<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: log at session end? in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/log-at-session-end/m-p/435657#M96089</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284"&gt;@SThatipelly&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So the thing to keep in mind is that (in a normal configuration) the firewall will be analyzing the session looking for things like vulnerabilities or malicious files already. If it identifies anything, it'll generate the log for the identification and likely close the session at the same time depending on how you have things configured.&lt;/P&gt;&lt;P&gt;In the event that you simply want to know that you have a long-running session being used to transfer files, logging at session start really wouldn't give you any additional information there through traffic logs. It's just going to log the start and end of the session. You really need to be monitoring the current sessions traffic to really gain actionable information in that regard, which would generally be done via netflow monitoring or using SNMP/API to monitor the session table.&lt;/P&gt;</description>
    <pubDate>Wed, 22 Sep 2021 03:41:09 GMT</pubDate>
    <dc:creator>BPry</dc:creator>
    <dc:date>2021-09-22T03:41:09Z</dc:date>
    <item>
      <title>log at session end?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/log-at-session-end/m-p/435574#M96084</link>
      <description>&lt;P&gt;I have around 500 policies having 'log at session end' enabled and 'log at session start' disabled. I know Palo recommends logging at session end only, but I also have a concern that, e.g., a malicious file export that lasts for 8 hours and 10 gigs goes unnoticed if the session wasn't logged at the start. I am in a dilemma whether to enable the logging at start or not. Please shed some light on this.&lt;/P&gt;&lt;P&gt;Thanks.&lt;/P&gt;</description>
      <pubDate>Tue, 21 Sep 2021 18:56:46 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/log-at-session-end/m-p/435574#M96084</guid>
      <dc:creator>SThatipelly</dc:creator>
      <dc:date>2021-09-21T18:56:46Z</dc:date>
    </item>
    <item>
      <title>Re: log at session end?</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/log-at-session-end/m-p/435657#M96089</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70284"&gt;@SThatipelly&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;So the thing to keep in mind is that (in a normal configuration) the firewall will be analyzing the session looking for things like vulnerabilities or malicious files already. If it identifies anything, it'll generate the log for the identification and likely close the session at the same time depending on how you have things configured.&lt;/P&gt;&lt;P&gt;In the event that you simply want to know that you have a long-running session being used to transfer files, logging at session start really wouldn't give you any additional information there through traffic logs. It's just going to log the start and end of the session. You really need to be monitoring the current sessions traffic to really gain actionable information in that regard, which would generally be done via netflow monitoring or using SNMP/API to monitor the session table.&lt;/P&gt;</description>
      <pubDate>Wed, 22 Sep 2021 03:41:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/log-at-session-end/m-p/435657#M96089</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-09-22T03:41:09Z</dc:date>
    </item>
  </channel>
</rss>

