Most engineers think…
Most people troubleshoot a firewall by changing things until traffic flows — toggle a rule, rebuild a NAT, reboot, blame the ISP. That trial-and-error habit wastes hours and hides the real cause.
A SonicWall tells you exactly where a packet died if you ask it. The discipline is to localise the drop first — is it an access rule, a NAT policy, a route, or a security service (DPI/GAV/IPS/CFS)? — then use Packet Monitor to read the per-packet verdict and drop reason, and the Connections table and logs to confirm the fix. That single shift, from guessing to reading the firewall's own evidence, is what separates a slow ticket from a fast one.
① Where is it dropped? The methodology
When traffic doesn't pass a SonicWall, there is really only one useful question: where is the packet being dropped? Resist the urge to change things at random. Instead, reproduce the problem and localise the drop to one of four usual suspects.
The four suspects
An access rule can deny the zone-to-zone flow. A NAT policy can translate the address wrongly — or be missing for an inbound publish. A route can point traffic at the wrong next-hop or interface. And a security service — DPI, Gateway Anti-Virus, IPS or Content Filtering (CFS) — can silently block a flow that looks fine on paper.
The reason this matters: each suspect lives in a different place in SonicOS, and the firewall will tell you which one acted if you read its own verdict. Guessing the ISP is the cause is the classic time-sink when a DPI or CFS block is really to blame.
Traffic won't pass a SonicWall. What is the right first move?
② Packet Monitor — the primary tool
The single most useful tool is Packet Monitor, under Investigate ▸ Tools ▸ Packet Monitor in SonicOS 7. It captures packets into the firewall's buffer and can also mirror matching packets out to an external analyser. What makes it special is that it shows the firewall's own handling of each packet — whether it was Forwarded, Consumed, Generated or DROPPED — and very often the drop reason or the module that acted.
Filter first, always
Set a tight filter before you reproduce: interface, source and destination IP, port and protocol. A capture with no filter grabs everything, so the one packet you care about is buried in noise — or the buffer fills before it even arrives. Once you have the capture you can export it as a pcap and open it in Wireshark for deeper analysis.
Investigate ▸ Tools. Filtered capture/mirror that shows the firewall's per-packet verdict (forwarded/consumed/generated/dropped) and the drop reason; exports a pcap.
Investigate ▸ Logs. Categorised events with plain drop messages like 'dropped by access rule'; set filters and levels while testing.
The Active Connections Monitor — live sessions with source, destination, zone, service and NAT. Confirms whether a flow is actually being created.
System ▸ Diagnostics. A full config/state export to attach when you open a case. Collect it before you contact SonicWall Support.
Always set a tight Packet Monitor filter — interface, source/destination IP, port and protocol — before you reproduce. An unfiltered capture buries the one packet you need in noise and can fill the buffer before the real packet even arrives.
What does Packet Monitor uniquely show that a capture on a PC does not?
③ Logs / Event Monitor + the Connections table
Two more views confirm what Packet Monitor showed. The Log / Event Monitor (under Investigate ▸ Logs) lists events with categories, priorities and plain messages — including explicit drop lines like 'dropped by access rule' or 'no matching policy.' Set log filters and levels to focus on the affected flow and raise verbosity while you test.
The Connections table (the Active Connections Monitor) answers a different question: is a session even being created? It lists live flows with source, destination, zone, service and NAT mapping. If your flow never appears, the firewall isn't forwarding it; if it appears after a change, the path is at least being built. Packet Monitor tells you why a packet died; Connections tells you whether a session lives.
Exposing an internal server to the WAN needs both a NAT policy (to translate the public address) and a matching access rule (to allow WAN ▸ the server's zone). Adding only the NAT is the single most common reason a 'published' server is still unreachable.
▶ Watch a published server go from DROPPED to reachable
How one inbound connection is handled end-to-end. Press Play for the diagnosis-and-fix path, then Break it to see the classic mistake.
You added a rule and want to confirm a session is now actually being built. Where do you look?
④ System Diagnostics, the Tech Support Report & a worked flow
System ▸ Diagnostics carries the everyday probes — ping, DNS name lookup, reverse-DNS lookup, traceroute and a core/system monitor — for checking reachability and name resolution. It is also where you generate the Tech Support Report (TSR): a full config and state export you download and attach when you open a case with SonicWall Support. Collect it before you call, not after. SafeMode is the separate recovery boot mode for a box that won't start normally.
