Logging at session start enabled on Palo Alto Networks devices
Description
This policy flags `panos_security_rule` tasks that enable logging at the start of a session (`log_start: true`). Start-of-session logging can be useful for troubleshooting, or for monitoring specific long-lived sessions such as GRE tunnels where an end-of-session log would not appear for a long time, but it produces an extra log entry for every session the rule matches. That added volume consumes log storage and forwarding capacity on the firewall and on downstream collectors, so it should stay disabled unless there is a specific need for it.
Code Example
```yaml
---
- name: Example
  ...
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Test rule'
        source_zone: ['inside']
        destination_zone: ['outside']
        source_ip: ['10.10.10.1']
        category: ['any']
        application: ['ssl']
        service: ['service-http', 'service-https']
        description: "A nice rule"
        action: 'allow'
        log_setting: 'default'
        # log_start not specified; the module default is false, so this rule passes
```
Remediation
Palo Alto Networks
- Resource: panos_security_rule
- Attribute: log_start
To mitigate this risk, leave the `log_start` attribute unset (the module default is `false`) or set it explicitly to `false` in your `panos_security_rule` tasks. Treat this as the standard practice, and enable start-of-session logging only where there is a clear, documented need for it, such as troubleshooting a specific rule or monitoring long-lived tunnel sessions; in those cases, scope it to that rule rather than applying it broadly.
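The following is an added example written for this page, not Checkov's own implementation of CKV_PAN_16. It evaluates the same pass/fail condition described above over a parsed Ansible playbook: a `panos_security_rule` task fails only when `log_start` is present and true. The playbook is a constructed sample expressed as the Python structure a YAML loader would produce, so the script runs without PyYAML; the hostnames and rule names in it are invented. It also handles two edge cases a real playbook can contain: the module invoked by its short name instead of the fully qualified collection name, and a quoted `'yes'` that arrives as a string rather than a YAML boolean but which Ansible still treats as true.

```python
"""Evaluate the log_start policy over a parsed Ansible playbook (illustrative)."""
from typing import Any, Dict, Iterable, Iterator, List, Optional

# The module may be referenced by its fully qualified collection name or,
# once the collection is installed, by its short name.
PANOS_RULE_MODULES = (
    "paloaltonetworks.panos.panos_security_rule",
    "panos_security_rule",
)

# Strings Ansible's bool type accepts as true. An unquoted YAML `yes` already
# arrives as Python True; a quoted 'yes' arrives as a string and the module
# converts it, so both spellings must count as "enabled".
TRUE_STRINGS = {"true", "yes", "on", "1", "y", "t"}


def is_truthy(value: Any) -> bool:
    """Interpret a parameter value the way Ansible's bool type does."""
    if isinstance(value, bool):
        return value
    if isinstance(value, (int, float)):
        return value != 0
    if isinstance(value, str):
        return value.strip().lower() in TRUE_STRINGS
    return False


def iter_tasks(tasks: Optional[Iterable[Dict[str, Any]]]) -> Iterator[Dict[str, Any]]:
    """Yield leaf tasks, descending into block/rescue/always sections."""
    for task in tasks or []:
        nested = [task[k] for k in ("block", "rescue", "always") if task.get(k)]
        if nested:
            for section in nested:
                yield from iter_tasks(section)
        else:
            yield task


def evaluate_task(task: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return a PASSED/FAILED record for a panos_security_rule task, else None.

    A rule passes when log_start is absent (the module default is false) or
    set to a false value; it fails only when log_start is present and true.
    """
    module = next((m for m in PANOS_RULE_MODULES if m in task), None)
    if module is None:
        return None
    params = task[module] or {}  # module invoked with no arguments at all
    if not isinstance(params, dict):
        # key=value string form of module arguments is not parsed here.
        raise ValueError(f"unsupported argument form in task {task.get('name')!r}")
    log_start = params.get("log_start")
    enabled = log_start is not None and is_truthy(log_start)
    return {
        "task": task.get("name", "<unnamed>"),
        "rule_name": params.get("rule_name"),
        "log_start": log_start,
        "result": "FAILED" if enabled else "PASSED",
    }


def scan_playbook(playbook: Iterable[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every panos_security_rule task in every play of the playbook."""
    results: List[Dict[str, Any]] = []
    for play in playbook:
        for task in iter_tasks(play.get("tasks")):
            record = evaluate_task(task)
            if record is not None:
                results.append(record)
    return results


# Constructed sample playbook (as loaded from YAML); names are invented.
SAMPLE_PLAYBOOK = [
    {
        "name": "Constructed sample play",
        "hosts": "firewalls",
        "tasks": [
            {   # mirrors the page's own example: log_start unset -> PASSED
                "name": "Allow ssl, log_start unset",
                "paloaltonetworks.panos.panos_security_rule": {
                    "provider": "{{ provider }}",
                    "rule_name": "Test rule",
                    "action": "allow",
                    "log_setting": "default",
                },
            },
            {   # explicit boolean true -> FAILED
                "name": "Explicit log_start true",
                "paloaltonetworks.panos.panos_security_rule": {
                    "rule_name": "Noisy rule", "action": "allow", "log_start": True,
                },
            },
            {   # nested in a block, short module name, quoted 'yes' -> FAILED
                "name": "Block wrapper",
                "block": [
                    {
                        "name": "Quoted yes string",
                        "panos_security_rule": {"rule_name": "Quoted rule", "log_start": "yes"},
                    },
                ],
            },
            {   # explicit false -> PASSED
                "name": "Explicit false",
                "paloaltonetworks.panos.panos_security_rule": {
                    "rule_name": "Quiet rule", "log_start": False,
                },
            },
            {"name": "Unrelated task", "debug": {"msg": "not a firewall rule"}},
        ],
    }
]

if __name__ == "__main__":
    for r in scan_playbook(SAMPLE_PLAYBOOK):
        print(f"{r['result']:6} {r['task']!r} (rule_name={r['rule_name']!r}, log_start={r['log_start']!r})")
```

Running the script prints one line per `panos_security_rule` task; the first and last pass, the two that enable `log_start` (one as a YAML boolean, one as a quoted string inside a block) fail. Unrelated tasks such as `debug` are skipped rather than reported as passing, which matters when the scan output feeds a count of compliant rules.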
Secure Code Example:
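The secure variant is missing from this page. The following is an added example, not code from the original page: it repeats the rule from the Code Example above with `log_start` set explicitly to `false`, which is the remediation described in the previous section. The play-level keys elided by `...` in the page's example are left elided here as well.

```yaml
---
- name: Example
  ...
  tasks:
    - name: Example
      paloaltonetworks.panos.panos_security_rule:
        provider: '{{ provider }}'
        rule_name: 'Test rule'
        source_zone: ['inside']
        destination_zone: ['outside']
        source_ip: ['10.10.10.1']
        category: ['any']
        application: ['ssl']
        service: ['service-http', 'service-https']
        description: "A nice rule"
        action: 'allow'
        log_setting: 'default'
        log_start: false   # explicit; leaving it unset also passes, since the module default is false
```

Setting the value explicitly rather than relying on the default makes the intent visible in code review and survives a future change to the module's default.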
Rule Details
| Field | Value |
|---|---|
| ID | IAC-1298 |
| Severity | LOW |
| IaC Type | Ansible |
| Frameworks | Ansible |
| Checkov ID | CKV_PAN_16 |