Logging Connections with a Policy Default Action
A policy's default action determines how the system handles traffic that matches none of the rules in the policy (except Monitor rules in access control and decryption policies, which match and log—but do not handle or inspect—traffic).
Logging settings for the decryption policy's default action also govern how the system logs undecryptable sessions.
Before you begin
- For prefilter default action logging, set the default action to Block all tunnel traffic. Logging is disabled for the Allow all tunnel traffic action, which allows connections to continue with access control, where other configurations determine their handling and logging.
Procedure
Step 1: In the policy editor, click Default Logging and Inspection next to the Default Action drop-down list.
Step 2: Specify when you want to log matching connections:
To optimize performance, log either the beginning or the end of any connection, but not both. If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration. In an access control policy, the configuration may also be inherited from an ancestor policy.
Step 3: Specify where to send connection events. Send events to the event viewer if you want to perform management center-based analysis on these connection events.
Step 4: Click Apply.
Step 5: Click Save to save the policy.
What to do next
- Deploy configuration changes.