Logging Connections with Tunnel and Prefilter Rules

The prefilter policy applies to Firepower Threat Defense devices only.

Before you begin

  • Set the rule action to Block or Fastpath. Logging is not available for the Analyze action: an Analyze rule passes the connection on to access control, and the access control rule (or default action) that eventually handles the connection determines whether and how it is logged.

  • For encapsulated traffic, logging is performed on the inner flows, not on the encapsulating (outer) flow.

Procedure


Step 1

In the prefilter policy editor, click Edit (edit icon) next to the rule where you want to configure logging.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 2

Click Logging.

Step 3

Specify whether you want to Log at Beginning of Connection or Log at End of Connection.

To optimize performance, log either the beginning or the end of any connection, but not both. Because blocked traffic is immediately denied without further inspection, you cannot log end-of-connection events for Block rules. For Fastpath rules, end-of-connection events are the ones that carry the connection's statistics (such as byte counts), so prefer them unless you need the event as early as possible.

Step 4

Specify where to send connection events:

  • Event Viewer

  • Syslog Server

    • Override Severity

    • Override Default Syslog Destination

  • SNMP Trap

Send events to the event viewer if you want to perform Cisco Defense Orchestrator-based analysis on these connection events. Select Syslog Server or SNMP Trap to forward the events to an external collector or SIEM; the Override Severity and Override Default Syslog Destination options let this rule's events use a severity or syslog destination different from the policy-wide defaults.

Step 5

Click Save to save the rule.

Step 6

Click Save to save the policy.
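Once the policy is deployed and events reach a syslog server, you can verify from the collector side that the logging you configured above behaves as intended: each tunnel or prefilter rule logs at either the beginning or the end of connections, not both, and no end-of-connection events arrive from Block rules. The following script is an added example, not Cisco's code. It assumes the FTD syslog message IDs 430002 (connection start) and 430003 (connection end), the "Key: Value, Key: Value" body layout of those messages, and the field names AccessControlRuleAction, Prefilter Policy and Tunnel or Prefilter Rule; check these against your own device output and adjust the parser if they differ. The sample lines are constructed for the example, not captured from a device.

```python
"""Audit tunnel/prefilter rule logging from FTD connection-event syslog.

Added example, not Cisco's code. Assumptions: message IDs 430002
(connection start) and 430003 (connection end), a "Key: Value, Key: Value"
body, and the field names AccessControlRuleAction, Prefilter Policy and
Tunnel or Prefilter Rule. Verify against real device output.
"""
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real device).
SAMPLE_SYSLOG = """\
<174>%FTD-6-430002: EventPriority: Low, DeviceUUID: 1111-2222, InstanceID: 1, ConnectionID: 1001, AccessControlRuleAction: Fastpath, SrcIP: 10.1.1.5, DstIP: 192.0.2.10, SrcPort: 51000, DstPort: 443, Protocol: tcp, Prefilter Policy: Branch-Prefilter, Tunnel or Prefilter Rule: Fastpath-Backup
<174>%FTD-6-430003: EventPriority: Low, DeviceUUID: 1111-2222, InstanceID: 1, ConnectionID: 1001, AccessControlRuleAction: Fastpath, SrcIP: 10.1.1.5, DstIP: 192.0.2.10, SrcPort: 51000, DstPort: 443, Protocol: tcp, Prefilter Policy: Branch-Prefilter, Tunnel or Prefilter Rule: Fastpath-Backup, InitiatorBytes: 4096, ResponderBytes: 81920
<174>%FTD-6-430002: EventPriority: Low, DeviceUUID: 1111-2222, InstanceID: 1, ConnectionID: 1002, AccessControlRuleAction: Block, SrcIP: 198.51.100.7, DstIP: 10.1.1.20, SrcPort: 4444, DstPort: 23, Protocol: tcp, Prefilter Policy: Branch-Prefilter, Tunnel or Prefilter Rule: Block-Telnet
<174>%FTD-6-430003: EventPriority: Low, DeviceUUID: 1111-2222, InstanceID: 1, ConnectionID: 1003, AccessControlRuleAction: Fastpath, SrcIP: 10.1.1.8, DstIP: 192.0.2.11, SrcPort: 52000, DstPort: 4500, Protocol: udp, Prefilter Policy: Branch-Prefilter, Tunnel or Prefilter Rule: Fastpath-VPN, InitiatorBytes: 1024, ResponderBytes: 2048
"""

# Optional <PRI> prefix, then %FTD-<severity>-<message id>: <body>
MSG_RE = re.compile(r"^(?:<\d+>)?%FTD-\d-(\d{6}): (.*)$")
CONN_START, CONN_END = "430002", "430003"  # assumed message IDs


def parse_event(line):
    """Return {'msg_id': ..., <field>: <value>, ...} or None if not an FTD event."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msg_id, body = m.groups()
    fields = {}
    for item in body.split(", "):
        key, sep, value = item.partition(": ")
        if sep:  # keys may contain spaces ("Tunnel or Prefilter Rule") but never ": "
            fields[key] = value
    return {"msg_id": msg_id, **fields}


def audit_prefilter_logging(syslog_text):
    """Count start/end events per tunnel or prefilter rule and flag policy deviations.

    Returns (per_rule_stats, findings). Connections without a
    "Tunnel or Prefilter Rule" field were handled by access control and are skipped.
    """
    per_rule = defaultdict(lambda: {"policy": None, "action": None, "start": 0, "end": 0})
    for line in syslog_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev["msg_id"] not in (CONN_START, CONN_END):
            continue
        rule = ev.get("Tunnel or Prefilter Rule")
        if not rule:
            continue
        stats = per_rule[rule]
        stats["policy"] = ev.get("Prefilter Policy")
        stats["action"] = ev.get("AccessControlRuleAction")
        stats["start" if ev["msg_id"] == CONN_START else "end"] += 1

    findings = []
    for rule, s in sorted(per_rule.items()):
        # Page guidance: log beginning or end, not both, to limit event volume.
        if s["start"] and s["end"]:
            findings.append(f"{rule}: logs both beginning and end of connection; pick one")
        # Block rules cannot log end-of-connection events; seeing one means the
        # rule action or logging configuration is not what you think it is.
        if s["action"] == "Block" and s["end"]:
            findings.append(f"{rule}: end-of-connection events from a Block rule")
    return dict(per_rule), findings


if __name__ == "__main__":
    stats, findings = audit_prefilter_logging(SAMPLE_SYSLOG)
    for rule, s in sorted(stats.items()):
        print(f"{s['policy']}/{rule} ({s['action']}): start={s['start']} end={s['end']}")
    for f in findings:
        print("FINDING:", f)
```

Run it against a file of real syslog output instead of SAMPLE_SYSLOG to get a per-rule picture; on the constructed input it reports that Fastpath-Backup is logging at both ends, while Block-Telnet (beginning only) and Fastpath-VPN (end only) are clean.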


What to do next