How do I resolve drop code "Enforced Firewall Rule"?

Description

This article provides troubleshooting steps to resolve packets being dropped on the SonicWall firewall due to drop code "Enforced Firewall Rule".

Cause

This drop code evidences a discrepancy between the actions performed and the actual configuration on the firewall that either is not allowing to pass the traffic through, new rules must be configured in order to let it pass or some services that are suppose to be allowing certain traffic, are not working as expected. This can be caused not only by a specific service but involves the entire configuration of the firewall including firewall access rules, NAT policies, routing policies, etc.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

The Drop Code "Enforced Firewall Rule" may be resolved by:

  • Check the access rules in the traffic direction involved (i.e. from LAN to WAN): try creating a rule to allow all the traffic and assign high priority and check if the issue still happens. If not, you may want to check all the rules in this intersection.
  • If you're trying to reach one interface of the firewall, make sure that on the related access rule the checkbox "Enable Management" is ticked (under Network | System | Interfaces).
  • Check the logs to see if there's any hint of the drop.

    NOTE: Make sure the logging level (Device | Log | Settings) is set to DEBUG throughout the troubleshooting. Remove DEBUG after troubleshooting.

  • Disable App Rules from Policy | Rules and Policies| App Rules and test. If it works, you may want to check your App Rules.
  • Disable App Control Advanced from Policy | Security Services | App Control and test it. If it works, you may want to check your App Control settings.
  • Disable Content Filtering. If it works, you may want to check your Content Filtering Configuration.
  • Disable SSL Control. If it works, you may want to check your SSL Control settings

    NOTE: Make sure the categories related to the above mentioned services are enabled in Log | Settings. if not enabled, logs will not be generated. 

  • If the packet being dropped is the initial TCP SYN packet, then check Access rules, NAT and Route polices. If packets are dropped after the TCP 3-WAY handshake, then it might be due to either App Control, CFS or SSL Control. Ex: [PSH,ACK] drop due to CFS. The Hex Dump would show HTTP request with the website domain name.

  • If SSO is enabled, make sure it is authenticating the users correctly, otherwise, you may have to check SSO settings.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

The Drop Code "Enforced Firewall Rule" may be resolved by:

  • Check the access rules in the traffic direction involved (i.e. from LAN to WAN): try creating a rule to allow all the traffic and assign high priority and check if the issue still happens. If not, you may want to check all the rules in this intersection.
  • If you're trying to reach one interface of the firewall, make sure that on the related access rule the checkbox "Enable Management" is ticked (under Manage | Network | Interfaces).
  • Check the logs to see if there's any hint of the drop.

    NOTE: Make sure the logging level (Manage | Log Settings) is set to DEBUG throughout the troubleshooting. Remove DEBUG after troubleshooting.

  • Disable App Rules from Manage | Rules | App Rules and test. If it works, you may want to check your App Rules.
  • Disable App Control Advanced from Manage | Rules | App Control and test it. If it works, you may want to check your App Control settings.
  • Disable Content Filtering. If it works, you may want to check your Content Filtering Configuration.
  • Disable SSL Control. If it works, you may want to check your SSL Control settings

    NOTE: Make sure the categories related to the above mentioned services are enabled in Log | Settings. if not enabled, logs will not be generated. 

  • If the packet being dropped is the initial TCP SYN packet, then check Access rules, NAT and Route polices. If packets are dropped after the TCP 3-WAY handshake, then it might be due to either App Control, CFS or SSL Control. Ex: [PSH,ACK] drop due to CFS. The Hex Dump would show HTTP request with the website domain name.

  • If SSO is enabled, make sure it is authenticating the users correctly, otherwise, you may have to check SSO settings.


NOTE: Drop code numbers may change based on the firmware version, however, the drop code message (description) remains the same.

Additional drop code articles:


Related Articles

  • Using 31-Bit Prefixes on IPv4 Address Error: Index of the interface: Invalid IP Address
    Read More
  • How to block a website using CFS 4.0 CLI commands
    Read More
  • How to Configure Wire / Tap mode in SonicOS
    Read More

Categories

Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
SonicWall NSA Series
Firewalls
TZ Series
not finding your answers?
Ask the Community
was this article helpful?
YesNo