- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How can I resolve drop code "IDP detection"?
10/14/2021 
1,452 People found this article helpful
46,177 Views
Description
This article explains how to troubleshoot scenarios where the firewall is seen to drop packets with the drop code.
DROPPED, Drop Code: 106(IDP detection Attack Prevented(#2)), Module Id: 25(network)
Cause
This issue is caused by one of more of the Security services blocking the traffic as it might have matched partially or completely with one of the existing signatures.
IDP detection drops can occur due to the following services.
- Security Services
- Application Control
- To find out which service is causing this drop, check the logs for Prevention Alerts.
NOTE: Make sure the categories for these services are enabled in Log | Settings. Otherwise, the logs won't be generated. - The name of the service and ID of the signature can be collected from the logs.
- Under Intrusion Prevention, check if "Prevent all" / "Detect all" are enabled for Low Priority Attacks.
Resolution
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Investigate | Logs | Event Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Firewall | Application Control Advanced and Firewall | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Manage | Security Configuration | Security Services | Intrusion Prevention.
- Manage | Security Configuration | Security Services | Gateway Anti-Virus.
- Manage | Security Configuration | Security Services | Anti-spyware.
- Manage | Policies | Rules | Advanced Application Control.
- Manage | Policies | Rules | Application control.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Event Logs the GUI option will need to be selected under the relevant categories in the Manage | Logs and Reporting | Log Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor
Review the Log | Log Monitor page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Firewall | Application Control Advanced and Firewall | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Security Services | Intrusion Prevention.
- Security Services | Gateway Anti-Virus.
- Security Services | Anti-spyware.
- Firewall | Application Control Advanced.
- Firewall | App Rules.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Log Monitor the GUI option will need to be selected under the relevant categories in the Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.
Additional drop code articles:
- How do I resolve drop code "Enforced Firewall Rule"?
- How do I resolve drop code "Cache Add Cleanup"?
- How do I resolve drop code "Packet Dropped - Policy Drop"?
- How do I resolve drop code "IP Spoof"?
- How do I resolve drop code "IDP Detection"?
Related Articles
- How to enable and configure NTP?
- Cannot edit App Control Signatures, "Error: property 'value' can't be empty value"
- SSL-VPN 2FA: How to unbind TOTP for a single user or multiple users
YES
NO