Filters in the Palo Alto GUI (Monitor tab) use a SQL-like syntax with field names, operators, and values.
Basic Structure
(field operator 'value')
Operators
Operator
Description
Example
eq
Equals
(action eq allow)
neq
Not equals
(action neq deny)
in
Contains / IP match
(addr.src in '10.1.1.0/24')
notin
Does not contain
(addr.dst notin '192.168.1.0/24')
geq
Greater than or equal
(time_generated geq '2024/01/26 09:00:00')
leq
Less than or equal
(time_generated leq '2024/01/26 10:00:00')
Logical Operators
Operator
Description
and
Both conditions must be true
or
Either condition must be true
( )
Grouping for complex logic
Common Field Names
Address Fields
Field
Description
addr.src
Source IP address
addr.dst
Destination IP address
zone.src
Source zone
zone.dst
Destination zone
port.src
Source port
port.dst
Destination port
Traffic Fields
Field
Description
app
Application name
rule
Security rule name
action
allow, deny, drop, reset
session_end_reason
Session end reason
protocol
Protocol (tcp, udp, icmp)
User / Device Fields
Field
Description
user.src
Source username
device_name
Firewall hostname
vsys
Virtual system
Threat Fields (Threat Logs)
Field
Description
threat_id
Threat ID number
severity
critical, high, medium, low, informational
threat_category
Category of threat
url
URL (for URL filtering logs)
Time Fields
Field
Description
time_generated
When log was generated
receive_time
When log was received
Filter Examples
By Source IP and Time Range
(addr.src in '10.180.25.251') and (time_generated geq '2024/01/26 09:45:00') and (time_generated leq '2024/01/26 09:51:00')
By Destination IP and Time Range
(addr.dst in '10.178.251.242') and (time_generated geq '2024/01/25 07:59:00') and (time_generated leq '2024/01/25 08:01:00')
Multiple Conditions with OR
(addr.src in '10.178.251.242')
and (time_generated geq '2024/01/18 09:53:00')
and (time_generated leq '2024/01/18 09:58:00')
and (( addr.dst in '34.71.212.212' ) or ( addr.dst in '144.161.106.173' ))
Traffic To/From Multiple Subnets
(( addr.src in '172.16.13.0/24' ) or ( addr.src in '172.16.23.0/24' ) or ( addr.src in '172.16.33.0/24' ) or ( addr.dst in '172.16.13.0/24' ) or ( addr.dst in '172.16.23.0/24' ) or ( addr.dst in '172.16.33.0/24' ))
By Application
(app eq web-browsing) and (action eq allow)
By Rule Name
(rule eq 'Allow-Internet-Access') and (time_generated geq '2024/01/26 00:00:00')
By Zone
(zone.src eq trust) and (zone.dst eq untrust)
Denied Traffic
(action eq deny) and (addr.src in '10.0.0.0/8')
High Severity Threats
(severity eq critical) or (severity eq high)
URL Filtering - Specific Category
(threat_category eq malware)
Exclude Internal Traffic
(addr.dst notin '10.0.0.0/8') and (addr.dst notin '172.16.0.0/12') and (addr.dst notin '192.168.0.0/16')
Tips
Time format: 'YYYY/MM/DD HH:MM:SS' (24-hour format, in firewall’s timezone)
IP addresses: Can be single IP or CIDR notation in quotes
Spaces: Values with spaces must be quoted
Case sensitive: Field names are lowercase; values may be case-sensitive
Wildcards: Use * for wildcards in some string fields
Performance: Add time constraints to improve query performance