11-26-2020 07:02 AM
only logging at session end has a greater multiplier than 2, as 'session start' will log each step a session takes, which could be 3-4 steps as sessions go from app-id to app-id, especially with ssl decryption involved, so don't use 'log at session start' unless you're temporarily troubleshooting or _really_ need all the logs
all logging generated on the firewall is sent to the management plane log disk, only there additional log forwarding is performed by the varlogrcvr, so log forwarding, regardles of protocol, causes load on the MP, not on the DP
some logging will be optimized compared to other, panorama logging will have the best performance as there is queueing and some mechanisms in place to trickle logs when needed, on other protocols your mileage may vary depending on the overhead ( udp > tcp > http )
