-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How can I resolve drop code "IDP detection"?
06/26/2023 
1,767 People found this article helpful
491,996 Views
Description
This article explains how to troubleshoot scenarios where the firewall is seen to drop packets with the drop code.
DROPPED, Drop Code: 106(IDP detection Attack Prevented(#2)), Module Id: 25(network)
Cause
This issue is caused by one of more of the Security services blocking the traffic as it might have matched partially or completely with one of the existing signatures.
IDP detection drops can occur due to the following services.
- Security Services
- Application Control
- To find out which service is causing this drop, check the logs for Prevention Alerts.
NOTE: Make sure the categories for these services are enabled in Log | Settings. Otherwise, the logs won't be generated. - The name of the service and ID of the signature can be collected from the logs.
- Under Intrusion Prevention, check if "Prevent all" / "Detect all" are enabled for Low Priority Attacks.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Monitor | Logs | System Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Policy | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Policy | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Policy | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Policy | Security Services | App Control and Policy|Rules and Policies | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Policy | Security Services | Intrusion Prevention.
- Policy | Security Services | Gateway Anti-Virus.
- Policy | Security Services | Anti-spyware.
- Policy | Security Services | App Control
- Policy |Rules and Policies | App Rules
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the System Logs the GUI option will need to be selected under the relevant categories in the Device | Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor.
Review the Investigate | Logs | Event Logs page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Manage | Policies | Rules | Advanced Application Control and Manage | Policies| Rules | Application Control | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor.
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Manage | Security Configuration | Security Services | Intrusion Prevention.
- Manage | Security Configuration | Security Services | Gateway Anti-Virus.
- Manage | Security Configuration | Security Services | Anti-spyware.
- Manage | Policies | Rules | Advanced Application Control.
- Manage | Policies | Rules | Application Control.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Event Logs the GUI option will need to be selected under the relevant categories in the Manage | Logs and Reporting | Log Settings to ensure that all details are logged to help identify the specific signature causing the block.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
There are two routes to determine where this is being blocked based on your level of logging in the firewall.
- If logged event can be found in the Log monitor
Review the Log | Log Monitor page and filter to either the source or destination IP to determine which of the security services triggered the dropped packet. If a logged event exists showing a prevention, review the below table and how to resolve the drop.
| Detected Service | What to make note of | Where to go | What to do |
|---|---|---|---|
| Intrusion Prevention | Signature ID (SID) Ex. 1234 | Security Services | Intrusion Prevention | Search for SID and disable SID or bypass by IP |
| Gateway Anti-Virus | Signature ID (SID) Ex. Mal.Agent1234(Trojan) | Security Services | Gateway Anti-Virus | Search for SID and disable SID or bypass by IP |
| Anti-Spyware | Signature ID (SID) Ex. 1234 | Security Services | Anti-Spyware | Search for SID and disable SID or bypass by IP |
| Application Control | Signature ID (SID) Ex. 5 or Signature Name Ex. Proxy Access | Firewall | Application Control Advanced and Firewall | App Rules | Search for SID and disable SID or bypass by IP (App Control) or Search for rule that matches the signature name (App rules) |
- If logged event cannot be found in the Log monitor
Deactivate the security services in the following order to determine which security service is causing the packets to be dropped.
- Security Services | Intrusion Prevention.
- Security Services | Gateway Anti-Virus.
- Security Services | Anti-spyware.
- Firewall | Application Control Advanced.
- Firewall | App Rules.
Deactivate them individually and test after each deactivation, to see if the packets are still being dropped. As nothing appears in the Log Monitor the GUI option will need to be selected under the relevant categories in the Log | Settings to ensure that all details are logged to help identify the specific signature causing the block.
NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.
Additional drop code articles:
- How do I resolve drop code "Enforced Firewall Rule"?
- How do I resolve drop code "Cache Add Cleanup"?
- How do I resolve drop code "Packet Dropped - Policy Drop"?
- How do I resolve drop code "IP Spoof"?
- How do I resolve drop code "IDP Detection"?
Related Articles
- Cysurance Partner FAQ
- How can I enable Enhanced Audit Logging Support?
- How to stop the creation of Auto-Added Access Rules and enable the ability to edit or delete the existing rules?
Categories
- Firewalls > NSa Series > System
- Firewalls > TZ Series > System
- Firewalls > NSv Series > System
YES
NO