Palo Alto Networks Knowledgebase: Session Log Best Practices
Created On 09/26/18 13:50 PM - Last Updated 02/07/19 23:47 PM
Session logging is a useful troubleshooting tool for debugging policy problems.
When creating or editing a security rule, you can choose to log the transaction in one of two ways: Log at Session Start or Log at Session End.
For regular logging, the best practice is to log at session end, because the application is likely to change over the lifespan of the session. Facebook, for example, will start as web-browsing and change to facebook-base after the firewall recognizes the application. Logging at Session Start would show only web-browsing, which might lack important information if policy rules include facebook-base as an application.
Logging at session start is usually used when troubleshooting applications that don't change over the course of the session, or applications that aren't recognized by the firewall.
It is not recommended to log both at session start and at session end, as this puts extra load on the management plane's CPU.
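To check an exported configuration against this guidance, the following added example (not Palo Alto Networks code) flags security rules that log at both session start and end, at session start only, or not at all. The sample XML is constructed, and the script assumes the rulebase layout shown, `log-start`/`log-end` elements with `yes`/`no` values, and defaults of `log-start=no` and `log-end=yes` when an element is absent.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS security rulebase export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="allow-social">
    <application><member>facebook-base</member></application>
    <log-start>yes</log-start><log-end>yes</log-end>
  </entry>
  <entry name="allow-web">
    <application><member>web-browsing</member></application>
    <log-start>yes</log-start><log-end>no</log-end>
  </entry>
  <entry name="allow-dns">
    <application><member>dns</member></application>
    <log-end>yes</log-end>
  </entry>
  <entry name="deny-all">
    <application><member>any</member></application>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>
"""

def audit_session_logging(config_xml):
    """Return {rule_name: finding} for rules that deviate from log-at-end only."""
    findings = {}
    root = ET.fromstring(config_xml)
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        # Assumed defaults when the element is absent: log-start=no, log-end=yes.
        start = (rule.findtext("log-start") or "no").strip() == "yes"
        end = (rule.findtext("log-end") or "yes").strip() == "yes"
        if start and end:
            findings[rule.get("name")] = "both: extra management-plane CPU load"
        elif start:
            findings[rule.get("name")] = "start-only: log shows the initial application only"
        elif not end:
            findings[rule.get("name")] = "none: session is not logged"
    return findings

if __name__ == "__main__":
    for name, finding in audit_session_logging(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

Rules reported as start-only may be intentional during troubleshooting, so treat that finding as a prompt to confirm the setting was reverted afterwards.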