Palo Alto GUI Filter Reference

paloalto filters cheatsheet


Filter Syntax Overview

Filters in the Palo Alto GUI (Monitor tab) use a SQL-like syntax with field names, operators, and values.

Basic Structure

(field operator 'value')

Operators

OperatorDescriptionExample
eqEquals(action eq allow)
neqNot equals(action neq deny)
inContains / IP match(addr.src in '10.1.1.0/24')
notinDoes not contain(addr.dst notin '192.168.1.0/24')
geqGreater than or equal(time_generated geq '2024/01/26 09:00:00')
leqLess than or equal(time_generated leq '2024/01/26 10:00:00')

Logical Operators

OperatorDescription
andBoth conditions must be true
orEither condition must be true
( )Grouping for complex logic

Common Field Names

Address Fields

FieldDescription
addr.srcSource IP address
addr.dstDestination IP address
zone.srcSource zone
zone.dstDestination zone
port.srcSource port
port.dstDestination port

Traffic Fields

FieldDescription
appApplication name
ruleSecurity rule name
actionallow, deny, drop, reset
session_end_reasonSession end reason
protocolProtocol (tcp, udp, icmp)

User / Device Fields

FieldDescription
user.srcSource username
device_nameFirewall hostname
vsysVirtual system

Threat Fields (Threat Logs)

FieldDescription
threat_idThreat ID number
severitycritical, high, medium, low, informational
threat_categoryCategory of threat
urlURL (for URL filtering logs)

Time Fields

FieldDescription
time_generatedWhen log was generated
receive_timeWhen log was received

Filter Examples

By Source IP and Time Range

(addr.src in '10.180.25.251') and (time_generated geq '2024/01/26 09:45:00') and (time_generated leq '2024/01/26 09:51:00')

By Destination IP and Time Range

(addr.dst in '10.178.251.242') and (time_generated geq '2024/01/25 07:59:00') and (time_generated leq '2024/01/25 08:01:00')

Multiple Conditions with OR

(addr.src in '10.178.251.242')
and (time_generated geq '2024/01/18 09:53:00')
and (time_generated leq '2024/01/18 09:58:00')
and (( addr.dst in '34.71.212.212' ) or ( addr.dst in '144.161.106.173' ))

Traffic To/From Multiple Subnets

(( addr.src in '172.16.13.0/24' ) or ( addr.src in '172.16.23.0/24' ) or ( addr.src in '172.16.33.0/24' ) or ( addr.dst in '172.16.13.0/24' ) or ( addr.dst in '172.16.23.0/24' ) or ( addr.dst in '172.16.33.0/24' ))

By Application

(app eq web-browsing) and (action eq allow)

By Rule Name

(rule eq 'Allow-Internet-Access') and (time_generated geq '2024/01/26 00:00:00')

By Zone

(zone.src eq trust) and (zone.dst eq untrust)

Denied Traffic

(action eq deny) and (addr.src in '10.0.0.0/8')

High Severity Threats

(severity eq critical) or (severity eq high)

URL Filtering - Specific Category

(threat_category eq malware)

Exclude Internal Traffic

(addr.dst notin '10.0.0.0/8') and (addr.dst notin '172.16.0.0/12') and (addr.dst notin '192.168.0.0/16')

Tips

  • Time format: 'YYYY/MM/DD HH:MM:SS' (24-hour format, in firewall’s timezone)
  • IP addresses: Can be single IP or CIDR notation in quotes
  • Spaces: Values with spaces must be quoted
  • Case sensitive: Field names are lowercase; values may be case-sensitive
  • Wildcards: Use * for wildcards in some string fields
  • Performance: Add time constraints to improve query performance