PCNSA Question #269: Real Exam Question with Answer & Explanation

The correct answer is B: Enable Log at Session End.. The best practice for logging traffic on a Palo Alto Networks firewall is to enable 'Log at Session End' to capture complete session details including byte counts and application information.

Submitted by tarun92· Apr 18, 2026Policy Evaluation and Management

Question

An administrator would like to follow the best-practice approach to log the traffic that traverses the firewall. What action should they take?

Options

AEnable both Log at Session Start and Log at Session End.
BEnable Log at Session End.
CEnable Log at Session Start.
DDisable all logging options.

Explanation

The best practice for logging traffic on a Palo Alto Networks firewall is to enable 'Log at Session End' to capture complete session details including byte counts and application information.

Common mistakes.

A. Enabling both 'Log at Session Start' and 'Log at Session End' generates two log entries per session, which can unnecessarily increase log volume and storage requirements.
C. Enabling 'Log at Session Start' only records the initiation of the session, missing crucial information like total bytes transferred, application details, and any threats detected during the session.
D. Disabling all logging options prevents any record of traffic traversing the firewall, which is contrary to security best practices and compliance requirements.

Concept tested. Security policy logging best practices

Reference. https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-policy/security-policy-actions/security-policy-logging

Topics

#Logging#Security Policy#Best Practices#Session Logging

Community Discussion

No community discussion yet for this question.

Full PCNSA Practice Browse All PCNSA Questions