Beginning vs End-of-Connection Logging
You can log a connection at its beginning or its end, with the following exceptions for blocked traffic:
- Blocked traffic—Because blocked traffic is immediately denied without further inspection, usually you can log only beginning-of-connection events for blocked traffic. There is no unique end of connection to log.
- Blocked encrypted traffic—When you enable connection logging in an SSL policy, the system logs end-of-connection rather than beginning-of-connection events. This is because the system cannot determine if a connection is encrypted using the first packet in the session, and thus cannot immediately block encrypted sessions.
To optimize performance, log either the beginning or the end of any connection, but not both. Monitoring a connection for any reason forces end-of-connection logging. For a single non-blocked connection, the end-of-connection event contains all of the information in the beginning-of-connection event, as well as information gathered over the duration of the session.
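An added example, not taken from the product documentation: a small Python check that applies the guidance above to a list of access control rules. The field names (`name`, `action`, `logBegin`, `logEnd`), the action values, and the sample rules are assumptions constructed for illustration; SSL policy rules are out of scope because they log at end of connection.

```python
# Added example: audit rule logging flags against the guidance in this section.
# Field names and action values are assumed, modelled on a JSON rule export.

BLOCK_ACTIONS = {"BLOCK", "BLOCK_RESET"}  # assumed names for blocking actions


def audit_rule(rule):
    """Return a list of findings for one access control rule dict."""
    findings = []
    action = str(rule.get("action", "")).upper()
    begin = bool(rule.get("logBegin"))
    end = bool(rule.get("logEnd"))

    if action in BLOCK_ACTIONS:
        # Blocked traffic has no unique end of connection to log.
        if not begin:
            findings.append("block rule without beginning-of-connection "
                            "logging: blocked traffic usually goes unlogged")
    elif action == "MONITOR":
        # Monitoring forces end-of-connection logging on its own.
        if begin:
            findings.append("monitor rule also logs beginning: "
                            "end-of-connection logging is already forced")
    elif begin and end:
        # The end event contains everything the beginning event does.
        findings.append("logs both beginning and end: redundant, "
                        "costs performance")
    return findings


def audit(rules):
    """Map rule name -> findings, only for rules that have findings."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = findings
    return report


# Constructed sample rules, not from a real policy.
SAMPLE_RULES = [
    {"name": "deny-telnet", "action": "BLOCK", "logBegin": False, "logEnd": True},
    {"name": "allow-web", "action": "ALLOW", "logBegin": True, "logEnd": True},
    {"name": "watch-dns", "action": "MONITOR", "logBegin": True, "logEnd": False},
    {"name": "allow-ssh", "action": "ALLOW", "logBegin": False, "logEnd": True},
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name, "->", "; ".join(findings))
```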
The following table details the differences between beginning and end-of-connection events, including the advantages to logging each.
| | Beginning-of-Connection Events | End-of-Connection Events |
|---|---|---|
| Can be generated... | When the system detects the beginning of a connection (or, after the first few packets if event generation depends on application or URL identification) | When the system: |
| Can be logged for... | All connections except those blocked by the SSL policy | Most connections |
| Contain... | Only information that can be determined in the first packet (or the first few packets, if event generation depends on application or URL identification) | All information in the beginning-of-connection event, plus information determined by examining traffic over the duration of the session; for example, the total amount of data transmitted or the timestamp of the last packet in the connection |
| Are useful... | If you want to log: | If you want to: |