How to identify which policy is dropping packets.
I ran a packet capture and see the activity below. How do I figure out which specific policy is dropping this? Extra points if you can be specific.
Ethernet Header
Ether Type: IP(0x800), Src=[c8:9e:43:60:91:47], Dst=[18:c2:41:17:72:57]
IP Packet Header
IP Type: UDP(0x11), Src=[10.10.70.250], Dst=[10.10.70.1]
UDP Packet Header
Src=[59096], Dst=[137], Checksum=0x38c0, Message Length=58 bytes
Application Header
NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 727(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2722_qpmjdzDifdl) 3:2)
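An added example, not part of the original post: a small Python parser for the packet monitor text layout shown above. It pulls the flow tuple and drop code out of each dropped packet and counts identical flows, so the same source, destination and port can then be searched for in the firewall's log. The second record in the sample and the names `parse_drops` and `summarize` are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the record from the post, followed by one made-up
# record in the same text layout.
SAMPLE = """\
Ethernet Header
Ether Type: IP(0x800), Src=[c8:9e:43:60:91:47], Dst=[18:c2:41:17:72:57]
IP Packet Header
IP Type: UDP(0x11), Src=[10.10.70.250], Dst=[10.10.70.1]
UDP Packet Header
Src=[59096], Dst=[137], Checksum=0x38c0, Message Length=58 bytes
Application Header
NETBIOS Ns:
Value:[1]
DROPPED, Drop Code: 727(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _2722_qpmjdzDifdl) 3:2)
Ethernet Header
IP Type: UDP(0x11), Src=[10.10.70.251], Dst=[10.10.70.1]
Src=[50000], Dst=[137], Checksum=0x0000, Message Length=58 bytes
DROPPED, Drop Code: 727(Packet dropped - Policy drop), Module Id: 27(policy), (Ref.Id: _0000_constructed) 3:2)
"""

IP_RE = re.compile(r"IP Type: (\w+)\(0x[0-9a-fA-F]+\), Src=\[([^\]]+)\], Dst=\[([^\]]+)\]")
PORT_RE = re.compile(r"Src=\[(\d+)\], Dst=\[(\d+)\]")  # match() anchors at line start
DROP_RE = re.compile(r"DROPPED, Drop Code: (\d+)\(([^)]*)\), Module Id: (\d+)\(([^)]*)\)")

def parse_drops(text):
    """Return one dict per DROPPED line, carrying the headers seen before it."""
    drops, cur = [], {}
    for line in text.splitlines():
        line = line.strip()
        if line == "Ethernet Header":
            cur = {}  # a new packet starts; forget the previous headers
        elif m := IP_RE.match(line):
            cur.update(proto=m[1], src_ip=m[2], dst_ip=m[3])
        elif m := PORT_RE.match(line):
            cur.update(src_port=int(m[1]), dst_port=int(m[2]))
        elif m := DROP_RE.match(line):
            cur.update(drop_code=int(m[1]), reason=m[2],
                       module_id=int(m[3]), module=m[4])
            drops.append(cur)
            cur = {}
    return drops

def summarize(drops):
    """Count drops per (drop code, module, protocol, destination IP, destination port)."""
    return Counter((d.get("drop_code"), d.get("module"), d.get("proto"),
                    d.get("dst_ip"), d.get("dst_port")) for d in drops)

if __name__ == "__main__":
    for key, n in summarize(parse_drops(SAMPLE)).items():
        print(n, key)
```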
Best Answer
Bill2024e Newbie ✭
So after a bit of digging, it appears I have to use the "Firewall Action" log template (
and then changing the log level to inform, I can see all times that policies are hit and which ones are involved.
Thank you!
Answers
Unbelievably, you can't. All this drop code, module, ref.Id, etc. looks like it would be a way to actually answer your question but it is not.
The short answer to this specific packet drop is that the firewall won't be listening on port 135.
You can change the log level to "firewall action" and use this in conjunction with the packet monitor.
For anyone else who finds this thread and got a little confused like I did, you have to import the FireWall Action Template first, which can be done from the Device —> Log —> Settings section.
SonicOS 7.0 Device Log - Import Template - SonicWall
That said, having imported I do not see "Firewall Action" in the list of logging parameters, and I already have a bunch of items set to inform (there are many, many options).
Can someone drop by and be more specific about whether one is "generally" setting all logging level to inform or some specific new type of logging parameter(s) referred to as "Firewall Action"? Also, do these new logs show in the realtime log? I'm assuming they should.