Palo Alto firewall filter generator

Form-driven PAN-OS filter generator. Build log filter expressions for Monitor → Logs (Traffic / Threat / URL / WildFire / System), CLI session lookups (show session all filter …), and packet-capture command sequences (debug dataplane packet-diag …). Browser-only. Tested against PAN-OS 10.x and 11.x syntax.

⚠ Disclaimer This tool is provided as-is, for educational and planning purposes only. Generated filters and debug commands should only be used on firewalls you are authorised to operate. debug dataplane packet-diag can impact dataplane performance — never enable in production without change control and a clear off-procedure. The Tech Space makes no warranty and accepts no liability. Full disclaimer →

Filter preset

Traffic log filter

Build a Monitor → Logs → Traffic filter expression.

Category: Log filter Output: Filter expression

Inputs

Generated output Updated just now

PAN-OS filter

Notes & tips

PAN-OS filter reference

Operators (log filter)

eq — equal
neq — not equal
lt / leq — less than / ≤ (numeric)
gt / geq — greater than / ≥
in / notin — in subnet (IP fields) or in list
contains / notcontains — substring match
and, or — boolean combinators (parens around each clause)

Common Traffic fields

addr.src / addr.dst IPs, accept CIDR with in
port.src / port.dst numeric, 1–65535
zone.src / zone.dst zone names
app App-ID (e.g. web-browsing)
proto e.g. tcp, udp, icmp
action see actions list
rule security policy name (quote if has spaces)
user.src User-ID identified user
bytes / packets numeric, useful for geq
srcloc / dstloc country codes (ISO 3166-1)

Threat / URL fields

severity informational / low / medium / high / critical
subtype vulnerability, virus, spyware, url, file, data, wildfire-virus, wildfire-spyware
category URL category (e.g. social-networking) or threat category
direction client-to-server / server-to-client
threat threat name (signature)
threatid numeric threat ID
misc URL hit (URL filtering logs)

Action values

allow — permitted by policy
deny — denied by policy (no reset)
drop — silently dropped (no reset)
reset-client / reset-server / reset-both — TCP RST sent
drop-icmp / drop-icmp-all
block-url — URL filtering block
block-continue / block-override — URL response page actions

CLI session filter (show session)

source <ip> / destination <ip>
source-port <n> / destination-port <n>
protocol <n> 6=TCP, 17=UDP, 1=ICMP
application <app>
state <active|closing|discard|init>
type <flow|predict|predict-discard>
from <zone> / to <zone>
rule <name> / nat-rule <name>
count yes return matching session count instead of detail

Packet capture stages

receive ingress (before security checks)
transmit egress (after security checks)
firewall forwarded between zones
drop dropped by firewall

PCAP files saved to /var/log/pan/pcap/. View with view-pcap follow no filter-pcap <file> or export via Web UI: Monitor → Packet Capture.

Important — PCAP impact debug dataplane packet-diag incurs dataplane overhead. Always set a tight filter before enabling capture, never capture in production without change control, and always run the off-procedure (set capture off → set filter off → clear all) when done. Forgetting to disable can degrade throughput indefinitely.