html extracted from packet capture - which policy blocks?
*Packet number: 45*
Header Values: Bytes captured: 66, Actual Bytes on the wire: 66
Packet Info(Time:10/27/2023 13:59:37.672): in:X0*(interface), out:--, DROPPED, Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2251_qpmjdzDifdl), 16:16)
Ethernet Header
Ether Type: IP(0x800), Src=[ec:02:73:ab:e4:7f], Dst=[c2:ea:e4:f5:65:ae]
IP Packet Header
IP Type: TCP(0x6), Src=[10.5.101.29], Dst=[188.114.97.7]
TCP Packet Header
TCP Flags = [SYN,], Src=[59724], Dst=[443], Checksum=0xe750
Application Header
HTTPS Value:[1]
Hex and ASCII dump of the packet:
c2eae4f5 65aeec02 73abe47f 08004500 0034a53b 40007f06 *....e...s.....E..4.;@...*
c9ec0a05 651dbc72 6107e94c 01bb0bbc e39f0000 000080c2 *....e..ra..L............*
2000e750 00000204 05b40103 03080101 0402 * ..P.............. *
Can I determine from the codes which ACL is blocking?
(Ref.Id: _2251_qpmjdzDifdl), 16:16) ?
Best Answer
TonyA SonicWall Employee
You can check the source and destination IP addresses to get an idea of the traffic flow and start with access rules. Match the zones to those IPs and check if you have any deny rules.
Policy drop usually is access rules.
Destination address looks like an internet address, so that should be the WAN zone, and the source looks like it could be an internal IP.
You can also see the destination port is 443, so HTTPS traffic.
Example: the source IP is an internal address behind X0, which is a LAN zone, and the destination address is an address on the internet, which would be the WAN zone, so you would be checking LAN to WAN access rules.
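The triage steps above (read src/dst IP, guess the zones, note the port, then pick the zone pair whose access rules to review) can be scripted so the same questions get asked of every dropped-packet record. The following is an added example written for this thread, not SonicWall's tooling or TonyA's code. It assumes the record uses the field layout quoted in the question, that a private (RFC 1918) address sits in the LAN zone and anything else in the WAN zone (an assumption; the real zone comes from the firewall's interface configuration), and it only recognises a handful of well-known destination ports.

```python
import ipaddress
import re

# Constructed sample: the drop record from the capture quoted in the question,
# trimmed to the lines this script actually reads.
SAMPLE_RECORD = """
Packet Info(Time:10/27/2023 13:59:37.672): in:X0*(interface), out:--, DROPPED,
Drop Code: 726(Packet dropped - Policy drop), Module Id: 27(policy)
IP Packet Header IP Type: TCP(0x6), Src=[10.5.101.29], Dst=[188.114.97.7]
TCP Packet Header TCP Flags = [SYN,], Src=[59724], Dst=[443], Checksum=0xe750
"""

# One regex per field; group 1 is the value. The IP and port patterns are
# anchored on "IP Type:" / "TCP Flags =" so the Ethernet Src/Dst are not matched.
FIELD_PATTERNS = {
    "in_iface": r"in:([A-Za-z0-9]+)",
    "drop_code": r"Drop Code: (\d+)",
    "module": r"Module Id: \d+\((\w+)\)",
    "src_ip": r"IP Type: .*?Src=\[([\d.]+)\]",
    "dst_ip": r"IP Type: .*?Dst=\[([\d.]+)\]",
    "tcp_flags": r"TCP Flags = \[([A-Z,]*)\]",
    "src_port": r"TCP Flags = .*?Src=\[(\d+)\]",
    "dst_port": r"TCP Flags = .*?Dst=\[(\d+)\]",
}

# Assumed port-to-service table for the hint text only.
SERVICE_NAMES = {"443": "HTTPS", "80": "HTTP", "53": "DNS", "22": "SSH"}


def parse_drop_record(text):
    """Pull the interesting fields out of one packet-monitor record."""
    fields = {}
    for name, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text)
        fields[name] = match.group(1) if match else None
    return fields


def guess_zone(ip):
    """Assumption: private/loopback/link-local -> LAN, everything else -> WAN."""
    return "LAN" if ipaddress.ip_address(ip).is_private else "WAN"


def triage(text):
    """Return the parsed fields plus a hint about which rule set to review."""
    f = parse_drop_record(text)
    # Only a policy-module drop (code 726 in the capture) points at access rules.
    if f["drop_code"] != "726" or f["module"] != "policy":
        return {"fields": f, "hint": "not a policy drop; look at module %s" % f["module"]}
    src_zone = guess_zone(f["src_ip"])
    dst_zone = guess_zone(f["dst_ip"])
    service = SERVICE_NAMES.get(f["dst_port"], "TCP/%s" % f["dst_port"])
    direction = "%s to %s" % (src_zone, dst_zone)
    # A dropped SYN means the connection never got a session; the access rule
    # was evaluated on the very first packet.
    first_packet = "SYN" in (f["tcp_flags"] or "")
    hint = "review %s access rules for %s from %s (ingress %s)%s" % (
        direction, service, f["src_ip"], f["in_iface"],
        "; dropped on the SYN, so no session was ever allowed" if first_packet else "")
    return {
        "fields": f, "src_zone": src_zone, "dst_zone": dst_zone,
        "service": service, "direction": direction, "hint": hint,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_RECORD)
    for key, value in result["fields"].items():
        print("%-10s %s" % (key, value))
    print(result["hint"])
```

Run it against a record pasted from the packet monitor and it prints the extracted fields and a one-line pointer such as "review LAN to WAN access rules for HTTPS from 10.5.101.29 (ingress X0)". It narrows the search to a zone pair; it does not name the rule, which the capture itself does not carry.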
Answers
As far as I know, the answer to this seemingly obvious question is "no". When I spoke to someone in third line a few years ago, he also said that "policy" can mean, NAT policy, access policy or route policy as well, so it's not even as simple as just which firewall rule!