How do I resolve drop code "Enforced Firewall Rule"?
03/26/2020 69 16314
This article provides troubleshooting steps to resolve packets being dropped on the SonicWall firewall due to drop code "Enforced Firewall Rule".
This drop code evidences a discrepancy between the actions performed and the actual configuration on the firewall that either is not allowing to pass the traffic through, new rules must be configured in order to let it pass or some services that are suppose to be allowing certain traffic, are not working as expected. This can be caused not only by a specific service but involves the entire configuration of the firewall including firewall access rules, NAT policies, routing policies, etc.
The Drop Code "Enforced Firewall Rule" may be resolved by:
- Check the access rules in the traffic direction involved (i.e. from LAN to WAN): try creating a rule to allow all the traffic and assign high priority and check if the issue still happens. If not, you may want to check all the rules in this intersection.
- If you're trying to reach one interface of the firewall, make sure that on the related access rule the checkbox "Enable Management" is ticked (under Manage | Network | Interfaces).
- Check the logs to see if there's any hint of the drop.
NOTE: Make sure the logging level (Manage | Log Settings) is set to DEBUG throughout the troubleshooting. Remove DEBUG after troubleshooting.
- Disable App Rules from Manage | Rules | App Rules and test. If it works, you may want to check your App Rules.
- Disable App Control Advanced from Manage | Rules | App Control and test it. If it works, you may want to check your App Control settings.
- Disable Content Filtering. If it works, you may want to check your Content Filtering Configuration.
- Disable SSL Control. If it works, you may want to check your SSL Control settings
NOTE: Make sure the categories related to the above mentioned services are enabled in Log | Settings. if not enabled, logs will not be generated.
If the packet being dropped is the initial TCP SYN packet, then check Access rules, NAT and Route polices. If packets are dropped after the TCP 3-WAY handshake, then it might be due to either App Control, CFS or SSL Control. Ex: [PSH,ACK] drop due to CFS. The Hex Dump would show HTTP request with the website domain name.
- If SSO is enabled, make sure it is authenticating the users correctly, otherwise, you may have to check SSO settings.
NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.
Additional drop code articles: