<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Default deny logging question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/276182#M75343</link>
    <description>&lt;P&gt;Hi James,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From my point of view there is no downside. If your ruleset is appropriate, there is no reason not to let the intra-/inter-zone default rules log events. As mentioned by another user, you can have a deny/any/any rule before the default rules, but this is basically only useful if you have set up policies for everything. Imagine some customer/partner wants to set up a VPN with your outside interface. As they are based within the outside zone, as is your outside interface, this would normally hit the "intra-zone default rule", which cannot be hit when a deny/any/any statement is placed before it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The best practice is to set logging to "at session end", and you can safely enable the logging on those rules, as I primarily assume you do not want this rule to be hit, but when it does get hit you want to see it in the logs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Rene&lt;/P&gt;</description>
    <pubDate>Thu, 11 Jul 2019 15:29:05 GMT</pubDate>
    <dc:creator>Rboehme</dc:creator>
    <dc:date>2019-07-11T15:29:05Z</dc:date>
    <item>
      <title>Default deny logging question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275607#M75288</link>
      <description>&lt;P&gt;I notice that if a connection comes in and does not correctly hit any policy, I do not see the deny in the logs. I think this is because the default behavior of the intrazone-default rule is not to log anything. Is there a downside to setting this to log events so that we can see when a connection fails? Sometimes from a troubleshooting perspective this would be helpful, but I wonder if it's not enabled by default for a reason. I assume because it will generate a lot of logs, but I was wondering what everyone else thinks before I do this.&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jul 2019 19:03:07 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275607#M75288</guid>
      <dc:creator>dstjames</dc:creator>
      <dc:date>2019-07-09T19:03:07Z</dc:date>
    </item>
    <item>
      <title>Re: Default deny logging question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275628#M75289</link>
      <description>&lt;P&gt;Hello,&lt;/P&gt;&lt;P&gt;I always turn on logging so I can see traffic even if it's denied. I honestly never use the default inter/intra policies; I put a DENY ALL one as my last policy and only then allow the traffic I want.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The downside is the logs will fill up faster and the PAN won't keep as much. But it's worth that cost.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Cheers!&lt;/P&gt;</description>
      <pubDate>Tue, 09 Jul 2019 20:02:04 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275628#M75289</guid>
      <dc:creator>OtakarKlier</dc:creator>
      <dc:date>2019-07-09T20:02:04Z</dc:date>
    </item>
    <item>
      <title>Re: Default deny logging question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275763#M75295</link>
      <description>&lt;P&gt;I have used both the intrazone and block-all policy.&lt;/P&gt;&lt;P&gt;I now prefer to use the custom block-all policy and leave the intrazone stuff alone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;We use Panorama for our logs, so this policy is not set for forwarding. It just logs locally.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;You can of course just enable/disable it when needed for diagnostics.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 12:21:19 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275763#M75295</guid>
      <dc:creator>Mick_Ball</dc:creator>
      <dc:date>2019-07-10T12:21:19Z</dc:date>
    </item>
    <item>
      <title>Re: Default deny logging question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275923#M75319</link>
      <description>&lt;P&gt;I have a deny all and log as the last rule post rule in Panorama. It applies to all firewalls, so the default inter-zone and intra-zone rules never get hit. More logs is the double-edged sword. If I don't want to see something, I have been known to put in a rule to block traffic and not forward it to Panorama.&lt;/P&gt;</description>
      <pubDate>Wed, 10 Jul 2019 20:51:50 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/275923#M75319</guid>
      <dc:creator>khsieh</dc:creator>
      <dc:date>2019-07-10T20:51:50Z</dc:date>
    </item>
    <item>
      <title>Re: Default deny logging question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/276182#M75343</link>
      <description>&lt;P&gt;Hi James,&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;From my point of view there is no downside. If your ruleset is appropriate, there is no reason not to let the intra-/inter-zone default rules log events. As mentioned by another user, you can have a deny/any/any rule before the default rules, but this is basically only useful if you have set up policies for everything. Imagine some customer/partner wants to set up a VPN with your outside interface. As they are based within the outside zone, as is your outside interface, this would normally hit the "intra-zone default rule", which cannot be hit when a deny/any/any statement is placed before it.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;The best practice is to set logging to "at session end", and you can safely enable the logging on those rules, as I primarily assume you do not want this rule to be hit, but when it does get hit you want to see it in the logs.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Kind regards,&lt;/P&gt;&lt;P&gt;&lt;BR /&gt;Rene&lt;/P&gt;</description>
      <pubDate>Thu, 11 Jul 2019 15:29:05 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/default-deny-logging-question/m-p/276182#M75343</guid>
      <dc:creator>Rboehme</dc:creator>
      <dc:date>2019-07-11T15:29:05Z</dc:date>
    </item>
  </channel>
</rss>