In the logs once the traffic accepted and then detected

**Sneha** · 2018-06-27

In the logs from the source to destination once the traffic is accepted and then detected ? and user is getting drops when detect? in detect mode the traffic shouldn't be dropped right?

Here is the attachemt:-

Click image for larger version.

Name: accept-detect.jpg
Views: 86
Size: 35.0 KB
ID: 1397

**Bob_Zimmerman** · 2018-06-28

Generally, traffic is processed by the firewall rules first, then by threat prevention (IPS, antivirus, and so on). These can generate separate logs. The firewall actions include accept, drop, and reject. The threat prevention actions include allow, detect, and deny.

Even if something is accepted by the firewall rules, threat prevention can drop it later. If something is dropped by the firewall rules, it never hits threat prevention.

**Sneha** · 2018-06-29

The log is detected by the Firewall blade - and Message information says detected due to Address spoofing.

Click image for larger version.

Name: detection log.PNG
Views: 31
Size: 27.4 KB
ID: 1399

**Bob_Zimmerman** · 2018-07-02

Originally Posted by Sneha

The log is detected by the Firewall blade - and Message information says detected due to Address spoofing.

Address spoofing drops are always caused by either misconfiguration of your antispoofing topology or routing problems. It sounds like the gateway your firewall sends this packet to is sending it right back to the firewall.