
Palo Alto Networks (PANW)

AQtive Guard seamlessly integrates with Palo Alto Networks Next-Generation Firewalls (NGFW) by ingesting and analyzing TLS handshake data directly from NGFW traffic log files. By integrating these logs, AQtive Guard provides a centralized platform for analyzing potential cryptographic risks and anomalies within your network traffic.

Prerequisites

  • A Palo Alto NGFW running PAN-OS version 10.x, 11.x or 12.x.
  • A valid Comma-Separated Values (CSV) traffic log file exported from a Palo Alto NGFW.

Export a decryption log file

To export a decryption log file from a Palo Alto Networks NGFW:

  1. Select Monitor in the main navigation bar.
  2. Under Logs in the sidebar on the left, select Decryption.
  3. Add any filters to the filter field.
  4. Select Export to CSV, then Download file.

Tip

If your exported log file does not include all of the expected results, use a filter to set a smaller date range or reduce the Max Rows in CSV Export.

Required headers

The exported CSV must contain the following headers before it can be uploaded to AQtive Guard:

  • cert_serial
  • fingerprint
  • notbefore
  • notafter
  • Hash Algorithm
  • Subject Common Name
  • Issuer Subject Common Name
  • Root Subject Common Name
  • tls_version
  • Source address
  • Destination address
  • Source Port
  • Destination Port
  • IP Protocol
  • High Res Timestamp

Caution

The headers are case-sensitive and must match exactly for a successful upload.

Optional headers

The following headers are optional:

  • Client Session Resumption
  • Client TLS Cipher Suite
  • Client TLS Elliptic Curve
  • Client TLS Version
  • Server Certificate Signature Algorithm
  • Server PQC Selected Group
  • Server Session Resumption
  • Server TLS Cipher Suite

Caution

The headers are case-sensitive and must match exactly for a successful upload.
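
A pre-upload check for the header requirements above, added here as an example and not part of AQtive Guard or PAN-OS: it reports missing required headers, headers that differ only in case or surrounding spaces, and whether the row count has reached the export cap. The function name `check_export`, the report keys, and the sample data are assumptions made for illustration.

```python
import csv
import io

REQUIRED = [
    "cert_serial", "fingerprint", "notbefore", "notafter", "Hash Algorithm",
    "Subject Common Name", "Issuer Subject Common Name", "Root Subject Common Name",
    "tls_version", "Source address", "Destination address", "Source Port",
    "Destination Port", "IP Protocol", "High Res Timestamp",
]
OPTIONAL = [
    "Client Session Resumption", "Client TLS Cipher Suite", "Client TLS Elliptic Curve",
    "Client TLS Version", "Server Certificate Signature Algorithm",
    "Server PQC Selected Group", "Server Session Resumption", "Server TLS Cipher Suite",
]
DEFAULT_MAX_ROWS = 2000  # default Max Rows in CSV Export stated on this page


def check_export(stream, max_rows=DEFAULT_MAX_ROWS):
    """Check the header row of an exported decryption log CSV (a text stream)."""
    reader = csv.reader(stream)
    header = next(reader, [])
    # Trimmed, lower-cased form of each header mapped back to its spelling in the file.
    normalised = {h.strip().lower(): h for h in header}
    missing, near_miss = [], {}
    for name in REQUIRED + OPTIONAL:
        if name in header:
            continue  # exact, case-sensitive match
        found = normalised.get(name.lower())
        if found is not None:
            near_miss[name] = found  # same words, wrong case or stray spaces
        elif name in REQUIRED:
            missing.append(name)  # an absent optional header is not an error
    rows = sum(1 for _ in reader)
    return {
        "missing_required": missing,
        "near_miss": near_miss,
        "rows": rows,
        # A row count at the cap suggests the export was cut off.
        "possibly_truncated": rows >= max_rows,
        "ok": not missing and not near_miss,
    }


# Constructed sample: "Hash algorithm" has the wrong case, "Source Port" is absent.
_cols = [c for c in REQUIRED if c != "Source Port"]
_cols[_cols.index("Hash Algorithm")] = "Hash algorithm"
SAMPLE = ",".join(_cols) + "\n" + ",".join("x" for _ in _cols) + "\n"

if __name__ == "__main__":
    print(check_export(io.StringIO(SAMPLE)))
```

If Max Rows in CSV Export has been changed on the firewall, pass the configured value as `max_rows` so the truncation check compares against the right cap.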

Set the date range filter

Examples of date range filters for traffic logs are:

  • All traffic for a specific date (yyyy/mm/dd) and time (hh:mm:ss).
  • All traffic received on or before the date (yyyy/mm/dd) and time (hh:mm:ss).
  • All traffic received on or after the date (yyyy/mm/dd) and time (hh:mm:ss).
  • All traffic received between the date-time range of yyyy/mm/dd hh:mm:ss and yyyy/mm/dd hh:mm:ss.

For example, to export traffic logs using the date range 08/03/2025 to 08/04/2025, add (receive_time geq '2025/08/03 00:00:00') and (receive_time leq '2025/08/04 23:59:59') to the filter field and select Apply Filter.

Refer to Filter Logs in the official PANW NGFW documentation for additional details.

Reduce the number of rows to export

You can export the contents of a decryption log file to a CSV-formatted report. By default, the report contains up to 2,000 rows of log entries.

  1. Under Device and Setup, select Management.
  2. Select the Log Export and Reporting tab.
  3. Edit the number of Max Rows in CSV Export (up to 1,048,576 rows).
  4. Select OK to save your changes.

Download the log

  1. Select Export to CSV and wait for the progress bar to complete.
  2. Select Download file to save the log to your local folder.

Upload a Palo Alto Networks log file

To upload the log file in AQtive Guard, follow these steps:

  1. Navigate to Data Sources from the main menu, then select Palo Alto Networks.
  2. To upload the CSV file, either:
    • Click in the target area and select the file from your local system.
    • Drag and drop the file into the target upload area.
  3. The data will begin uploading automatically.