How can I resolve drop code "IDP detection"?
Description
This article explains how to troubleshoot scenarios where the firewall is seen to drop packets with the drop code.
DROPPED, Drop Code: 106(IDP detection Attack Prevented(#2)), Module Id: 25(network)
Cause
This issue is caused by one of more of the Security services blocking the traffic as it might have matched partially or completely with one of the existing signatures.
IDP detection drops can occur due to the following services.
- Security Services
- Application Control
- To find out which service is causing this drop, check the logs for Prevention Alerts.
NOTE: Make sure the categories for these services are enabled in Log | Settings. Otherwise, the logs won't be generated. - The name of the service and ID of the signature can be collected from the logs.
- Under Intrusion Prevention, check if "Prevent all" / "Detect all" are enabled for Low Priority Attacks.
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Monitor | Logs | System Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Policy | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Policy | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Policy | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Policy | Security Services | App Control and Policy|Rules and Policies | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Policy | Security Services | Intrusion Prevention.
- Policy | Security Services | Gateway Anti-Virus.
- Policy | Security Services | Anti-spyware.
- Policy | Security Services | App Control
- Policy |Rules and Policies | App Rules
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the System Logs the GUI option will need to be selected under the relevant categories in the Device | Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Investigate | Logs | Event Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Manage | Policies | Rules | Advanced Application Control and Manage | Policies| Rules | Application Control | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Manage | Security Configuration | Security Services | Intrusion Prevention.
- Manage | Security Configuration | Security Services | Gateway Anti-Virus.
- Manage | Security Configuration | Security Services | Anti-spyware.
- Manage | Policies | Rules | Advanced Application Control.
- Manage | Policies | Rules | Application Control.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Event Logs the GUI option will need to be selected under the relevant categories in the Manage | Logs and Reporting | Log Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor
Review the Log | Log Monitor page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Firewall | Application Control Advanced and Firewall | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Security Services | Intrusion Prevention.
- Security Services | Gateway Anti-Virus.
- Security Services | Anti-spyware.
- Firewall | Application Control Advanced.
- Firewall | App Rules.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Log Monitor the GUI option will need to be selected under the relevant categories in the Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.
Additional drop code articles:
