Gateway AV and packet monitor
We have a client software that reaches out to an on-prem server for updates. Our TZ570 units are flagging the files as a virus per the cloud database. I've added an exception for one signature, and now, a few days later, it's triggering via a different signature. When the update was failing I initially did a packet monitor to see if it was indeed the firewall blocking. I eventually did a monitor of everything and searched the results. No dropped packets. However, going through the log monitor there was a plethora of events logged pertaining to a transfer from server A to client B with their specific IP addresses listed as src and dst accordingly. My question is why do these not show up in packet monitor as dropped? Only in the log monitor. I naively assumed the packet monitor looked at everything on all interfaces and captured accordingly.
Best Answer
TKWITS Community Legend ✭✭✭✭✭
Have you considered adding a blanket exception to GAV for the on prem server rather than individual signatures?
To answer the question, the firewall may not be 'dropping' the packets. The packet monitor doesn't tell you what security services are doing, strictly what traffic is passing an interface.
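To illustrate the distinction the answer draws (the packet monitor records what crosses an interface, while a Gateway AV verdict is recorded by the log monitor), here is an added example that correlates the two views for the same src/dst pair. This is not code from the thread or from SonicWall; the packet-monitor CSV and the log lines are constructed for the example and their formats are hypothetical, not the TZ570's real export or log syntax.

```python
"""Correlate packet-monitor records with gateway anti-virus (GAV) log events.

Added example, not code from the thread or from SonicWall. Both record
formats below are constructed for illustration and are not the real
TZ570 packet-monitor export or log-monitor format.
"""
import csv
import io
import re
from collections import defaultdict

# Constructed packet-monitor export: one row per packet seen on an interface.
# Every packet of the update flow (10.0.0.5 -> 10.0.1.20) is "forwarded";
# nothing in that flow is marked dropped, matching the poster's observation.
PACKET_MONITOR_CSV = """\
direction,iface,src,dst,proto,dport,status
ingress,X0,10.0.0.5,10.0.1.20,tcp,8443,forwarded
egress,X2,10.0.0.5,10.0.1.20,tcp,8443,forwarded
ingress,X2,10.0.1.20,10.0.0.5,tcp,8443,forwarded
ingress,X0,10.0.0.9,203.0.113.7,udp,53,dropped
"""

# Constructed log-monitor lines with hypothetical wording. Two different
# signatures fire on the same server over several days, as in the thread.
LOG_MONITOR = """\
2024-01-10 09:12:01 GAV src=10.0.0.5 dst=10.0.1.20 sig=Example.Sig.A action=blocked
2024-01-10 09:12:03 GAV src=10.0.0.5 dst=10.0.1.20 sig=Example.Sig.A action=blocked
2024-01-13 14:02:44 GAV src=10.0.0.5 dst=10.0.1.20 sig=Example.Sig.B action=blocked
2024-01-13 14:03:10 Connection Opened src=10.0.0.9 dst=203.0.113.7
"""

GAV_RE = re.compile(
    r"GAV src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) action=(?P<action>\S+)"
)


def packet_monitor_flows(csv_text):
    """Map (src, dst) -> set of interface statuses seen in the packet monitor."""
    flows = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        flows[(row["src"], row["dst"])].add(row["status"])
    return flows


def gav_events(log_text):
    """Yield (src, dst, sig, action) for each GAV line in the log monitor."""
    for line in log_text.splitlines():
        m = GAV_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["sig"], m["action"]


def service_blocked_flows(csv_text, log_text):
    """Flows the packet monitor never shows as dropped but that the log
    monitor says a security service blocked.

    The packet monitor records packets crossing an interface; the GAV
    verdict is applied later in the inspection path, so the interface
    stage records no drop even though the transfer never completes.
    Returns {(src, dst): {signatures}}.
    """
    flows = packet_monitor_flows(csv_text)
    blocked = {}
    for src, dst, sig, action in gav_events(log_text):
        if action != "blocked":
            continue
        if "dropped" not in flows.get((src, dst), set()):
            blocked.setdefault((src, dst), set()).add(sig)
    return blocked


def signatures_per_source(log_text):
    """Count distinct blocking GAV signatures per source host. Several
    signatures on one trusted server is the case where a per-host
    exception is more durable than a per-signature one."""
    sigs = defaultdict(set)
    for src, _dst, sig, action in gav_events(log_text):
        if action == "blocked":
            sigs[src].add(sig)
    return {src: len(s) for src, s in sigs.items()}


if __name__ == "__main__":
    for (src, dst), sigs in service_blocked_flows(PACKET_MONITOR_CSV, LOG_MONITOR).items():
        print(f"{src} -> {dst}: forwarded at interface, blocked by GAV "
              f"({', '.join(sorted(sigs))})")
    print(signatures_per_source(LOG_MONITOR))
```

Run as a script, it reports the update flow as forwarded at the interface yet blocked by GAV under two signatures, while the unrelated DNS flow shows up as a genuine interface-level drop only in the packet monitor.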
Answers
@TKWITS
Interesting that you said that. In the end I did in fact end up setting a blanket exception for the server. Been trouble free for a couple days now.
I guess the word dropped wasn't the best to use. I was hoping the packet monitor would somehow indicate that something was flagged with the packet since it does hit an interface but doesn't make it through to the DST.