XG not logging all dropped packets?

Question

SFOS 17.1.0 GA. It looks like the logviewer doesn't show all dropped packets. 
 For example, I have an incoming NAT firewall rule that restricts access to specific hosts only. These hosts communicate every second with a device hosted behind XG. Once I remove one of the allowed hosts from the list, this host of course looses it's connection. However, I don't see any blocked packets to the destination port (8080) the NAT rule is configured for. I do see 'allow' lines, but no 'denied'. 
 Since I must modify the rule from time to time because some hosts have dynamic IPs, I can't lookup the IP anymore from the log since it doesn't appear in that. 
 Franc.

LuCar Toni · Accepted Answer

Hi, 
 it is true, XG does not log in the current build dropped packets in case XG does not find any matching rule. 
 Example: you want to build up LAN to WAN Port 1234 and you dont have any rule, you won&acute;t see the drops in the logviewer. But you can test the framework with the policy tester and you will see, there is not rule. And without rule, there can&acute;t be traffic :) 
 cheers

LuCar Toni · Answer

So - Yes. But tbh XG gives you more ways to see, what is happening than UTM. 
 There is a drppkt and tcpdump with more information. 
 The Packetfilter.log on UTM only covers the stateful firewall (and only if you have logging on in the specific rule). I dont want to go further off topic in the UTM vs XG, but i think, XG gives you more power in troubleshooting than UTM.