How to identify which policy is dropping packets.

Bill2024e · June 22

I ran a packet capture and see the activity below. How do I figure out which specific policy is dropping this? Extra points if you can be specific.

Ethernet Header
Ether Type: IP(0x800), Src=[c8:9e:43:60:91:47], Dst=[18:c2:41:17:72:57]
IP Packet Header
IP Type: UDP(0x11), Src=[10.10.70.250], Dst=[10.10.70.1]
UDP Packet Header
Src=[59096], Dst=[137], Checksum=0x38c0, Message Length=58 bytes
Application Header
NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 727(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2722_qpmjdzDifdl) 3:2)

Bill2024e · June 26

https://community.sonicwall.com/technology-and-support/discussion/comment/21516#Comment_21516

So after a bit of digging, it appears I have to use the "Firewall Action" log template ( https://www.sonicwall.com/support/technical-documentation/docs/sonicos-7.0.1-device_log/Content/Logs_Settings/logs-settings-firewall-template.htm/

and then changing the log level to inform, I can see all times that policies are hit and which ones are involved.

Thank you!

Arkwright · June 24

Unbelievably, you can't. All this drop code, module, ref.Id, etc looks like it would be a way to actually answer your question but it is not.

The short answer to this specific packet drop is that the firewall won't be listening on port 135.

MarkD · June 24

You can change the log level to "firewall action" and use this in conjunction with the packet monitor

Join the Conversation

How to identify which policy is dropping packets.

Best Answer

Answers