PaloAlto SDWAN ION

Download PDF

Rules, dashboards, and triggers for Palo Alto Prisma SD-WAN ION device events

Overview

Palo Alto Prisma SD-WAN ION devices are edge appliances that provide software-defined wide area networking capabilities. ION devices generate syslog messages for authentication events, privilege escalation, VPN link alerts, system/hardware status, and network flow logs.

The Prisma SD-WAN ION app parses these logs, extracts metadata into user tags, and applies MITRE ATT&CK mappings for security-relevant events.

App Function

  • Detects and auto-classifies all ION log types: Event/Auth, Alert, and Flow logs.
  • Parses key/value pairs from event and alert logs into user tags for fast filtering.
  • Parses CSV-formatted flow logs for network traffic visibility.
  • Extracts high-value security fields: User, SrcIP, DstIP, Action for SOC analysis.
  • Applies MITRE ATT&CK technique mappings (T1548, T1110, T1078, T1071).
  • Automatically converts numeric ports to friendly service names (e.g., 53domain).
  • Ships with an overview dashboard plus triggers for VPN failures, hardware issues, and authentication failures.

Vendor Documentation

LogZilla Configuration

The Prisma SD-WAN ION app requires a dedicated syslog port for ION events.

  1. Navigate to Settings > System > Application Ports
  2. Set Prisma SD-WAN ION syslog port to a dedicated port (e.g., 5519)
  3. Click Save

The syslog and parser services reload automatically. Both TCP and UDP listeners are enabled on the configured port.

LogZilla Cloud: the Application Ports page is not available on the cloud platform, where devices reach LogZilla through a relay rather than a direct syslog listener. To enable parsing there, tag Prisma SD-WAN ION events at the relay with _source_type=paloalto_sdwan_ion. See Application Ports on LogZilla Cloud.

Device Configuration

ION devices send syslog in RFC 5424 format only. Configure syslog export via the Prisma SD-WAN web interface.

Configure Syslog Profile

  1. Log into the Prisma SD-WAN Controller (Strata Cloud Manager)
  2. Navigate to Configuration > Prisma SD-WAN > Profiles and Templates > Syslog
  3. Click Create Syslog Profile
  4. Configure the following settings:
    • Name: Enter a profile name (e.g., LogZilla-Export)
    • Enable Flow Logging: Enable to capture network traffic flows
    • Severity Level: Select Minor to capture all events
    • Protocol: Select UDP, TCP, or TLS
    • Server IP: Enter the LogZilla server IP address
    • Server Port: 5519 (dedicated ION port configured above)
  5. Click Save
  6. Assign the Syslog Profile to ION devices via device configuration

For detailed instructions, see the Prisma SD-WAN Syslog Profile Configuration documentation.

TLS Configuration Notes

  • Self-signed certificates are not supported for TLS connections
  • Server FQDN must match the Subject Alternate Name (SAN) in the certificate
  • Only TLS 1.2 is supported

Log Source Details

ItemValue
VendorPalo Alto Networks
Device TypeSD-WAN Edge Appliance
Collection MethodSyslog (TCP/UDP/TLS)
Configurable Log Output?Yes
Log Source TypeKey-Value pairs and CSV

Incoming Log Formats

ION devices send three message types in RFC 5424 format:

Event/Auth Logs

Space-separated key/value pairs with double-quoted values:

text
ION_HOST="hostname" DEVICE_TIME="timestamp" MSG="message content"
SEVERITY="minor|major|critical" PROCESS_NAME="sudo|sshd|charon"
FACILITY="authpriv|auth|daemon" [USER="username"] ELEMENT_ID="id"

Alert Logs

Alert events with CODE field indicating the alert type:

text
ION_HOST="hostname" DEVICE_TIME="timestamp" STATUS="cleared|Not clear"
CODE="NETWORK_VPNLINK_DOWN" Severity="major" [REASON="reason_code"]
[VPN_LINK_ID="id"] ELEMENT_ID="id"

Flow Logs (CSV)

CSV format with program cgxFlowLogV1:

text
timestamp,srcip,srcport,dstip,dstport,protocol,,,bytes_in,bytes_out,
packets_in,packets_out,,wan_interface,flow_id,app,flow_type,rule:action:code

Legacy Format

Older ION devices (pre-Palo Alto acquisition) use CLOUDGENIX_HOST instead of ION_HOST. Both formats are supported.

Parsed Metadata Fields

The following user tags are extracted from ION log messages.

