Early drop of a connection before the final rule match
Symptoms
  • Log with Rule Name "CP_Early_Drop".
  • Log with Rule Name "N/A".
Cause

Unified Policy may contain filter criteria that cannot be resolved on a connection's first packet, such as Application or Data. For such connections the final rule-match decision is reached only on subsequent data packets.

However, the Rule Base may block the connection at an early stage, before a final rule decision, if all potential rules of a layer for that connection have a Drop or Reject action. This drop issues a log with Rule Name "CP_Early_Drop", and a hit is counted for every potential rule.

A layer's potential rules are the rules that still match the connection according to the filter criteria already resolved from the packets received so far (IP addresses, port, VPN tunnel, etc.).

Consider the following policy:

When an FTP connection is opened, the potential rules that match the first-packet criteria are 4, 6 and 7. Rule 4 is potential because the Skype application is searched for on any port, while a Skype match can be confirmed only on data packets. Nevertheless, since all potential rules have a Drop action, the connection is blocked on the first packet, although the Rule Base has not yet reached its final decision.

UserCheck actions such as "Drop with Blocked Message" or "Inform" do not participate in the optimization, so that the user is sure to receive the reply page. Likewise, a potential rule whose service has a resource cancels the optimization for the connection.

Furthermore, when an Early Drop occurs in one of the layers, the matching process in the previous layers is stopped (because the final action for the connection is already known), and the log record for those layers shows either the matched rule or "N/A" if the layer has not yet reached a final rule match.
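The following simulation is an added illustration of the early-drop logic described above; it is not Check Point code and does not reproduce the gateway's actual matching engine. Because the rule base from the article's screenshot is not included in this text, the two-layer policy below is constructed: rules 4, 6 and 7 mirror the FTP/Skype example (Skype searched on any port, all three potential rules set to Drop), and a "Network" layer whose rule 1 cannot be resolved on the first packet is added to show the "N/A" log. The first-match semantics over undecided rules, the layer order, and the layer and action names are assumptions for the purpose of the example.

```python
"""Simulation of Unified Policy early drop ("CP_Early_Drop").
Added illustration, not Check Point code; the policy below is constructed."""
from collections import defaultdict
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

BLOCKING_ACTIONS = {"Drop", "Reject"}
# UserCheck actions are deliberately absent from BLOCKING_ACTIONS: a potential rule
# carrying one of them cancels the optimization so the reply page can be served.
USERCHECK_ACTIONS = {"Drop with Blocked Message", "Inform"}


@dataclass
class Rule:
    number: int
    action: str
    port: Optional[int] = None         # first-packet criterion; None = Any
    application: Optional[str] = None  # data-packet criterion; None = Any
    resource: bool = False             # service with a resource (also cancels early drop)


def rule_match(rule: Rule, port: int, app: Optional[str]):
    """True = matches, False = cannot match, None = undecided until data packets arrive."""
    if rule.port is not None and rule.port != port:
        return False
    if rule.application is None:
        return True
    if app is None:
        return None                    # application not yet identified
    return rule.application == app


def evaluate_layer(layer: List[Rule], port: int, app: Optional[str], hits: Dict[int, int]):
    """First-match over one layer. Returns (action, Rule Name for the log)."""
    potential: List[Rule] = []
    for rule in layer:
        m = rule_match(rule, port, app)
        if m is False:
            continue                   # excluded by already-resolved criteria
        if m is True and not potential:
            hits[rule.number] += 1     # final match: nothing undecided above it
            return rule.action, str(rule.number)
        potential.append(rule)         # still a candidate
        if m is True:
            break                      # rules below this one can never be reached
    # No final decision yet: early drop only if every potential rule blocks
    # outright (no Accept, no UserCheck action, no service with a resource).
    if potential and all(r.action in BLOCKING_ACTIONS and not r.resource for r in potential):
        for r in potential:
            hits[r.number] += 1        # hits are counted for all potential rules
        return "Drop", "CP_Early_Drop"
    return "Pending", "N/A"


def evaluate_connection(layers: Dict[str, List[Rule]], port: int, app: Optional[str] = None):
    """Walk the ordered layers for one packet; app=None models the first packet.
    Returns (verdict, per-layer Rule Name logged, hit counters)."""
    hits: Dict[int, int] = defaultdict(int)
    logs: Dict[str, str] = {}
    verdict = "Accept"
    for name, layer in layers.items():
        action, log_name = evaluate_layer(layer, port, app, hits)
        logs[name] = log_name
        if action in BLOCKING_ACTIONS:
            verdict = action
            break                      # final action known; remaining layers are not consulted
        if action == "Pending":
            verdict = "Pending"
    return verdict, logs, dict(hits)


# Constructed policy (assumed layer names and rule numbers). Port 21 = FTP.
POLICY = {
    "Network": [
        Rule(1, "Accept", port=21, application="FTP"),   # undecided on the first packet
        Rule(2, "Drop"),                                 # cleanup rule
    ],
    "Application": [
        Rule(3, "Accept", port=80),
        Rule(4, "Drop", application="Skype"),            # Skype is searched for on any port
        Rule(5, "Accept", port=443),
        Rule(6, "Drop", port=21, application="FTP"),
        Rule(7, "Drop"),                                 # cleanup rule
    ],
}


def usercheck_variant(policy: Dict[str, List[Rule]]):
    """Same policy, but rule 6 uses a UserCheck action, which cancels the optimization."""
    return {name: [replace(r, action="Drop with Blocked Message") if r.number == 6 else r
                   for r in layer] for name, layer in policy.items()}


if __name__ == "__main__":
    print("first packet:", evaluate_connection(POLICY, 21))
    print("data packet (FTP):", evaluate_connection(POLICY, 21, app="FTP"))
    print("UserCheck on rule 6:", evaluate_connection(usercheck_variant(POLICY), 21))
```

On the first packet to port 21 the "Application" layer's potential rules are 4, 6 and 7, all Drop, so the connection is dropped with Rule Name "CP_Early_Drop" and hits on all three, while the still-undecided "Network" layer logs "N/A". Once the application is identified as FTP the same connection would have been dropped by rule 6 with a single hit; the early drop only reaches that verdict sooner. Changing rule 6 to "Drop with Blocked Message" or marking it as a service with a resource leaves both layers pending after the first packet.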

