Session end reason as "Threat" in traffic logs, but no threat log generated for DNS traffic dropped by Anti-Spyware profile

• In the traffic logs the session end reason is "Threat".
• In the threat logs no related logs are seen.

• Palo Alto Firewalls
• Supported PAN-OS
• DNS policies - Anti-Spyware profile

A possible cause is, the workaround of CVE-2024-3393 (e.g. DNS Security Severity Logging to "None") is applied and the settings are not reverted back after applying the fix of the vulnerability.
In this case, customer will continue to see "Session End Reason - Threat" since the DNS Policies in the Anti-Spyware profile will continue to enforce action, but there won't be any threat logs for DNS security flagged domains.

1. Confirm if logging is enabled for Security profile - Anti-Spyware profile - DNS policies
2. The below capture shows a configuration where the logging is disabled for DNS policies. 
   
    

Follow the below steps to enable logging on each of the DNS security components to generate threat logs for the traffic being matched.

1. Click on the Log severity dropdown for each component
2. Select the default severity or any other severity desired for the threat log
3. Commit 
   
     

• What is "Session End Reason: threat"?
• Session end equals Threat but no threat logs.
• Prisma Access: - If DNS Security logging is disabled for CVE-2024-3393, will it be enabled back automatically after the upgrade?