Palo Alto Panorama Traffic
Collect traffic logs from your Palo Alto Panorama. Panorama forwards logs to an Amazon S3 bucket and RunReveal ingests them from object storage. This source is not an API-polling integration, so there is no Palo Alto API endpoint or GovCloud API URL to configure — government and regulated deployments are handled at the storage and AWS account layer instead.
Prerequisites
Before connecting Palo Alto Panorama Traffic to RunReveal, you need:
- A Palo Alto Panorama deployment configured to forward traffic logs to an Amazon S3 bucket.
- An AWS account with an S3 bucket to receive the logs, and permission to configure bucket event notifications.
Access
This source does not use Palo Alto API credentials. RunReveal reads logs from your S3 bucket using the object-storage ingest you configure:
- Configure Panorama log forwarding to write traffic logs into your S3 bucket.
- Grant RunReveal access to the bucket via the AWS S3 Bucket or AWS S3 Bucket with Custom SQS ingest method.
Infrastructure
RunReveal offers the following ways to ingest Palo Alto Panorama Traffic logs:
If using an AWS S3 bucket use the following SNS topic ARN to send your bucket notifications.
Replace <REGION> with the AWS region where your S3 bucket is located (e.g., us-east-1, us-west-2, eu-west-1).
SNS topic & Custom SQS. Use the ARN above in your event notification tied to your S3 bucket—the topic name must match (runreveal_…; hyphens in the source id become underscores). For Custom SQS, set the queue URL and region in RunReveal; see AWS S3 Bucket with Custom SQS.
Note: BYOC, On-Prem, and BYODB customers must use their AWS account ID in the ARN instead of 253602268883. AWS GovCloud buckets (regions us-gov-west-1 and us-gov-east-1) use the aws-us-gov ARN partition — for example arn:aws-us-gov:sns:us-gov-west-1:<ACCOUNT_ID>:runreveal_palo_panorama_traffic.
Setup
- In Panorama, configure a log forwarding profile that writes traffic logs to your Amazon S3 bucket.
- In AWS, add an event notification on the bucket using the SNS topic ARN from Infrastructure (matching your bucket's region).
- In RunReveal, add the Palo Alto Panorama Traffic source and choose your ingest method — AWS S3 Bucket or AWS S3 Bucket with Custom SQS.
- Save the source. Logs begin flowing once Panorama delivers objects to the bucket and notifications reach RunReveal.
Schema
The following columns are exposed for this source. RunReveal applies schema normalization across all sources, ensuring uniform field names and data types for cross-source queries and reusable detection logic.
Table: panorama_traffic_logs (78 columns)
panorama_traffic_logs (78 columns)| Column | Type |
|---|---|
workspaceID | String |
sourceID | String |
sourceType | LowCardinality(String) |
sourceTTL | UInt32 |
receivedAt | DateTime |
id | String |
eventTime | DateTime |
eventName | String |
eventID | String |
srcIP | String |
srcASCountryCode | String |
srcASNumber | UInt32 |
srcASOrganization | String |
srcCity | String |
srcConnectionType | String |
srcISP | String |
srcLatitude | Float64 |
srcLongitude | Float64 |
srcUserType | String |
dstIP | String |
dstASCountryCode | String |
dstASNumber | UInt32 |
dstASOrganization | String |
dstCity | String |
dstConnectionType | String |
dstISP | String |
dstLatitude | Float64 |
dstLongitude | Float64 |
dstUserType | String |
actor | Map(String, String) |
tags | Map(String, String) |
resources | Array(String) |
serviceName | String |
readOnly | Bool |
rawLog | String |
ReceiveTime | DateTime |
SerialNumber | String |
LogType | String |
Subtype | String |
| Column | Type |
|---|---|
TimeGenerated | DateTime |
SrcAddr | String |
DstAddr | String |
NatSrcAddr | String |
NatDstAddr | String |
RuleName | String |
SrcUser | String |
DstUser | String |
App | String |
Vsys | String |
From | String |
To | String |
InboundIf | String |
OutboundIf | String |
LogSet | String |
SessionID | UInt32 |
RepeatCnt | UInt32 |
SrcPort | UInt32 |
DstPort | UInt32 |
NatSrcPort | UInt32 |
NatDstPort | UInt32 |
Flags | String |
Proto | String |
Action | String |
Bytes | UInt32 |
BytesSent | UInt32 |
BytesReceived | UInt32 |
Packets | UInt32 |
StartTime | DateTime |
ElapsedTime | UInt32 |
Category | String |
SeqNo | UInt32 |
ActionFlags | String |
SrcLoc | String |
DstLoc | String |
PktsSent | UInt32 |
PktsReceived | UInt32 |
SessionEndReason | String |
DeviceName | String |
Helpful Links
- AWS S3 Bucket ingest — Set up object-storage ingest with a RunReveal-managed SNS topic
- AWS S3 Bucket with Custom SQS — Use your own SQS queue for bucket notifications
- Bring Your Own Cloud (BYOC) — Deploy RunReveal in your own AWS account