

Understanding Logging


I have a freshly set up NSA3600 and configured X4 as a trunk for a Unifi AP with several SSIDs on different VIDs.

If I connect to the different SSIDs/VLANs, I do get the appropriate DHCP lease in the right VLAN.

However, I get no access to the WAN.

In the logs of the NGFW I can see that all packets from all VLANs are getting dropped because of a policy:

DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_rqnke{Ejgem) 1:4)

I assured and double checked:

The access rule from the vlan/zone to WAN is priority 1, see attachment.

CFS and all other security options are not licensed and not active.

There is already the automated NAT policy for the VLAN, which seems to be correct.


How can I find out what is blocking the traffic?

Any help is appreciated.



Category: Firewall Management and Analytics

Best Answer

  • Arkwright All-Knowing Sage ✭✭✭✭
    Answer ✓

    It's not the routing then - route 14 covers traffic from your problem zones to the internet.

    However, I just looked at your access rules again. The one you underlined, rule 1. What do you think that's going to do? I think that rule will only allow access from Multimedia zone to the networks that the firewall's WAN interfaces are in. Now you did say "I get no access to the WAN" and that rule will literally do just that. But I think what you really want is a destination of "Any", i.e., the entire internet.


  • Arkwright All-Knowing Sage ✭✭✭✭

    "Packet dropped - Policy drop" is the most annoying error. It can be caused by NAT policies, access policies and, I think, route policies, but it never tells you which one. As you've checked the first two, is there a matching route policy for this traffic?

  • BWC Cybersecurity Overlord ✭✭✭

    @Trauti are you running the latest firmware? I had packet drops in the past despite the fact that there was a matching rule allowing the traffic. A reboot helped for a while, but it finally got fixed in

    Just in case to rule this out.


  • Trauti Newbie ✭


    I think I do, but I am not sure.

    There are only the default routes created by the appliance itself.

    They are the identical rules for X0 (working) as well as for X0:V88 (does not work) and X4:V88 (does not work).

  • Trauti Newbie ✭

    Hi Michael @BWC,

    yes, I'm running on and I have already rebooted several times ^^

  • Trauti Newbie ✭

    Yeah, you were right. This did the trick!

    I thought "WAN Subnets" is any network behind each interface with the "WAN" zone assigned.

    But like you said, it is only the subnet of the given interface.

    Thank you very much!
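
The resolution above, as an added example that is not part of the thread and not SonicWall code: a simplified first-match rule model showing why a destination of "WAN Subnets" drops internet-bound traffic while "Any" allows it. The addresses, the `AccessRule`, `evaluate` and `audit` names, and the default-drop behaviour for unmatched traffic are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample addressing (documentation ranges), not taken from the thread.
ADDRESS_OBJECTS = {
    "Any": [ipaddress.ip_network("0.0.0.0/0")],
    # Per the thread: only the subnet the WAN interface itself sits in.
    "WAN Subnets": [ipaddress.ip_network("203.0.113.0/24")],
}

@dataclass
class AccessRule:  # hypothetical model of one access rule
    priority: int
    from_zone: str
    to_zone: str
    destination: str  # name of an address object
    action: str       # "allow" or "deny"

def evaluate(rules, from_zone, to_zone, dst_ip):
    """Return (action, priority) of the first matching rule, else ("deny", None)."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (rule.from_zone, rule.to_zone) != (from_zone, to_zone):
            continue
        if any(dst in net for net in ADDRESS_OBJECTS[rule.destination]):
            return rule.action, rule.priority
    return "deny", None  # assumption: traffic no rule matches is dropped

def audit(rules, from_zone, to_zone, probes):
    """Map each probe destination to the action the rule set would take."""
    return {ip: evaluate(rules, from_zone, to_zone, ip)[0] for ip in probes}

# Constructed probes: upstream gateway inside the WAN subnet, and an internet host.
PROBES = ["203.0.113.1", "198.51.100.10"]
narrow_rule = [AccessRule(1, "Multimedia", "WAN", "WAN Subnets", "allow")]
wide_rule = [AccessRule(1, "Multimedia", "WAN", "Any", "allow")]

if __name__ == "__main__":
    for label, rules in (("WAN Subnets", narrow_rule), ("Any", wide_rule)):
        print(label, audit(rules, "Multimedia", "WAN", PROBES))
```

Probing a rule set with one destination inside the WAN interface's subnet and one outside it separates "rule too narrow" from "no rule matched", which the generic policy-drop log message does not.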

