03-22-2018 07:21 AM
A drop is silent: you simply discard the packet and don't tell anyone about it. This is great for most situations, as you don't generate more traffic on your network and outsiders who may potentially be scanning you are none the wiser.
A deny sends a notification to the sender that something happened and their packet was rejected.
This could be helpful in providing a 'friendly' user experience as some applications will be able to pop up an error message telling the user their connection was rejected (instead of timing out, causing the user to have to wait and possibly keep trying), and tell applications to stop trying to connect.
My inbound rules are all drop while my outbound ones are deny (for rules that only trigger on App-ID, e.g. "block ftp", you can also pick from 'reset-client', 'reset-server' and 'reset-both' depending on which ones are 'internal' and deserve a notification).
I wrote a couple of things regarding this, FYI:
https://live.paloaltonetworks.com/t5/Tutorials/Configurable-Deny-Action/ta-p/76613
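The policy described in the post, written out as PAN-OS configure-mode CLI. This is an added example, not configuration from the post or its linked article; the zone names "trust"/"untrust", the rule names and the exact command syntax are assumptions, and the `#` comment lines are explanatory only (they are not accepted by the CLI).

```text
# Enter configuration mode on the firewall
configure

# Inbound from the Internet: silent drop, nothing is sent back to the sender
set rulebase security rules inbound-default-drop from untrust to trust source any destination any application any service any action drop
set rulebase security rules inbound-default-drop log-end yes

# Outbound from internal users: deny, so the client application is told
# immediately instead of waiting for a timeout. Rules permitting approved
# outbound traffic would sit above this one.
set rulebase security rules outbound-default-deny from trust to untrust source any destination any application any service any action deny
set rulebase security rules outbound-default-deny log-end yes

# App-ID rule blocking FTP from internal clients: reset only the internal
# (client) side, the external server sees nothing
set rulebase security rules block-ftp from trust to untrust source any destination any application ftp service application-default action reset-client
set rulebase security rules block-ftp log-end yes

# App-ID rules are evaluated top-down, so the FTP rule must precede the
# outbound deny rule for its reset-client action to ever apply
move rulebase security rules block-ftp before outbound-default-deny

commit
```

With `log-end yes` on every rule, the traffic log records which action was taken, which is the check to run when a user reports a connection that hangs (drop) rather than one that is refused (deny or reset).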