App Id
This scenario shows how to configure the traffic-proxy service
to block HTTPS traffic based on app-id detection. Different
match types (connmark, vrf-connmark) and dictionary sources
(custom CLI and XML file) are used to classify and block detected
application flows.
Block By App-Id
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using app-id detection combined with
connmark. A custom CLI dictionary is configured
to detect the SNI webserver.com as app-id 1.
The traffic selector matches any custom app-id and
the traffic policy sets connmark 1000 on detected
flows, which triggers the traffic-proxy block rule.
The test first verifies that traffic is not blocked
without the app-detect policy, then enables it and
confirms that traffic is blocked and the proxy stats
reflect the blocked connection.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system conntrack app-detect dictionary 1 custom app-id 1 fqdn webserver.com
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy BLOCKED_APP rule 1 selector BLOCKED_APP
set traffic policy BLOCKED_APP rule 1 set connmark 1000
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector BLOCKED_APP rule 1 app-detect app-id custom -1
set traffic selector BLOCKED_APP rule 1 app-detect state detected
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.690 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.690/0.690/0.690/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.811 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.811/0.811/0.811/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   1799      0 --:--:-- --:--:-- --:--:--  1827
Step 6: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         11   1988
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              0      0

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Note
Now it is important to enable the app-detect traffic policy so detected flows are marked and the traffic-proxy block rule is triggered.
Step 8: Modify the following configuration lines in DUT0:
set interfaces ethernet eth1 traffic policy in BLOCKED_APP priority very-high
Note
Now an HTTP/s request is made to the webserver.com service.
Step 9: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0  96397      0 --:--:-- --:--:-- --:--:--   98k
Step 10: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
        .header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
        .main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
        h1 { font-size: 28px; font-weight: 400; color: #374151; }
        .footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
    </style>
</head>
<body>
    <header class="header">OSDx</header>
    <main class="main">
        <h1>Access Denied</h1>
    </main>
    <footer class="footer">
        Blocked by OSDx
    </footer>
</body>
</html>
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 11: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         22   3976
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              9   1876

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 12: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:08:59 UTC BLOCKED: https 192.168.1.2 48930 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
Block By App-Id Dictionary
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using app-id detection with an XML dictionary
file. The dictionary webserver_dict.xml is uploaded
to the DUT and contains application definitions with
engine_id=128. The traffic selector matches
app-id engine 128 and the traffic policy sets
connmark 1000 on detected flows, which triggers
the traffic-proxy block rule. The test first verifies
that traffic is not blocked without the app-detect
policy, then enables it and confirms that traffic is
blocked and the proxy stats reflect the blocked
connection.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system conntrack app-detect dictionary 1 filename 'running://webserver_dict.xml'
set system conntrack app-detect enable_dict_match_priv_ip
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy BLOCKED_APP rule 1 selector BLOCKED_APP
set traffic policy BLOCKED_APP rule 1 set connmark 1000
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector BLOCKED_APP rule 1 app-detect app-id engine 128
set traffic selector BLOCKED_APP rule 1 app-detect state detected
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.208 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.208/0.208/0.208/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.702 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.702/0.702/0.702/0.000 ms
Note
The XML dictionary file uploaded to the DUT contains the application definitions and looks as follows.
Step 5: Run command file show running://webserver_dict.xml at DUT0 and expect this output:
<?xml version="1.0" encoding="UTF-8"?>
<proxy_settings updated="10/12/25" version="2">
    <provider engine_id="128" name="Teldat">
        <app id="1" name="Web Server Test 1" version="1">
            <fqdn_list>
                <fqdn>webserver.com</fqdn>
            </fqdn_list>
        </app>
        <app id="2" name="Web Server Test 2" version="1">
            <address_list>
                <range id="1">
                    <net_address>10.215.168.1</net_address>
                    <net_mask>255.255.255.0</net_mask>
                </range>
            </address_list>
        </app>
    </provider>
</proxy_settings>
Note
Now an HTTP/s request is made to the webserver.com service.
Step 6: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   1830      0 --:--:-- --:--:-- --:--:--  1892
Step 7: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         12   2040
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              0      0

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Note
Now it is important to enable the app-detect traffic policy so detected flows are marked and the traffic-proxy block rule is triggered.
Step 9: Modify the following configuration lines in DUT0:
set interfaces ethernet eth1 traffic policy in BLOCKED_APP priority very-high
Note
Now an HTTP/s request is made to the webserver.com service.
Step 10: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0  84965      0 --:--:-- --:--:-- --:--:-- 88125
Step 11: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
        .header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
        .main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
        h1 { font-size: 28px; font-weight: 400; color: #374151; }
        .footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
    </style>
</head>
<body>
    <header class="header">OSDx</header>
    <main class="main">
        <h1>Access Denied</h1>
    </main>
    <footer class="footer">
        Blocked by OSDx
    </footer>
</body>
</html>
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 12: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         23   4028
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              9   1876

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 13: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:09:12 UTC BLOCKED: https 192.168.1.2 52812 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
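A dictionary file like the one shown in Step 5 can be audited offline before it is uploaded. The following Python code is an added example, not OSDx code: it parses that XML and lists the (engine_id, app id) pairs a flow would map to. It assumes exact, case-insensitive FQDN matching and that net_address/net_mask describe a network; load_dictionary and classify are hypothetical names.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Dictionary content as printed in Step 5 above (webserver_dict.xml).
DICT_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<proxy_settings updated="10/12/25" version="2">
  <provider engine_id="128" name="Teldat">
    <app id="1" name="Web Server Test 1" version="1">
      <fqdn_list><fqdn>webserver.com</fqdn></fqdn_list>
    </app>
    <app id="2" name="Web Server Test 2" version="1">
      <address_list>
        <range id="1">
          <net_address>10.215.168.1</net_address>
          <net_mask>255.255.255.0</net_mask>
        </range>
      </address_list>
    </app>
  </provider>
</proxy_settings>
"""


def load_dictionary(xml_bytes):
    """Parse the dictionary into a list of per-app match rules."""
    apps = []
    for provider in ET.fromstring(xml_bytes).iter("provider"):
        engine_id = int(provider.get("engine_id"))
        for app in provider.iter("app"):
            nets = []
            for rng in app.iter("range"):
                addr = rng.findtext("net_address", "").strip()
                mask = rng.findtext("net_mask", "").strip()
                # strict=False: the sample range has host bits set (10.215.168.1
                # with a /24 mask); assumed here to mean 10.215.168.0/24.
                nets.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
            apps.append({
                "engine_id": engine_id,
                "app_id": int(app.get("id")),
                "name": app.get("name"),
                "fqdns": {f.text.strip().lower() for f in app.iter("fqdn") if f.text},
                "nets": nets,
            })
    return apps


def classify(apps, sni=None, dst_ip=None):
    """Return sorted (engine_id, app_id) pairs whose FQDN or range matches the flow.

    Assumption: FQDNs match exactly and case-insensitively; the device's real
    matching rules (suffixes, wildcards, precedence) are not given on the page.
    """
    host = sni.lower().rstrip(".") if sni else None
    addr = ipaddress.ip_address(dst_ip) if dst_ip else None
    hits = set()
    for app in apps:
        by_name = host is not None and host in app["fqdns"]
        by_addr = addr is not None and any(addr in net for net in app["nets"])
        if by_name or by_addr:
            hits.add((app["engine_id"], app["app_id"]))
    return sorted(hits)


if __name__ == "__main__":
    apps = load_dictionary(DICT_XML)
    flows = [("webserver.com", "10.215.168.1"),    # the flow tested in this scenario
             ("other.example", "10.215.168.200"),  # constructed: same /24, other name
             ("other.example", "192.168.1.2")]     # constructed: not in the dictionary
    for sni, ip in flows:
        print(f"{sni:15} {ip:15} -> {classify(apps, sni, ip)}")
```

Under the assumed semantics, any flow to an address in 10.215.168.0/24 maps to engine 128 through app 2 regardless of its SNI, so it is worth reviewing how wide each address range is before selecting on a whole engine.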
Block By APP-Id Using VRF-Connmark
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using app-id detection combined with
vrf-connmark. A custom CLI dictionary is
configured to detect the SNI webserver.com as
app-id 1. The traffic selector matches any
custom app-id and the traffic policy sets
vrf-connmark for VRF LAN on detected
flows, which triggers the traffic-proxy block rule.
The test first verifies that traffic is not blocked
without the app-detect policy, then enables it and
confirms that traffic is blocked and the proxy stats
reflect the blocked connection.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set interfaces ethernet eth1 vrf LAN
set protocols static route 192.168.1.0/24 next-hop-vrf LAN
set protocols vrf LAN static route 10.215.168.0/24 interface eth0
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark vrf-mark LAN
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system conntrack app-detect dictionary 1 custom app-id 1 fqdn webserver.com
set system conntrack app-detect http-host
set system conntrack app-detect ssl-host
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set traffic group port PORTS element 443
set traffic policy BLOCKED_APP rule 1 selector BLOCKED_APP
set traffic policy BLOCKED_APP rule 1 set vrf-connmark LAN
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector BLOCKED_APP rule 1 app-detect app-id custom -1
set traffic selector BLOCKED_APP rule 1 app-detect state detected
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.303 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.303/0.303/0.303/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.694 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.694/0.694/0.694/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   1991      0 --:--:-- --:--:-- --:--:--  2038
Step 6: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         12   2040
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              0      0

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Note
Now it is important to enable the app-detect traffic policy so detected flows are marked and the traffic-proxy block rule is triggered.
Step 8: Modify the following configuration lines in DUT0:
set interfaces ethernet eth1 traffic policy in BLOCKED_APP priority very-high
Note
Now an HTTP/s request is made to the webserver.com service.
Step 9: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0   102k      0 --:--:-- --:--:-- --:--:--   98k
Step 10: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
        .header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
        .main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
        h1 { font-size: 28px; font-weight: 400; color: #374151; }
        .footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
    </style>
</head>
<body>
    <header class="header">OSDx</header>
    <main class="main">
        <h1>Access Denied</h1>
    </main>
    <footer class="footer">
        Blocked by OSDx
    </footer>
</body>
</html>
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 11: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         23   4028
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              9   1876

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 12: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:09:25 UTC BLOCKED: https 192.168.1.2 42264 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:2147484859 emark1:0 emark2:3128 match:connmark match_value:2147484859
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
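The blocked-connection lines printed by show connections blocked in the three scenarios can be turned into structured events and checked against the marks the block rules are expected to use. The following Python code is an added example, not part of OSDx: the positional field names (verdict, mode, src_ip, src_port, dst_ip, dst_port, host, method, path) are assumptions inferred from the sample values, and parse_line and audit are hypothetical names.

```python
import re
from datetime import datetime, timezone

# The three "show connections blocked" lines printed on this page.
SAMPLE = """\
2026-03-05 20:08:59 UTC BLOCKED: https 192.168.1.2 48930 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
2026-03-05 20:09:12 UTC BLOCKED: https 192.168.1.2 52812 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
2026-03-05 20:09:25 UTC BLOCKED: https 192.168.1.2 42264 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:2147484859 emark1:0 emark2:3128 match:connmark match_value:2147484859
"""

# Positional field names are assumptions; the key:value pairs come from the log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC "
    r"(?P<verdict>[A-Z]+): (?P<mode>\S+) "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?P<kv>(?: \w+:\S+)*)$"
)


def parse_line(line):
    """Return one log line as a dict, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev.update(dict(pair.split(":", 1) for pair in ev.pop("kv").split()))
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    for key in ("src_port", "dst_port", "mark", "match_value"):
        if key in ev:
            ev[key] = int(ev[key])
    return ev


def audit(lines, expected):
    """Check BLOCKED events against expected = {match type: set of allowed marks}.

    Returns (events, findings); findings are (line number, message) tuples.
    """
    events, findings = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append((n, "unparsed line"))
            continue
        events.append(ev)
        if ev["verdict"] != "BLOCKED":
            continue
        allowed = expected.get(ev.get("match"))
        if allowed is None:
            findings.append((n, f"unexpected match type {ev.get('match')}"))
        elif ev.get("match_value") not in allowed:
            findings.append((n, f"blocked by unlisted mark {ev.get('match_value')}"))
        if ev.get("sni") != ev["host"]:
            findings.append((n, "SNI differs from requested host"))
    return events, findings


if __name__ == "__main__":
    # Only mark 1000 is listed, so the vrf-connmark block on line 3 is reported.
    events, findings = audit(SAMPLE.splitlines(), {"connmark": {1000}})
    for ev in events:
        print(ev["ts"].isoformat(), ev["src_ip"], ev["sni"], hex(ev["mark"]))
    for n, msg in findings:
        print(f"line {n}: {msg}")
```

With only mark 1000 listed, the third line (the vrf-connmark scenario, mark 2147484859) is reported, which shows that a check written for plain connmark values also has to account for the VRF-derived mark.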