I must be doing something wrong. We have an egress policy (trust to untrust) blocking outbound port 25, from "any" to "any".
I want to log all hits against this policy, as an early warning of machines inside our network infected with spam bots.
For logging, I've been through the various options, none of them successful so far. I've set a counter with a threshold of at least 1 per minute (tried with and without counting enabled). I've enabled the option to "Log at session init time".
After applying the config, I tested and the blocking part works: outbound 25/TCP is solidly blocked. BUT there is no logging. When I view the log for that policy, it's empty even though I've repeatedly triggered the rule intentionally.