Palo Alto Traffic
Palo Alto PAN-OS Traffic logs — network session lifecycle with start/end/drop/deny subtypes, zone-aware flow profiles (trust, untrust, DMZ), source NAT translation, 30 App-ID applications, and byte/packet counters with lognormal distributions.
Quick Start
```sh
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/network-paloalto-traffic/generator.yml \
  --id panw-traffic \
  --live-mode true
```
Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| end | Session ended — normal traffic termination | ~72% | network |
| start | Session started | ~14% | network |
| drop | Dropped before App-ID identification | ~7% | network |
| deny | Denied after App-ID identification | ~7% | network |
Realism Features
- 4 zone flow profiles — outbound (trust→untrust 70%), inbound DMZ (15%), internal (10%), DMZ-to-internal (5%)
- 30 PAN-OS App-IDs with weighted selection (ssl, web-browsing, dns, ms-office365, ssh, etc.)
- Lognormal byte/packet distributions — realistic right-skewed traffic volumes
- Protocol-aware session end reasons — TCP uses tcp-fin/aged-out/tcp-rst; UDP/ICMP always aged-out
- Source NAT translation only on outbound (trust→untrust) flows
- Zone-matched security rules — allow rules for permitted traffic, deny rules for blocked traffic
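The rules in the list above can be read as a small generation model: pick a zone profile, a subtype and an App-ID by weight, draw byte counters from a lognormal, choose an end reason that fits the transport, and apply source NAT only to outbound flows. The Python below is an added example, not the content pack's generator.yml or eventum's own code: it emits events in the same ECS shape as the sample output and ships a `check_event` function a consumer can run over emitted (or real) traffic logs to flag records that break those rules. The zone, subtype and TCP end-reason weights follow the page; the App-ID subset and its weights, the address pools, the rule names, the `event.action` values other than `flow_terminated`, the zone field names and the lognormal parameters are constructed assumptions.

```python
"""Added example (not the content pack's own code): a small model of the
realism rules listed above plus a checker for events that break them."""
import math
import random
from datetime import datetime, timezone

# Zone flow profiles with the page's percentages: (src_zone, dst_zone, direction, weight).
FLOW_PROFILES = [
    ("trust", "untrust", "outbound", 70),
    ("untrust", "dmz", "inbound", 15),
    ("trust", "trust", "internal", 10),
    ("dmz", "trust", "internal", 5),
]
# Traffic log subtypes with the page's approximate frequencies.
SUB_TYPES = [("end", 72), ("start", 14), ("drop", 7), ("deny", 7)]
# A subset of the 30 App-IDs; the weights, transports and ports are assumed.
APP_IDS = [("ssl", 40), ("web-browsing", 25), ("dns", 15), ("ms-office365", 10), ("ssh", 10)]
APP_TRANSPORT = {"ssl": "tcp", "web-browsing": "tcp", "dns": "udp", "ms-office365": "tcp", "ssh": "tcp"}
APP_PORT = {"ssl": 443, "web-browsing": 80, "dns": 53, "ms-office365": 443, "ssh": 22}
NAT_IP = "198.51.100.1"  # the page's nat_ip default
# event.action per subtype; only flow_terminated appears on the page, the others are assumed.
ACTIONS = {"end": "flow_terminated", "start": "flow_started", "drop": "flow_dropped", "deny": "flow_denied"}
# Constructed address pools per zone (private and documentation ranges).
ZONE_HOSTS = {"trust": "10.1.1.{}", "dmz": "172.16.5.{}", "untrust": "203.0.113.{}"}


def weighted_choice(rng, items):
    """Pick one (value, weight) entry proportionally to its weight."""
    values, weights = zip(*items)
    return rng.choices(values, weights=weights, k=1)[0]


def lognormal_bytes(rng, median, sigma=1.2):
    """Right-skewed byte count: exp(mu) is the median, sigma sets the tail."""
    return max(1, int(rng.lognormvariate(math.log(median), sigma)))


def session_end_reason(rng, transport, sub_type):
    """TCP sessions end by FIN/RST or ageing out; UDP and ICMP only age out."""
    if sub_type != "end":
        return "n/a"
    if transport == "tcp":
        return weighted_choice(rng, [("tcp-fin", 70), ("aged-out", 20), ("tcp-rst", 10)])
    return "aged-out"


def generate_event(rng):
    """Build one ECS-shaped TRAFFIC event that follows the realism rules."""
    src_zone, dst_zone, direction, _ = rng.choices(FLOW_PROFILES, weights=[p[3] for p in FLOW_PROFILES])[0]
    sub_type = weighted_choice(rng, SUB_TYPES)
    app = weighted_choice(rng, APP_IDS)
    transport = APP_TRANSPORT[app]
    allowed = sub_type in ("start", "end")
    # Counters only exist once a session has carried traffic, i.e. on 'end'.
    src_bytes = lognormal_bytes(rng, 2000) if sub_type == "end" else 0
    dst_bytes = lognormal_bytes(rng, 20000) if sub_type == "end" else 0
    duration_ns = int(rng.lognormvariate(math.log(30), 1.0)) * 10**9 if sub_type == "end" else 0
    event = {
        "@timestamp": datetime.now(timezone.utc).isoformat(),
        "event": {
            "action": ACTIONS[sub_type],
            "category": ["network"],
            "dataset": "panw.panos",
            "duration": duration_ns,
            "kind": "event",
            "outcome": "success" if allowed else "failure",
            "type": ["connection", sub_type, "allowed"] if allowed else ["connection", "denied"],
        },
        "source": {"ip": ZONE_HOSTS[src_zone].format(rng.randint(2, 254)),
                   "bytes": src_bytes, "port": rng.randint(49152, 65535)},
        "destination": {"ip": ZONE_HOSTS[dst_zone].format(rng.randint(2, 254)),
                        "bytes": dst_bytes, "port": APP_PORT[app]},
        "network": {"application": app, "bytes": src_bytes + dst_bytes,
                    "transport": transport, "direction": direction},
        # Zone-matched rule: allow rules for permitted traffic, deny rules otherwise (names constructed).
        "rule": {"name": f"{'allow' if allowed else 'deny'}-{src_zone}-to-{dst_zone}"},
        "panw": {"panos": {
            "action": "allow" if allowed else sub_type,
            "sub_type": sub_type,
            "type": "TRAFFIC",
            "session_end_reason": session_end_reason(rng, transport, sub_type),
            "source_zone": src_zone,  # zone field names are assumed
            "destination_zone": dst_zone,
        }},
        "observer": {"product": "PAN-OS", "vendor": "Palo Alto Networks"},
    }
    if direction == "outbound":  # source NAT only on trust->untrust flows
        event["source"]["nat"] = {"ip": NAT_IP}
    return event


def check_event(event):
    """Return the realism rules an event violates (empty list when consistent)."""
    problems = []
    panos, net = event["panw"]["panos"], event["network"]
    if (net["direction"] == "outbound") != ("nat" in event["source"]):
        problems.append("source NAT must appear on outbound flows and nowhere else")
    if panos["sub_type"] == "end":
        valid = {"tcp-fin", "aged-out", "tcp-rst"} if net["transport"] == "tcp" else {"aged-out"}
        if panos["session_end_reason"] not in valid:
            problems.append(f"end reason {panos['session_end_reason']} invalid for {net['transport']}")
    if net["bytes"] != event["source"]["bytes"] + event["destination"]["bytes"]:
        problems.append("network.bytes is not the sum of the per-side counters")
    if (panos["action"] == "allow") != (panos["sub_type"] in ("start", "end")):
        problems.append("panos.action does not match sub_type")
    return problems


def generate_batch(seed, count):
    """Deterministic batch of events for a given seed."""
    rng = random.Random(seed)
    return [generate_event(rng) for _ in range(count)]


if __name__ == "__main__":
    import json
    for ev in generate_batch(7, 3):
        print(json.dumps(ev), check_event(ev))
```

The checker is the more reusable half: the same four invariants (NAT only on outbound, end reason consistent with transport, byte sum, action matching subtype) are cheap sanity checks to run over any PAN-OS traffic feed before trusting it for detection tuning, whether the feed is synthetic or not.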
Sample Output
```json
{
  "@timestamp": "2026-03-06T14:30:15.123456+00:00",
  "event": {
    "action": "flow_terminated",
    "category": ["network"],
    "dataset": "panw.panos",
    "duration": 45000000000,
    "kind": "event",
    "outcome": "success",
    "type": ["connection", "end", "allowed"]
  },
  "source": { "ip": "10.1.1.14", "bytes": 2847, "port": 52340 },
  "destination": { "ip": "203.0.113.42", "bytes": 148502, "port": 443 },
  "network": {
    "application": "ssl",
    "bytes": 151349,
    "transport": "tcp",
    "direction": "outbound"
  },
  "panw": {
    "panos": {
      "action": "allow",
      "sub_type": "end",
      "type": "TRAFFIC",
      "session_end_reason": "tcp-fin"
    }
  },
  "observer": { "product": "PAN-OS", "vendor": "Palo Alto Networks" }
}
```
Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | PA-3260 | PAN-OS firewall hostname |
| domain | CORP | Active Directory domain |
| serial_number | 012801096514 | Firewall serial number |
| nat_ip | 198.51.100.1 | Source NAT IP |
| agent_id | f7a3b1c2-... | Elastic Agent ID |
| agent_version | 8.17.0 | Elastic Agent version |
Related Generators
Cisco ASA Firewall
Cisco ASA adaptive security appliance syslog — TCP/UDP/ICMP connection lifecycle, ACL permit/deny decisions, NAT translations, VPN tunnel events, and failover status messages.
Check Point Security Gateway
Check Point Security Gateway SmartLog — 8 software blades including Firewall, IPS, Application Control, URL Filtering, Anti-Bot, Anti-Virus, Threat Emulation, and Identity Awareness.
Network Traffic (Continent-Level Geo)
Network traffic events enriched with continent-level geographic information. Models cross-continent and same-continent flows for both inbound and outbound directions, with realistic allow/deny outcomes based on geographic policy.