Hi @TranceforLife

According to this new feature guide, since PAN-OS 6.1 the "policy-deny" reason is because the session matched a security policy with a deny or drop action.

https://www.paloaltonetworks.com/documentation/61/pan-os/newfeaturesguide/networking-features/session-end-reason-logging

In other words, the app-id or port being hit does not match an explicit policy; hence, it is most likely hitting the interzone-default policy.

By the way, the interzone-default policy (at the bottom of the rule base) is not logged by default; however, you can override this configuration.

Default Interzone Policy:

Default Interzone Read-only:

Default Interzone default action:

Override Default Interzone-Policy

Note: Click the Override button at the bottom of the screen

Change Default Interzone default action:

The reason I want to log the session at the start is because the action is "Deny" or "Drop", and I don't care about having the full session view in this case. In other words, as soon as the traffic is denied, a log is generated right away and not only at the end of the session. I hope it makes sense.

Now to your original question, my point is that the policy-deny reason you are seeing is because the app-id or port is not explicitly placed in an allow policy; hence, it will hit the default deny (Interzone) policy, which is not logged by default, as I stated before.

I hope this helps.