https://live.paloaltonetworks.com/t5/general-topics/logging-for-deny-drop-policy/m-p/382821#M89885 <P>Not really much point in logging session end as the traffic will be denied anyhow depending on the actual policy so why wait for the FIN/FIN ACK.</P><P>&nbsp;</P><P>I tend not to log deny policies unless for debug and when i do need logging I only ever use "session start" as the log entry will be generated on the first packet and also do not forward to Panorama.</P><P>&nbsp;</P><P>I do however always log session end on my allow policies.</P><P>HTH.</P> Fri, 29 Jan 2021 08:18:34 GMT Mick_Ball 2021-01-29T08:18:34Z https://live.paloaltonetworks.com/t5/general-topics/logging-for-deny-drop-policy/m-p/382808#M89884 <P>Hi Team,</P><P>&nbsp;</P><P>what is the recommended/ best practice logging option for policies with action set as deny/drop? is it "log at session end" or "log at session start"?</P><P>&nbsp;&nbsp;</P> Fri, 29 Jan 2021 06:25:18 GMT https://live.paloaltonetworks.com/t5/general-topics/logging-for-deny-drop-policy/m-p/382808#M89884 Marsooq_A 2021-01-29T06:25:18Z https://live.paloaltonetworks.com/t5/general-topics/logging-for-deny-drop-policy/m-p/382821#M89885 <P>Not really much point in logging session end as the traffic will be denied anyhow depending on the actual policy so why wait for the FIN/FIN ACK.</P><P>&nbsp;</P><P>I tend not to log deny policies unless for debug and when i do need logging I only ever use "session start" as the log entry will be generated on the first packet and also do not forward to Panorama.</P><P>&nbsp;</P><P>I do however always log session end on my allow policies.</P><P>HTH.</P> Fri, 29 Jan 2021 08:18:34 GMT https://live.paloaltonetworks.com/t5/general-topics/logging-for-deny-drop-policy/m-p/382821#M89885 Mick_Ball 2021-01-29T08:18:34Z