Unified Policy may contain filter criteria that cannot be resolved on a connection's first packet, such as Application or Data. Therefore, on some connections the final rule match decision is reached only on the following data packets.
However, the Rule Base may decide to block the connection at an early stage, before a final rule decision, if all potential rules of the layer for that connection have a Drop or Reject action. This drop generates a log with the Rule Name "CP_Early_Drop", and hits are counted for all the potential rules.
The purpose of this optimization is to improve security by dropping the connection as soon as possible.
However, if you want full visibility into the exact rules that dropped the connection, you can turn off the optimization.
Do the following to change the global parameter permanently:
- Connect to the command line on the Security Gateway.
- Log in to Expert mode.
- Set the value of the kernel parameter up_early_drop_optimization to 0 permanently:
  - Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):
    [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
  - Edit the $FWDIR/boot/modules/fwkern.conf file in the Vi editor:
    [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
  - Add the following line (spaces and comments are not allowed):
    up_early_drop_optimization=0
  - Save the changes and exit the Vi editor.
  - Check the content of the $FWDIR/boot/modules/fwkern.conf file:
    [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
- Reboot the Security Gateway.
- In SmartConsole, install the policy.
- Make sure that the new value was set:
  [Expert@HostName]# fw ctl get int up_early_drop_optimization
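The edit step above is easy to get wrong by hand: a duplicated line, or a line with spaces or a trailing comment, which fwkern.conf does not allow. The following is an added example (not Check Point's own tooling) of setting the parameter idempotently and validating the file format; it runs against a constructed scratch file rather than the real $FWDIR/boot/modules/fwkern.conf path, and the reboot and `fw ctl get int` verification steps still apply on a gateway.

```shell
#!/bin/sh
# Added example, not Check Point tooling: keep a kernel parameter in fwkern.conf
# idempotently. The file must hold one NAME=VALUE per line with no spaces and no
# comments, so the helpers enforce exactly that. The demo uses a scratch file;
# on a gateway you would point at $FWDIR/boot/modules/fwkern.conf and reboot.

# set_fwkern_param FILE NAME VALUE
# Replaces an existing NAME= line or appends one; creates FILE if it is absent.
set_fwkern_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    if grep -q "^${name}=" "$file"; then
        tmp="${file}.tmp.$$"   # rewrite via a temp file (portable, no sed -i)
        sed "s/^${name}=.*/${name}=${value}/" "$file" > "$tmp" && mv "$tmp" "$file"
    else
        printf '%s=%s\n' "$name" "$value" >> "$file"
    fi
}

# get_fwkern_param FILE NAME: prints the configured value, empty if unset.
get_fwkern_param() {
    sed -n "s/^$2=//p" "$1"
}

# check_fwkern_file FILE: returns 0 when every line is a bare NAME=VALUE
# (no spaces, no '#' comments); otherwise lists offending lines and returns 1.
check_fwkern_file() {
    bad=$(grep -vnE '^[A-Za-z_][A-Za-z0-9_]*=[^ #]+$' "$1" || true)
    if [ -n "$bad" ]; then
        printf 'invalid fwkern.conf line(s):\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demonstration against a constructed scratch file.
demo_fwkern() {
    f=$(mktemp)
    set_fwkern_param "$f" up_early_drop_optimization 0
    set_fwkern_param "$f" up_early_drop_optimization 0   # second call: still one line
    check_fwkern_file "$f" && echo "fwkern.conf OK: $(cat "$f")"
    rm -f "$f"
}

demo_fwkern
```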