03-16-2022 09:47 AM
What I read the best practice is to enable log at session end, is there any use case to enable log at session start?
03-16-2022 10:10 AM
If you want to log Deny or if you are troubleshooting a policy, enable "log at session start"
03-16-2022 03:55 PM
You don't need to log at start in a deny rule to get a log entry. But logging at start can be useful in debugging:
1) Sessions that are long running - You get an initial log when the connection starts, and then another entry hours later when the connection ends. You don't have to look at Session Browser to try and pick out a live connection (the filtering tools in Session Browser are far more limited than Traffic Log).
2) Session parameters change over time - The connection is initially allowed in one rule, but then later the AppID reclassifies the connection which matches a different rule (i.e. the start log shows it as allowed under a rule "source->dest web-browsing allow", but the end log shows it under a different rule "src->dest social-media-whatever block").
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!