Different drop codes in SonicOSX with Security Policies

This article explains about the different drop code and packet behavior when there is no Security Policy, when there is a Any-Any-Any Security Policy with Action set to Deny, and when there is a Security Policy with a specific Web Category selected but still the Action is set to Deny

1) When there is no Security Policy that is configured on the firewall

When there is no Security policy that is configured from LAN to WAN, but when the device on the LAN tries to reach any external IP/domain, the SYN packet would be dropped by the firewall stating DROPPED, Drop Code: 105(Enforced firewall rule(#1)), Module Id: 25(network)

2) When there is a Any-Any-Any Security Policy with the Action that is set to Deny that is configured on 
the firewall

When there is a Security policy that is configured from LAN to WAN, with the Action that is set to Deny and when the traffic matches the Security Policy, then the SYN packet would be dropped by the firewall stating DROPPED, Drop Code: 948(Deny Policy), Module Id: 25(network)

3) When there is a Any-Any-Any Security Policy with the Action that is set to Deny but if it also has a 
Web Category Selected 

When there is a Security policy that is configured from LAN to WAN, with the Action that is set to Deny but when it also has a Web Category Selected, then for any traffic that matches that rule, the TCP 3 way handshake is expected to complete and if the site that was being accessed belonged to the Category that is included in the rule, and when there is no URI rating in the CFS local cache, then the traffic will be dropped stating DROPPED, Drop Code: 933(Packet dropped - policy CFS drop), Module Id: 25(network)

So, if the rating for an URI is already existing in the CFS cache, and when the policy is matched by web category, since DENY action is configured, the packet will finally be dropped by policy engine with code DROPPED, Drop Code: 948(Deny Policy), Module Id: 25(network).