.. _example_service_traffic-proxy_block_firewall:

########
Firewall
########

This scenario shows how to configure the traffic-proxy service
to block HTTPS traffic based on ``firewall`` rules. Different
match types (``connmark``, ``extra-connmark 1`` and ``vrf-connmark``) are used to classify
and block firewall-matched flows.

.. image:: block-proxy.svg
   :width: 800

********************************
Block By Firewall Using Connmark
********************************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``firewall`` rules combined with ``connmark``.
A firewall ruleset ``block.rules`` is loaded to
detect and drop TLS traffic matching a specific SNI.
The firewall bypass action sets ``connmark mark 1000``
on blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.

Scenario
========

.. include:: firewall/blockbyfirewallusingconnmark

****************************************
Block By Firewall Using Extra-Connmark 1
****************************************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``firewall`` rules combined with
``extra-connmark 1``. A firewall ruleset
``block.rules`` is loaded to detect and drop TLS
traffic matching a specific SNI. The firewall bypass
action sets ``extra-connmark 1 value 1000`` on
blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.

Scenario
========

.. include:: firewall/blockbyfirewallusingextra-connmark1

********************************
Block By Firewall Using VRF-Mark
********************************

Description
===========

This example demonstrates how to configure the
``service traffic-proxy`` to block HTTPS traffic
using ``firewall`` rules combined with
``vrf-connmark``. A firewall ruleset
``block.rules`` is loaded to detect and drop TLS
traffic matching a specific SNI. The firewall bypass
action sets ``vrf-connmark`` for VRF ``LAN``
on blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.

Scenario
========

.. include:: firewall/blockbyfirewallusingvrf-mark

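The three scenarios above share one pipeline: the firewall parses the TLS
ClientHello for its SNI, marks the matching flow (``connmark``,
``extra-connmark 1`` or ``vrf-connmark`` for VRF ``LAN``, all with value 1000),
and the traffic-proxy block rule fires only when that mark is present. The
following Python model is an added example, not code from the OSDx
documentation, the firewall or the traffic-proxy service. The SNI parser
works on real ClientHello bytes; the ruleset standing in for ``block.rules``,
the hostnames ``blocked.example`` and ``allowed.example``, the zeroed random
field in the constructed ClientHello, and the log and stats formats are all
constructed for illustration.

```python
# Added example: model of firewall SNI match -> mark -> traffic-proxy block.
# Not OSDx's own code; ruleset, hostnames and log/stats formats are constructed.
import struct
from dataclasses import dataclass, field
from typing import Optional

BLOCK_MARK = 1000  # mark value used by the page's scenarios


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16:                      # not a handshake record
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if body[0] != 0x01:                        # not a ClientHello
            return None
        hs = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                               # skip version + random
        pos += 1 + hs[pos]                         # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hs[pos]                         # compression methods
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            data, pos = hs[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0:                         # 0 = server_name extension
                continue
            p = 2                                  # skip server_name_list length
            while p + 3 <= len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:                     # host_name entry
                    return data[p + 3:p + 3 + nlen].decode("ascii", "replace")
                p += 3 + nlen
    except (IndexError, struct.error):             # truncated or malformed input
        return None
    return None


def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = struct.pack("!H", len(entry)) + entry
    exts = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    hello = (b"\x03\x03" + bytes(32)               # version + zeroed random
             + b"\x00"                             # empty session id
             + b"\x00\x02\x13\x01"                 # one cipher suite
             + b"\x01\x00"                         # null compression only
             + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


@dataclass
class Flow:
    client_hello: bytes
    vrf: str = "LAN"                               # VRF name from the page
    connmark: int = 0
    extra_connmark: dict = field(default_factory=dict)   # slot -> value
    vrf_connmark: dict = field(default_factory=dict)     # vrf -> value


def firewall_mark(flow: Flow, blocked_snis: set, kind: str) -> bool:
    """Stand-in for block.rules: on an SNI match, set the chosen mark, report a drop."""
    sni = parse_sni(flow.client_hello)
    if sni is None or sni not in blocked_snis:
        return False
    if kind == "connmark":
        flow.connmark = BLOCK_MARK
    elif kind == "extra-connmark":
        flow.extra_connmark[1] = BLOCK_MARK
    elif kind == "vrf-connmark":
        flow.vrf_connmark[flow.vrf] = BLOCK_MARK
    else:
        raise ValueError(f"unknown mark kind {kind!r}")
    return True


def proxy_blocks(flow: Flow, kind: str) -> bool:
    """The traffic-proxy block rule: match the same mark the firewall sets."""
    if kind == "connmark":
        return flow.connmark == BLOCK_MARK
    if kind == "extra-connmark":
        return flow.extra_connmark.get(1) == BLOCK_MARK
    if kind == "vrf-connmark":
        return flow.vrf_connmark.get(flow.vrf) == BLOCK_MARK
    raise ValueError(f"unknown mark kind {kind!r}")


def run_scenario(host: str, kind: str, firewall_enabled: bool) -> dict:
    """Reproduce the page's test: one HTTPS flow, with or without the policy."""
    flow = Flow(build_client_hello(host))
    log = []                                       # constructed firewall log
    if firewall_enabled and firewall_mark(flow, {"blocked.example"}, kind):
        log.append(f"DROP tls sni={host} set {kind}={BLOCK_MARK}")
    blocked = proxy_blocks(flow, kind)
    stats = {"connections": 1, "blocked": int(blocked)}
    return {"blocked": blocked, "firewall_log": log, "stats": stats}


if __name__ == "__main__":
    for kind in ("connmark", "extra-connmark", "vrf-connmark"):
        for enabled in (False, True):
            r = run_scenario("blocked.example", kind, enabled)
            print(f"{kind:15} firewall={'on' if enabled else 'off':3} "
                  f"blocked={r['blocked']} log={r['firewall_log']}")
```

Running the block walks each mark type with the firewall policy off and then
on, mirroring the order of checks in the scenarios: without the policy no mark
is set and the proxy lets the flow through; with it the SNI match sets the mark,
the log records the drop and the proxy's blocked counter increments. Note that
the proxy rule only ever inspects the mark, so a flow the firewall does not
classify (for example a ClientHello without SNI) is never blocked by this path.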