Video<\/a><\/li><\/ul><\/nav><\/div>\n\nIdentify discarded packages<\/h2>\n\n
To recognize dropped packets, use the Sophos Firewall log viewer<\/strong>.\nThis shows which modules are responsible for dropping a packet.\nThe most important modules include: <\/p>\n\n\n- Firewall<\/strong><\/li>\n\n\n\n
- Web filter<\/strong><\/li>\n\n\n\n
- Application filter<\/strong><\/li>\n\n\n\n
- Intrusion Prevention System (IPS)<\/strong><\/li>\n\n\n\n
- Advanced Threat Protection (ATP)<\/strong><\/li>\n\n\n\n
- Web Protection<\/strong><\/li>\n<\/ul>\n\n
By using filters in the Log Viewer, you can search specifically for discarded packages.\nFor example, you can set a filter that only shows packets that are not allowed. <\/p>\n\n
Step-by-step instructions<\/strong><\/h3>\n\n\n- Open the Log Viewer<\/strong>.<\/li>\n\n\n\n
- Select the corresponding module (e.g. firewall).<\/li>\n\n\n\n
- Add a filter that displays the discarded packages.\n
\n- Set the filter for “Log Subtype” to “Is Not Allowed”.<\/li>\n<\/ul>\n<\/li>\n\n\n\n
- Analysis of the discarded packages based on the messages in the Log Viewer.<\/li>\n<\/ol>\n\n
Please note that the Log Viewer only saves a limited number of logs and is not suitable for real-time monitoring.\nFor real-time analysis, we recommend using the Packet Capture Tool<\/strong>. <\/p>\n\nFrequent error messages for discarded packages<\/h2>\n\n
Discarded packages can have various causes, which are displayed in the Log Viewer.\nThe most common error messages include <\/p>\n\n
\n- Invalid Packet<\/strong>: Refers to rejected TCP RST or TCP FIN packets to prevent attacks.<\/li>\n\n\n\n
- No ICMP Record Found<\/strong>: A response ping was received without a corresponding request and discarded.<\/li>\n\n\n\n
- Could Not Associate Packet to Any Connection<\/strong>: The packet does not belong to any known connection and is discarded.<\/li>\n<\/ul>\n\n
Another scenario that can lead to dropped packets is asymmetric routing<\/strong>, where the firewall cannot assign the packets correctly.<\/p>\n\nThe Packet Capture Tool<\/strong> enables a detailed analysis of data traffic.\nThis allows administrators to see which firewall rules and security functions influence the data flow.\nFor example, it can be determined whether the web filter or another security function is blocking the packet. <\/p>\n\nStep-by-step instructions<\/strong><\/h3>\n\n\n- Navigate to Diagnostics > Packet Capture<\/strong>.<\/li>\n\n\n\n
- Configure the packet filter with the relevant IP addresses and protocols.<\/li>\n\n\n\n
- Activate packet capture while the problem is being reproduced.<\/li>\n\n\n\n
- Analysis of the recorded packets with regard to dropped or blocked connections.<\/li>\n<\/ol>\n\n
Troubleshooting using examples<\/h2>\n\n
The following describes some common scenarios in which packages are discarded and the corresponding solutions.<\/p>\n\n
Dropped packets due to firewall rules<\/h3>\n\n
Example: An internal computer cannot ping another computer in the network.<\/p>\n\n
\n- Use the Packet Capture Tool to check whether the packets are received and forwarded by the firewall.<\/li>\n\n\n\n
- If the packets are not forwarded, a missing firewall rule could be the problem.\nA new rule that allows ping traffic solves the problem. <\/li>\n<\/ul>\n\n
Discarded packages due to web filter<\/h3>\n\n
Example: A website such as youtube.com<\/strong> is blocked.<\/p>\n\n\n- Check the web filter logs in the Log Viewer.<\/li>\n\n\n\n
- If the website is blocked due to a policy, a new URL group can be created to allow specific websites while others remain blocked.<\/li>\n<\/ul>\n\n
Best Practices<\/h2>\n\n