The worked flow
Put it together: reproduce ▸ Packet Monitor with a tight filter ▸ read the drop and its reason ▸ inspect the responsible access rule / NAT policy / route / DPI setting ▸ fix ▸ re-test and confirm in Connections and the logs. The pitfalls that bite people: capturing with no filter, forgetting that an inbound publish needs both a NAT policy and an access rule, blaming the ISP when a DPI/CFS block is the cause, and contacting Support without a TSR ready.
Priya at Meridian Logistics in Kochi faces this
A newly published web server in the DMZ is unreachable from the internet, even though the team insists 'the NAT is added.'
The inbound publish has a NAT policy but no matching WAN ▸ DMZ access rule, so the firewall translates the address and then drops the packet.
In Investigate ▸ Tools ▸ Packet Monitor, filter on the server IP and TCP 443 and reproduce. The inbound SYN arrives and is DROPPED with reason 'no matching access rule'; the Connections table shows no session is created.
Investigate ▸ Tools ▸ Packet Monitor + Policy ▸ Rules & PoliciesAdd the WAN ▸ DMZ access rule allowing the published service to the server, keeping the existing inbound NAT policy.
Re-run Packet Monitor — the SYN is now Forwarded — and the Connections table shows the live session; the log stops emitting the 'dropped by access rule' message.
Never close a SonicWall ticket on a hunch. After a fix, re-run Packet Monitor to see the packet Forwarded, check the Connections table for the live session, and watch the drop message disappear from the logs. Three reads, zero guessing.
Before escalating an unresolved issue to SonicWall Support, what should you have ready?
🤖 Ask the AI Tutor
Tap any question — instant, scoped to this lesson. No login, no waiting.
Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.
📝 Wrap-up assessment — six more
You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.
🧠 In your own words
Type one line: why is 'where is it dropped?' the right first question on a SonicWall, not 'is the ISP down?' Then compare with the expert version.
🗣 Teach a friend
Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.
📖 Glossary
- Packet Monitor
- SonicOS capture/mirror tool (Investigate ▸ Tools) that shows the firewall's per-packet verdict — forwarded, consumed, generated or dropped — and often the drop reason; exports a pcap.
- Capture vs Mirror
- Capture stores matching packets in the firewall buffer for inspection and export; mirror copies them out of an interface to an external analyser.
- Drop reason / module
- The firewall's stated cause for discarding a packet, such as 'no matching access rule' or 'no matching policy', shown per packet in the capture.
- Access rule
- A zone-to-zone allow or deny policy that decides whether traffic between two zones is permitted.
- NAT policy
- The rule that translates source or destination addresses, including the inbound publishing of internal servers to the WAN.
- Connections (Active Connections Monitor)
- The table of live sessions showing source, destination, zone, service and NAT mapping — confirms whether a flow is being created.
- Log / Event Monitor
- Investigate ▸ Logs view of categorised events with drop messages and adjustable filters and levels.
- Tech Support Report (TSR)
- A full configuration and state export from System ▸ Diagnostics, collected before raising a case with SonicWall Support.
- DPI / GAV / IPS / CFS
- Security services — Deep Packet Inspection, Gateway Anti-Virus, Intrusion Prevention and Content Filtering — that can silently block traffic.
- SafeMode
- A recovery boot mode for restoring firmware or settings when the firewall won't boot normally.
📚 Sources
- SonicWall — Using Packet Monitor in SonicOS 7 (capture, filters, mirror, pcap export). sonicwall.com/support/technical-documentation
- SonicWall — Investigate ▸ Logs: the Event/Log Monitor, categories, filters and levels. sonicwall.com/support
- SonicWall — Active Connections Monitor (the Connections table). sonicwall.com/support
- SonicWall — System ▸ Diagnostics: ping, DNS lookup, reverse-DNS, traceroute and tools. sonicwall.com/support
- SonicWall — How to generate a Tech Support Report (TSR). sonicwall.com/support/knowledge-base
- SonicWall — Configuring inbound NAT policies and access rules to publish a server. sonicwall.com/support/knowledge-base
What's next?
Comfortable finding the drop? Next, turn it into interview gold: the most-asked SonicWall interview questions with model answers — zones, NAT, access rules, DPI and the exact troubleshooting story to tell.