Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

How to identify which policy is dropping packets.

I ran a packet capture and see the activity below. How do I figure out which specific policy is dropping this? Extra points if you can be specific.

Ethernet Header
Ether Type: IP(0x800), Src=[c8:9e:43:60:91:47], Dst=[18:c2:41:17:72:57]
IP Packet Header
IP Type: UDP(0x11), Src=[10.10.70.250], Dst=[10.10.70.1]
UDP Packet Header
Src=[59096], Dst=[137], Checksum=0x38c0, Message Length=58 bytes
Application Header
NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 727(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2722_qpmjdzDifdl) 3:2)

Category: Firewall Security Services
Reply

Best Answer

Answers

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    Unbelievably, you can't. All this drop code, module, ref.Id, etc looks like it would be a way to actually answer your question but it is not.

    The short answer to this specific packet drop is that the firewall won't be listening on port 135.

  • MarkDMarkD Cybersecurity Overlord ✭✭✭

    You can change the log level to "firewall action" and use this in conjunction with the packet monitor

  • BartManBartMan Newbie ✭
    edited November 6

    For anyone else who finds this thread and got a little confused like I did, you have to import the FireWall Action Template first, which can be done from the Device —> Log —> Settings section.

    SonicOS 7.0 Device Log - Import Template - SonicWall

    That said, having imported I do not see " Firewall Action " in the list of logging parameters, and I already have a bunch of items set to inform ( there are many, many options ).

    Can someone drop by and be more specific about whether one is " generally " setting all logging level to inform or some specific new type of logging parameter(s) referred to as " Firewall Action " ? Also, do these new logs show in the realtime log? I'm assuming they should.

Sign In or Register to comment.