics.

Other Palo Alto-managed appliances and services

Prisma Access

Prisma Access follows the same SaaS visibility approach:

  • Enable Traffic logging on outbound AI/SaaS rules
  • Forward Traffic and URL logs to Strata Logging Service
  • Use ACE and SaaS Security Inline where licensed

Panorama

Panorama is used for:

  • Pushing log forwarding profiles
  • Managing AI Security Profiles
  • Viewing and exporting Threat logs

Without Strata Logging Service, Panorama deployments should use Threat logs with subtype ai-security.

Practical rule design for AI session capture

  1. Create dedicated allow rules for sanctioned AI apps or AI destination groups.
  2. Enable Log At Session End on those rules.
  3. Add Log At Session Start only where needed.
  4. Use a dedicated Log Forwarding profile.
  5. Separate generic web traffic from AI/SaaS traffic where possible.

Running the converter

Example with exported CSV:

python .\palo_alto_ai_to_ipfix.py .\traffic_export.csv

Example with exported JSON and extra keywords:

python .\palo_alto_ai_to_ipfix.py .\traffic_export.json --keyword "azure-openai" --keyword "vertex-ai"

Example to keep every traffic session:

python .\palo_alto_ai_to_ipfix.py .\traffic_export.csv --include-non-ai
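An added example of the session selection these options imply, combining the ai_traffic precedence described under "AI traffic flag in traffic logs" with the --keyword and --include-non-ai behaviour shown above; it is not the companion script's own logic. The fields searched, the built-in keyword list and the sample rows are assumptions/constructed:

```python
# Fields searched for keywords (assumption about what the converter inspects).
KEYWORD_FIELDS = ("app", "app_category", "app_sub_category", "url_category")
# Built-in keywords (assumption); values passed with --keyword extend this list.
DEFAULT_KEYWORDS = ("openai", "chatgpt", "anthropic", "gemini", "copilot", "artificial-intelligence")

def classify_ai_session(row, keywords=()):
    """Return (is_ai, reason). An explicit ai_traffic value is final; keywords only
    decide when the flag is absent or empty, mirroring the confidence order above."""
    flag = (row.get("ai_traffic") or "").strip().lower()
    if flag in ("yes", "true", "1"):
        return True, "ai_traffic"
    if flag in ("no", "false", "0"):
        return False, "ai_traffic"
    haystack = " ".join((row.get(f) or "") for f in KEYWORD_FIELDS).lower()
    for kw in (*DEFAULT_KEYWORDS, *keywords):
        if kw.lower() in haystack:
            return True, f"keyword:{kw}"
    return False, "no-signal"

def select_sessions(rows, keywords=(), include_non_ai=False):
    """Keep AI sessions (or every session when include_non_ai is set), tagging each
    with the reason it was classified so the selection can be audited later."""
    selected = []
    for row in rows:
        is_ai, reason = classify_ai_session(row, keywords)
        if is_ai or include_non_ai:
            selected.append({**row, "ai_session": is_ai, "ai_reason": reason})
    return selected

# Constructed Traffic log rows, shaped as csv.DictReader or json.load would yield them.
SAMPLE_ROWS = [
    {"session_id": "1", "app": "openai-chatgpt", "url_category": "artificial-intelligence", "ai_traffic": "yes"},
    {"session_id": "2", "app": "ssl", "url_category": "computer-and-internet-info", "ai_traffic": ""},
    {"session_id": "3", "app": "vertex-ai-api", "url_category": "business-and-economy"},  # no flag at all
]
```

Session 3 is only selected once "vertex-ai" is supplied as a keyword, which is the situation the --keyword option exists for.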

Important limitations

  • Traffic logs provide the best session-to-biflow mapping.
  • Log At Session Start can significantly increase log volume.
  • Short-lived sessions may be missed without session-start logging.
  • AI-session identification is strongest when ai_traffic is present.
  • If logs are not forwarded correctly, they may be silently dropped.