Common Fields (All Log Types)

Tag NameExampleDescription
VendorPalo AltoVendor name
ProductPrisma SD-WAN IONProduct name
ION HostUS-DA7-SDW-102ION device hostname
Event ClassAuthEvent classification
Event TypeSessionEvent type
ActiondenyAction taken

Event/Auth Log Fields

Tag NameExampleDescription
ION ProcesssudoProcess name
UseradminUsername
SrcIP192.168.1.100Source IP address
Auth SuccesstrueWhether authentication succeeded

Alert Log Fields

Tag NameExampleDescription
ION Alert CodeNETWORK_VPNLINK_DOWNAlert code
ION Alert StatusclearedAlert status
ION Alert ReasonNETWORK_VPNBFD_DOWNAlert reason

Flow Log Fields

Tag NameExampleDescription
SrcIP10.2.53.102Source IP address
DstIP10.2.13.100Destination IP address
DstPorthttpDestination port (service name)
ProtocoltcpNetwork protocol
ION WAN InterfaceLondonPriWI1WAN interface
Applicationenterprise-httpApplication name
ION Flow TypeNew FlowFlow event type
ION RuleAllow-AllPolicy rule name

MITRE ATT&CK Tags

Tag NameExampleDescription
MitreIdT1110MITRE ATT&CK technique ID
MITRE TacticCredential AccessMITRE ATT&CK tactic

MITRE mappings applied:

  • T1548 (Privilege Escalation) - sudo commands
  • T1110 (Brute Force) - SSH authentication failures
  • T1078 (Valid Accounts) - SSH authentication success
  • T1071 (Application Layer Protocol) - denied flow traffic

Alert Codes

ION devices generate alerts with the following CODE prefixes:

PrefixCategoryExamples
NETWORK_VPN*VPN/TunnelVPNLINK_DOWN, VPNBFD_DOWN, VPNPEER_UNAVAILABLE
NETWORK_DIRECT*ConnectivityDIRECTINTERNET_DOWN, DIRECTPRIVATE_DOWN
DEVICEHW_*HardwareINTERFACE_DOWN, POWER_FAILURE, DISK_FAILURE
DEVICESW_*SoftwarePROCESSRESTART, CPU_HIGH, DATABASE_CORRUPT
SPOKEHA_*HAFAILOVER

Log Examples

Sudo Command

text
ION_HOST="US-DA7-SDW-102" DEVICE_TIME="2025-11-19T17:47:39.610Z"
MSG="pam-all:root : PWD=/ ; USER=root ; COMMAND=/usr/bin/fp-cpu-usage --json"
SEVERITY="minor" PROCESS_NAME="sudo" FACILITY="authpriv"
ELEMENT_ID="1706032838379022596"

SSH Authentication Failure

text
ION_HOST="NZ-AUK-4342-01" DEVICE_TIME="2025-11-19T17:47:39.135Z"
MSG="pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0
tty=ssh ruser= rhost=192.168.1.100 user=admin"
SEVERITY="minor" PROCESS_NAME="sshd" FACILITY="authpriv"
ELEMENT_ID="17249535962630020"

VPN Link Down Alert

text
ION_HOST="US-CH3-SDW-203" DEVICE_TIME="2025-11-19T17:47:44.121Z"
STATUS="Not clear" CODE="NETWORK_VPNLINK_DOWN" Severity="major"
VPN_LINK_ID="1742910199997015396" AL_ID="1742909979692020596"
REASON="NETWORK_VPNBFD_DOWN" IDENTIFIER="1742910199995015196"
ELEMENT_ID="1697819626867008996"

VPN Link Restored

text
ION_HOST="US-DA7-SDW-202" DEVICE_TIME="2025-11-19T17:47:50.390Z"
STATUS="cleared" CODE="NETWORK_VPNLINK_DOWN" Severity="major"
VPN_LINK_ID="1742910199080011596" AL_ID="1742909979973021796"
REASON="NETWORK_VPNBFD_DOWN" IDENTIFIER="1742910199053011396"
ELEMENT_ID="1706032829676008596"

Flow Log (Allowed)

text
2020-01-28T23:46:17,10.2.53.102,52520,10.2.13.100,80,tcp,,,0,0,0,0,,
LondonPriWI1,15796434157670062,enterprise-http,New Flow,Allow-All:allow:1

Flow Log (Denied)

text
2020-01-28T23:50:00,192.168.1.50,44123,8.8.8.8,53,udp,,,0,0,0,0,,WAN1,
15796434157670099,dns,New Flow,Block-DNS:deny:2

Triggers

TriggerDescription
Palo Alto ION: MITRE ATT&CK Threat DetectedCatch-all for MITRE-mapped events
Palo Alto ION: SSH Authentication FailureSSH auth failure (actionable)
Palo Alto ION: Privilege EscalationSudo command execution
Palo Alto ION: VPN Alert ActiveVPN link failure (actionable, notify)
Palo Alto ION: VPN Alert ClearedVPN link recovered
Palo Alto ION: Network AlertDirect internet/private WAN down
Palo Alto ION: Hardware AlertHardware failure (actionable, notify)
Palo Alto ION: Software AlertSoftware issue (actionable)
Palo Alto ION: HA FailoverHA failover event (actionable, notify)
Palo Alto ION: IKE/IPsec EventIKE tunnel events
Palo Alto ION: Flow DeniedBlocked network traffic
PaloAlto SDWAN ION | LogZilla Documentation