Information

Title	Session Log Best Practices

URL Name	Session-Log-Best-Practices-59397

Summary	Session Log Best Practices

Validation Status	Validated - External

Publication Status	Published

Symptom

Information on Session Log Setting.

Environment

Cause

Resolution

Session logging is a useful troubleshooting tool for debugging policy problems.
When creating or editing a security rule, an option to log the transaction is available with two options, Log at Session Start or Log at Session End.

For regular logging, the best practice is to log at session end.
The reason for that is that applications are likely to change throughout the lifespan of the session.
A separate session start log is created for each individual application detected during the lifespan of a session. For example, "facebook" it will show "SSL", then "facebook-base" and other facebook related applications depending on the user's activity on the website, and if SSL decryption is configured.
Logging at "session start" is normally done for troubleshooting purpose as this puts extra load on the management plane's CPU.

Additional Information

Monitor logs displaying facebook in the start and end of sessions (including ssl, facebook-base) Monitor logs for facebook application

Legacy ID	59397

Legacy Url	http://live.paloaltonetworks.com:80/t5/Management-Articles/Session-Log-Best-Practices/ta-p/59397

Auto Assistant Signature

Session Log Best Practices