How do I resolve drop code "Packet Dropped - Policy Drop"?

Description

This article provides troubleshooting steps to resolve packets being dropped on the SonicWall firewall due to drop code "Packet Dropped - Policy Drop".

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that differ from SonicOS 6.5 and earlier firmware. The resolution below is for customers using SonicOS 7.X firmware.


  • Check that the required access rules are in place to allow the traffic to pass through.
  • Check that the routes are correct; conflicting routes can cause issues.
  • Check for incorrect NAT policies; packets are dropped if the NAT policies are missing or incorrectly configured.
  • Check the logs for any related information. 

     NOTE: Change the logging level to DEBUG from Device | Log Settings while troubleshooting.

  • Check if the traffic is arriving on the correct interface. SonicWall will drop the packets if the ingress interface is not the same as what SonicWall has in its route table.
  • All devices that do not require authentication, such as servers, IP phones and printers, should be excluded from SSO. Refer to: Several Ways To Bypass The SSO Authentication
  • Try disabling content filtering and check whether that solves the issue.
    • Allow the website or the category or, in the case of a server, IP phone, printer or any other device that does not require control, exclude it from CFS.
    • Navigate to Policy | Security Services | Content Filter.
    • Select Excluded Address and add the address object or group that includes the devices to exclude from CFS.


Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.


  • Check that the required access rules are in place to allow the traffic to pass through.
  • Check that the routes are correct; conflicting routes can cause issues.
  • Check for incorrect NAT policies; packets are dropped if the NAT policies are missing or incorrectly configured.
  • Check the logs for any related information. 

    NOTE: Change the logging level to DEBUG from Manage | Log Settings while troubleshooting.

  • Check if the traffic is arriving on the correct interface. SonicWall will drop the packets if the ingress interface is not the same as what SonicWall has in its route table.
  • All devices that do not require authentication, such as servers, IP phones and printers, should be excluded from SSO. Refer to: Several ways to bypass the SSO authentication.
  • Try disabling content filtering and check whether that solves the issue.
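
The route and ingress-interface checks listed in both resolutions can be reasoned about offline with a small model. The Python below is an added example, not SonicWall code or the SonicOS implementation; the route table, the X0 to X3 interface assignments, the function names, and the assumption that the lookup is made on the packet's source address are all constructed for illustration.

```python
import ipaddress

# Constructed route table (not exported from a real device):
# (destination network, interface, metric)
ROUTES = [
    ("0.0.0.0/0",       "X1", 20),  # default route towards the WAN
    ("192.168.10.0/24", "X0", 10),  # LAN subnet
    ("10.20.0.0/16",    "X2", 10),  # DMZ range
    ("10.20.30.0/24",   "X3", 10),  # more specific route that conflicts with the DMZ route
]

def lookup_interface(ip, routes=ROUTES):
    """Return the interface of the best route for ip, or None if no route matches.

    Best route = longest prefix; ties are broken by the lowest metric.
    """
    addr = ipaddress.ip_address(ip)
    candidates = []
    for dest, iface, metric in routes:
        net = ipaddress.ip_network(dest)
        if addr in net:
            candidates.append((net.prefixlen, -metric, iface))
    if not candidates:
        return None
    return max(candidates)[2]

def check_ingress(src_ip, ingress_iface, routes=ROUTES):
    """Model of the ingress check: compare where the packet arrived with
    the interface the route table associates with its source address.
    Returns (verdict, expected_interface)."""
    expected = lookup_interface(src_ip, routes)
    verdict = "pass" if expected == ingress_iface else "drop"
    return verdict, expected

if __name__ == "__main__":
    # Constructed sample packets: (source IP, interface the packet arrived on)
    samples = [
        ("192.168.10.5", "X0"),  # LAN host on the LAN interface
        ("10.20.40.7",   "X2"),  # DMZ host on the DMZ interface
        ("10.20.30.7",   "X2"),  # shadowed by the conflicting /24 on X3
        ("8.8.8.8",      "X0"),  # Internet source arriving on the LAN interface
    ]
    for src, iface in samples:
        verdict, expected = check_ingress(src, iface)
        print(f"{src:15} in={iface} table={expected} -> {verdict}")
```

The third sample shows how a conflicting, more specific route produces a drop even though a broader route for the same range points at the interface the packet actually arrived on.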
