https://www.paloaltonetworks.com/docume ... gging.html
Session End Reason Description
The firewall detected a threat associated with a reset, drop, or block (IP address) action that is defined in a security rule.
The session matched a security policy with a deny or drop action.
The client sent a TCP reset to the server.
The server sent a TCP reset to the client.
The session dropped because of a system resource limitation. For example, the session could have exceeded the number of out-of-order packets allowed per flow or the global out-of-order packet queue.
One host or both hosts in the connection sent a TCP FIN message to close the session.
A session is reused and the firewall closes the previous session.
The decoder detects a new connection within the protocol (such as HTTP-Proxy) and ends the previous connection.
The session aged out.
This value applies in the following situations:
For logs generated in a PAN-OS release that does not support the session end reason field (releases older than 6.1), the value will be unknown after an upgrade to the current PAN-OS release or after the logs are loaded onto the firewall.
In Panorama, logs received from firewalls for which the PAN-OS version does not support session end reasons will have a value of unknown.