.. _example_service_traffic-proxy_block_appid:

######
App Id
######

This scenario shows how to configure the traffic-proxy service
to block HTTPS traffic based on ``app-id`` detection. Different
match types (``connmark``, ``vrf-connmark``) and dictionary sources
(custom CLI and XML file) are used to classify and block detected
application flows.

.. image:: block-proxy.svg
   :width: 800

***************
Block By App-Id
***************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``app-id`` detection combined with
``connmark``. A custom CLI dictionary is configured
to detect the SNI ``webserver.com`` as ``app-id 1``.
The traffic selector matches any custom app-id and
the traffic policy sets ``connmark 1000`` on detected
flows, which triggers the traffic-proxy block rule.
The test first verifies that traffic is not blocked
without the app-detect policy, then enables it and
confirms that traffic is blocked and the proxy stats
reflect the blocked connection.

Scenario
========

.. include:: appid/blockbyapp-id


**************************
Block By App-Id Dictionary
**************************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``app-id`` detection with an XML dictionary
file. The dictionary ``webserver_dict.xml`` is uploaded
to the DUT and contains application definitions with
``engine_id=128``. The traffic selector matches
``app-id engine 128`` and the traffic policy sets
``connmark 1000`` on detected flows, which triggers
the traffic-proxy block rule. The test first verifies
that traffic is not blocked without the app-detect
policy, then enables it and confirms that traffic is
blocked and the proxy stats reflect the blocked
connection.

Scenario
========

.. include:: appid/blockbyapp-iddictionary


**********************************
Block By App-Id Using VRF-Connmark
**********************************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``app-id`` detection combined with
``vrf-connmark``. A custom CLI dictionary is
configured to detect the SNI ``webserver.com`` as
``app-id 1``. The traffic selector matches any
custom app-id and the traffic policy sets
``vrf-connmark`` for VRF ``LAN`` on detected
flows, which triggers the traffic-proxy block rule.
The test first verifies that traffic is not blocked
without the app-detect policy, then enables it and
confirms that traffic is blocked and the proxy stats
reflect the blocked connection.

Scenario
========

.. include:: appid/blockbyapp-idusingvrf-connmark
