Traffic of Pitney Bowes franking machine dropped - drop code 99 - Enforced firewall rule

After the upgrade to 6.2.6.x firmware franking machines are not able to update their counters online.

Packet capturing the web traffic of the device shows that the requests are dropped due to "Enforced Firewall Rule" or drop code 99.

The packet is dropped by the content filter system due to the "Host tag search" as the HTTP requests generated by the franking machine do not contain a host name.

The recommended workaround is to add the IP of the franking machine to the CFS exclusion list.

If you already have setup a address object group for CFS exclusion follow these steps:

• Go to Network | Address Objects
• Create a new host address object using the franking machine IP in the correct zone
• Now add the created address object to your CFS exclusion address object group

If you have not used CFS exclusion before follow these steps:

• Go to Network | Address Objects
• Create a new host address object using the franking machine IP in the correct zone
• Create a new address object group that will hold future CFS exclusions
• Now add the new address object to the address object group
• Go to Security Services | Content Filter
• Under CFS Exclusion select the new address object group as Excluded Address

As an alternative you can also disable the enforcement of the "Host Tag Search" but this is not recommended as it can affect the accuracy of the website ratings.

To disable the Host Tag Search enforcement follow these steps:

• Log in to the SonicWall
• Replace main.html with diag.html in the browser address bar and press enter
• Click on Internal Settings
• Scroll down to the Security Services Settings section
• Disable "Enforce Host Tag Search for CFS" and click Accept at the top