How do I resolve drop code "Enforced Firewall Rule"?
06/27/2023
Description
This article provides troubleshooting steps to resolve packets being dropped on the SonicWall firewall due to drop code "Enforced Firewall Rule".
Cause
This drop code indicates a discrepancy between what the firewall is expected to do and its actual configuration: either the configuration does not allow the traffic to pass and new rules must be created to let it through, or a service that is supposed to allow certain traffic is not working as expected. The cause is not limited to one specific service; it can involve the entire configuration of the firewall, including firewall access rules, NAT policies, routing policies, etc.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
The Drop Code "Enforced Firewall Rule" may be resolved by:
- Check the access rules in the traffic direction involved (e.g. from LAN to WAN): as a test, create a rule that allows all the traffic, give it high priority, and check whether the issue still happens. If it does not, you may want to review all the rules in this intersection.
- If you're trying to reach one interface of the firewall, make sure that on the related access rule the checkbox "Enable Management" is ticked (under Network | System | Interfaces).
- Check the logs to see if there's any hint of the drop.
NOTE: Make sure the logging level (Device | Log | Settings) is set to DEBUG throughout the troubleshooting. Revert it from DEBUG after troubleshooting.
- Disable App Rules from Policy | Rules and Policies | App Rules and test. If it works, you may want to check your App Rules.
- Disable App Control Advanced from Policy | Security Services | App Control and test it. If it works, you may want to check your App Control settings.
- Disable Content Filtering. If it works, you may want to check your Content Filtering Configuration.
- Disable SSL Control. If it works, you may want to check your SSL Control settings.
NOTE: Make sure the categories related to the above-mentioned services are enabled in Log | Settings. If they are not enabled, logs will not be generated.
If the packet being dropped is the initial TCP SYN packet, check Access rules, NAT policies and Route policies. If packets are dropped after the TCP 3-way handshake, the cause is more likely App Control, CFS or SSL Control. For example, a [PSH,ACK] packet dropped due to CFS: the hex dump would show the HTTP request with the website domain name.
- If SSO is enabled, make sure it is authenticating the users correctly, otherwise, you may have to check SSO settings.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
The Drop Code "Enforced Firewall Rule" may be resolved by:
- Check the access rules in the traffic direction involved (e.g. from LAN to WAN): as a test, create a rule that allows all the traffic, give it high priority, and check whether the issue still happens. If it does not, you may want to review all the rules in this intersection.
- If you're trying to reach one interface of the firewall, make sure that on the related access rule the checkbox "Enable Management" is ticked (under Manage | Network | Interfaces).
- Check the logs to see if there's any hint of the drop.
NOTE: Make sure the logging level (Manage | Log Settings) is set to DEBUG throughout the troubleshooting. Revert it from DEBUG after troubleshooting.
- Disable App Rules from Manage | Rules | App Rules and test. If it works, you may want to check your App Rules.
- Disable App Control Advanced from Manage | Rules | App Control and test it. If it works, you may want to check your App Control settings.
- Disable Content Filtering. If it works, you may want to check your Content Filtering Configuration.
- Disable SSL Control. If it works, you may want to check your SSL Control settings.
NOTE: Make sure the categories related to the above-mentioned services are enabled in Log | Settings. If they are not enabled, logs will not be generated.
If the packet being dropped is the initial TCP SYN packet, check Access rules, NAT policies and Route policies. If packets are dropped after the TCP 3-way handshake, the cause is more likely App Control, CFS or SSL Control. For example, a [PSH,ACK] packet dropped due to CFS: the hex dump would show the HTTP request with the website domain name.
- If SSO is enabled, make sure it is authenticating the users correctly, otherwise, you may have to check SSO settings.
NOTE: Drop code numbers may change based on the firmware version; however, the drop code message (description) remains the same.
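As an added example (not SonicWall's own tooling), the following Python script applies the SYN-versus-post-handshake rule above to a constructed, simplified capture log and maps each "Enforced Firewall Rule" drop to the checks this article prescribes. The line format and the sample lines are assumptions for illustration, not a real SonicOS packet-monitor export.

```python
import re
from collections import defaultdict

DROP_CODE = "Enforced Firewall Rule"

# Checks the article prescribes for each TCP handshake stage.
CHECKS = {
    "initial-syn": ["Access rules", "NAT policies", "Route policies"],
    "post-handshake": ["App Rules", "App Control Advanced",
                       "Content Filtering (CFS)", "SSL Control"],
}

# Constructed sample capture in a hypothetical format (not a SonicOS export).
SAMPLE_CAPTURE = """\
10.0.0.5:51000 -> 203.0.113.10:443 [SYN] DROPPED "Enforced Firewall Rule"
10.0.0.7:52000 -> 198.51.100.20:80 [SYN] FORWARDED
198.51.100.20:80 -> 10.0.0.7:52000 [SYN,ACK] FORWARDED
10.0.0.7:52000 -> 198.51.100.20:80 [ACK] FORWARDED
10.0.0.7:52000 -> 198.51.100.20:80 [PSH,ACK] DROPPED "Enforced Firewall Rule"
"""

LINE = re.compile(r'^(\S+) -> (\S+) \[([A-Z,]+)\] (FORWARDED|DROPPED)(?: "([^"]*)")?$')


def triage(capture: str) -> list:
    """Return one finding per 'Enforced Firewall Rule' drop, with its handshake stage."""
    handshake = defaultdict(set)  # flow -> handshake steps seen forwarded so far
    findings = []
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        src, dst, flag_str, status, reason = m.groups()
        flags = set(flag_str.split(","))
        steps = handshake[frozenset((src, dst))]  # same key for both directions
        if status == "FORWARDED":
            if flags == {"SYN"}:
                steps.add("syn")
            elif flags == {"SYN", "ACK"} and "syn" in steps:
                steps.add("synack")
            elif "ACK" in flags and "synack" in steps:
                steps.add("ack")
            continue
        if reason != DROP_CODE:
            continue
        if flags == {"SYN"} and "synack" not in steps:
            stage = "initial-syn"          # session never got past the first SYN
        elif {"syn", "synack", "ack"} <= steps:
            stage = "post-handshake"       # drop happened inside an established session
        else:
            stage = "mid-handshake"        # no rule in the article; inspect manually
        findings.append({"flow": f"{src} -> {dst}", "flags": flag_str,
                         "stage": stage, "checks": CHECKS.get(stage, [])})
    return findings
```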