Session Log Best Practices

Session Log Best Practices

117932
Created On 09/26/18 13:50 PM - Last Modified 10/31/23 21:36 PM


Symptom


Information on Session Log Setting.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • Session Log


Resolution


  1. Session logging is a useful troubleshooting tool for debugging policy problems.
  2. When creating or editing a security rule, an option to log the transaction is available with two options, Log at Session Start or Log at Session End.

2016-09-20_12-03-22.jpg

  1. For regular logging, the best practice is to log at session end.
  2. The reason for that is that applications are likely to change throughout the lifespan of the session.
  3. A separate session start log is created for each individual application detected during the lifespan of a session. For example, "facebook" it will show "SSL", then "facebook-base" and other facebook related applications depending on the user's activity on the website, and if SSL decryption is configured.
  4. Logging at "session start" is normally done for troubleshooting purpose as this puts extra load on the management plane's CPU.


Additional Information


Monitor logs displaying facebook in the start and end of sessions (including ssl, facebook-base) Monitor logs for facebook application

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clt5CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language