https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1222055#M123414 <P>Hello,</P> <P>Along with the above advise, check the Unified logs, they will tell you why the traffic was blocked. If you are not hosting any services that require access from the internet, I would put in a DENY ALL incoming policy.</P> <P>&nbsp;</P> <P>Regards,</P> Wed, 26 Feb 2025 20:14:38 GMT OtakarKlier 2025-02-26T20:14:38Z https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221764#M123375 <P>New to palo's.&nbsp; I did search the topics and didnt find anything.</P> <P>Is it normal to see drop on the incoming interface to the firewall?&nbsp; Are the drops caused by policy?</P> <P>Also, what is a drop from flow state check?</P> <P>&nbsp;</P> <P>packets dropped 69498455<BR />packets dropped by flow state check 14915663</P> <P>&nbsp;</P> <P>thanks</P> Mon, 24 Feb 2025 13:36:36 GMT https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221764#M123375 D.Tamburin 2025-02-24T13:36:36Z https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221835#M123388 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1156642319">@D.Tamburin</a>&nbsp;,</P> <P>&nbsp;</P> <P>you can use packet capture and refer the global counter to verify the drops but it's cpu intensive, ensure that you are doing it during maintenance window to avoid any unforeseen.</P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTJCA0</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVOCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVOCA0</A></P> <P>&nbsp;</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008V0lCAE" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008V0lCAE</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 25 Feb 2025 03:40:01 GMT https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221835#M123388 mshekh 2025-02-25T03:40:01Z https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221892#M123393 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/1156642319">@D.Tamburin</a>&nbsp;,</P> <P>&nbsp;</P> <P>Depending on your policy it can be expected behavior.</P> <P>Are you dropping or denying traffic ?</P> <P>&nbsp;</P> <P>The difference being that a drop is silent where you simply discard the packet and don't tell anyone about it.&nbsp; A deny on the other hand sends a notification to the sender that something happened and their packet was rejected.</P> <P>&nbsp;</P> <P>Here are some posts that explain the difference between drop and deny:</P> <P><A href="https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/td-p/206863" target="_blank">https://live.paloaltonetworks.com/t5/general-topics/to-drop-or-deny/td-p/206863</A></P> <P><A href="https://live.paloaltonetworks.com/t5/community-blogs/what-a-difference-a-deny-makes/ba-p/188811" target="_blank">https://live.paloaltonetworks.com/t5/community-blogs/what-a-difference-a-deny-makes/ba-p/188811</A></P> <P>&nbsp;</P> <P>As&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/195187">@mshekh</a>&nbsp;explained you can also check with global counters and filter on the the 'drop' action.</P> <P>&nbsp;</P> <P>Here's a video explaining the process on how to go about troubleshooting silent drops on the firewall using global counters:</P> <P><A href="https://www.youtube.com/watch?v=lwYLS-dSq7I" target="_blank">https://www.youtube.com/watch?v=lwYLS-dSq7I</A></P> <P>&nbsp;</P> <P>Kind regards,</P> <P>-Kim.</P> <P>&nbsp;</P> Tue, 25 Feb 2025 08:59:35 GMT https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1221892#M123393 kiwi 2025-02-25T08:59:35Z https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1222055#M123414 <P>Hello,</P> <P>Along with the above advise, check the Unified logs, they will tell you why the traffic was blocked. If you are not hosting any services that require access from the internet, I would put in a DENY ALL incoming policy.</P> <P>&nbsp;</P> <P>Regards,</P> Wed, 26 Feb 2025 20:14:38 GMT https://live.paloaltonetworks.com/t5/general-topics/seeing-alot-of-drops-on-incoming-interface-to-palo-trying-to/m-p/1222055#M123414 OtakarKlier 2025-02-26T20:14:38Z