How can I resolve drop code "IDP detection"?
12/20/2019 
1386 
25101
DESCRIPTION:
This article explains how to troubleshoot scenarios where the firewall is seen to drop packets with the drop code.
DROPPED, Drop Code: 106(IDP detection Attack Prevented(#2)), Module Id: 25(network)
CAUSE:
This issue is caused by one of more of the Security services blocking the traffic as it might have matched partially or completely with one of the existing signatures.
IDP detection drops can occur due to the following services.
RESOLUTION:
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Investigate | Logs | Event Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|
| Intrusion Prevention | Signature ID (SID)
Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or
bypass by IP |
| Gateway Anti-Virus | Signature ID (SID)
Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or
bypass by IP |
| Anti-Spyware | Signature ID (SID)
Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or
bypass by IP |
| Application Control | Signature ID (SID)
Ex. 5
or
Signature Name
Ex. Proxy Access | Firewall | Application Control Advanced
and
Firewall | App Rules | Search for SID and disable SID or
bypass by IP (App Control)
or
Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Manage | Security Configuration | Security Services | Intrusion Prevention.
- Manage | Security Configuration | Security Services | Gateway Anti-Virus.
- Manage | Security Configuration | Security Services | Anti-spyware.
- Manage | Policies | Rules | Advanced Application Control.
- Manage | Policies | Rules | Application control.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Event Logs the GUI option will need to be selected under the relevant categories in the Manage | Logs and Reporting | Log Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor
Review the Log | Log Monitor page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|
| Intrusion Prevention | Signature ID (SID)
Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or
bypass by IP |
| Gateway Anti-Virus | Signature ID (SID)
Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or
bypass by IP |
| Anti-Spyware | Signature ID (SID)
Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or
bypass by IP |
| Application Control | Signature ID (SID)
Ex. 5
or
Signature Name
Ex. Proxy Access | Firewall | Application Control Advanced
and
Firewall | App Rules | Search for SID and disable SID or
bypass by IP (App Control)
or
Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Security Services | Intrusion Prevention.
- Security Services | Gateway Anti-Virus.
- Security Services | Anti-spyware.
- Firewall | Application Control Advanced.
- Firewall | App Rules.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Log Monitor the GUI option will need to be selected under the relevant categories in the Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.
Additional drop code articles:
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Capture Security applianceAdvanced Threat Protection for modern threat landscape
Network Security ManagerModern Security Management for today’s security landscape
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
Email SecurityProtect against today’s advanced email threats
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
