Difference between Log Forwarding for a Zone and Security Policy Log Forwarding
Palo Alto Networks firewalls allow administrators to forward logs to external servers. Log forwarding configuration can be found in security rules and also when defining a zone.
Rule Based Log Forwarding
When log forwarding is enabled for a rule (or rules), the firewall forwards logs to the external server whenever traffic matches the rule. This feature is usually used for deny rules where an administrator wants to be notified when they are triggered. Enabling it for broad allow rules (outbound internet access) can generate a lot of log traffic and is not recommended unless absolutely necessary.
Zone Log Forwarding
Zone configuration also allows for log forwarding, but it works very differently from log forwarding on security rules. Enabling it forwards zone protection logs, not traffic logs. Zone protection is configured under Network > Network Profiles > Zone Protection. Zone Log Forwarding is configured under Network > Zones. When the firewall triggers denial of service, flood, reconnaissance or packet-based protection, it generates a zone protection log, which is forwarded to the server.
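The following audit sketch covers both sections above; it is an added example, not Palo Alto Networks code. It flags broad allow rules that forward traffic logs and zones that have zone protection but no log forwarding. The XML layout, the element names, the profile names and the function name `audit_log_forwarding` are assumptions modelled on an exported configuration and should be checked against a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption about how an exported
# configuration is laid out; profile, zone and rule names are hypothetical.
SAMPLE_CONFIG = """
<vsys>
  <zone>
    <entry name="untrust"><network>
      <zone-protection-profile>zp-internet</zone-protection-profile>
    </network></entry>
    <entry name="trust"><network>
      <zone-protection-profile>zp-internal</zone-protection-profile>
      <log-setting>syslog-fwd</log-setting>
    </network></entry>
  </zone>
  <rulebase><security><rules>
    <entry name="block-telnet">
      <destination><member>any</member></destination>
      <action>deny</action>
      <log-setting>syslog-fwd</log-setting>
    </entry>
    <entry name="outbound-internet">
      <destination><member>any</member></destination>
      <action>allow</action>
      <log-setting>syslog-fwd</log-setting>
    </entry>
  </rules></security></rulebase>
</vsys>
"""

def audit_log_forwarding(config_xml):
    """Return (noisy_allow_rules, zones_not_forwarding_protection_logs)."""
    root = ET.fromstring(config_xml)
    noisy_rules = []
    for rule in root.findall("./rulebase/security/rules/entry"):
        forwards = rule.findtext("log-setting") is not None
        dests = [m.text for m in rule.findall("destination/member")]
        # Rule-based forwarding sends traffic logs: a broad allow rule is noisy.
        if forwards and rule.findtext("action") == "allow" and "any" in dests:
            noisy_rules.append(rule.get("name"))
    silent_zones = []
    for zone in root.findall("./zone/entry"):
        has_protection = zone.findtext("network/zone-protection-profile")
        has_forwarding = zone.findtext("network/log-setting")
        # Zone forwarding sends zone protection logs; without it they stay local.
        if has_protection and not has_forwarding:
            silent_zones.append(zone.get("name"))
    return noisy_rules, silent_zones
```

On the constructed sample, the deny rule with forwarding is left alone, while the broad allow rule and the zone whose protection logs are never forwarded are reported.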