@LRCAIT  The default "intrazone-default" and "interzone-default" Security policies do not log by default, and the interzone policy denies traffic. So if you have allow rules for an Application(s) with "application-default" Service and you do not have your own deny-everything-else Security policy, then the traffic falls through to the "interzone-default" rule and is blocked without logging. Additionally, if you do have a deny-everything rule, but the Service in the rule is set to "application-default" (with an "any" Application), then your deny rule also won't match, as the traffic may have been identified as an application that is on a non-standard port.

You can update these two built-in Palo Alto rules to log by selecting them from the policy list and clicking "Override" at the bottom. Then edit them to log traffic to your Log Forwarding profile.

https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-...
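The fall-through described in the answer above, as an added example that is not part of the original post or of any Palo Alto code: a simplified model of top-down Security policy evaluation in which "application-default" Service is treated as "the identified app on its standard port(s)". The app-to-port table and the sample policy are constructed for illustration; real PAN-OS matching has more inputs (zones, addresses, users, app dependencies) than this model.

```python
# Simplified model of PAN-OS Security policy evaluation (added example, not
# vendor code): rules are checked top-down, the first match wins, and the two
# built-in default rules sit at the bottom of the rulebase.
from dataclasses import dataclass, field
from typing import Optional

# Constructed subset of standard ports; real App-ID has many more entries.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}

@dataclass
class Rule:
    name: str
    action: str                              # "allow" or "deny"
    apps: set = field(default_factory=lambda: {"any"})
    service: str = "application-default"     # or "any"
    log: bool = False                        # log at session end?
    interzone: Optional[bool] = None         # None = matches intra- and interzone

    def matches(self, app: str, port: int, interzone: bool) -> bool:
        if self.interzone is not None and self.interzone != interzone:
            return False
        if "any" not in self.apps and app not in self.apps:
            return False
        if self.service == "application-default":
            # Matches only when the identified app sits on its standard port;
            # an "any"-application rule keeps this constraint too.
            return port in APP_DEFAULT_PORTS.get(app, set())
        return True

# Built-in defaults: neither logs; interzone-default denies.
INTRAZONE_DEFAULT = Rule("intrazone-default", "allow", service="any", interzone=False)
INTERZONE_DEFAULT = Rule("interzone-default", "deny", service="any", interzone=True)

def evaluate(rules, app, port, interzone=True):
    """Return (rule name, action, logged) for the first matching rule."""
    for rule in rules + [INTRAZONE_DEFAULT, INTERZONE_DEFAULT]:
        if rule.matches(app, port, interzone):
            return rule.name, rule.action, rule.log
    raise AssertionError("a default rule always matches")

# Policy like the one discussed: allow web apps on default ports, then a
# deny-all that still uses application-default Service.
POLICY = [
    Rule("allow-web", "allow", apps={"web-browsing", "ssl"}, log=True),
    Rule("deny-rest", "deny", apps={"any"}, service="application-default", log=True),
]
# Corrected deny-all: Service "any", so non-standard-port traffic is caught and logged.
FIXED = POLICY[:1] + [Rule("deny-rest", "deny", service="any", log=True)]

if __name__ == "__main__":
    print(evaluate(POLICY, "ssh", 2222))    # interzone-default: denied, not logged
    print(evaluate(FIXED, "ssh", 2222))     # deny-rest: denied and logged
```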
