Basic
This scenario shows how to configure the traffic-proxy service to serve HTML pages for blocked traffic and how to customize the block template pages.
Basic HTTPS Block
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic based
on a connmark match. First, a block rule is configured
without a traffic policy marking packets, so traffic
should not be blocked. Then, a traffic policy is applied
to mark flows with connmark 1000, which triggers
the block rule and serves the default OSDx block page.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.270 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.270/0.270/0.270/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.653 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.653/0.653/0.653/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   2323      0 --:--:-- --:--:-- --:--:--  2409
Step 6: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         12   2040
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              0      0

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Note
Now it is important to enable the traffic policy to mark all incoming traffic so the block page is served.
Step 8: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 traffic policy in BLOCK priority very-high
set traffic policy BLOCK rule 1 selector HTTPS_TRAFFIC
set traffic policy BLOCK rule 1 set connmark 1000
Note
Now an HTTP/s request is made to the webserver.com service.
Step 9: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0   117k      0 --:--:-- --:--:-- --:--:--  125k
Step 10: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
        .header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
        .main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
        h1 { font-size: 28px; font-weight: 400; color: #374151; }
        .footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
    </style>
</head>
<body>
    <header class="header">OSDx</header>
    <main class="main">
        <h1>Access Denied</h1>
    </main>
    <footer class="footer">
        Blocked by OSDx
    </footer>
</body>
</html>
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 11: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         23   4028
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked             11   1988

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1           11   1988
---------------------
Total       11   1988
Step 12: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:07:17 UTC BLOCKED: https 192.168.1.2 48276 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
Basic HTTP Block
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTP traffic based
on a connmark match. First, a block rule is configured
without a traffic policy marking packets, so traffic
should not be blocked. Then, a traffic policy is applied
to mark flows with connmark 1000, which triggers
the block rule and serves the default OSDx block page.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode http
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 80
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.393 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.393/0.393/0.393/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.553 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.553/0.553/0.553/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy http://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    52  100    52    0     0   7963      0 --:--:-- --:--:-- --:--:--  8666
Step 6: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTP server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted          5    516
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              0      0

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Note
Now it is important to enable the traffic policy to mark all incoming traffic so the block page is served.
Step 8: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 traffic policy in BLOCK priority very-high
set traffic policy BLOCK rule 1 selector HTTPS_TRAFFIC
set traffic policy BLOCK rule 1 set connmark 1000
Note
Now an HTTP/s request is made to the webserver.com service.
Step 9: Run command file copy http://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0   367k      0 --:--:-- --:--:-- --:--:--  458k
Step 10: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Access Denied</title>
    <style>
        * { margin: 0; padding: 0; box-sizing: border-box; }
        body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
        .header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
        .main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
        h1 { font-size: 28px; font-weight: 400; color: #374151; }
        .footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
    </style>
</head>
<body>
    <header class="header">OSDx</header>
    <main class="main">
        <h1>Access Denied</h1>
    </main>
    <footer class="footer">
        Blocked by OSDx
    </footer>
</body>
</html>
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 11: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         10   1032
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked              5    516

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1            5    516
---------------------
Total        5    516
Step 12: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:07:29 UTC BLOCKED: http 192.168.1.2 34846 10.215.168.1 80 webserver.com GET / sni:- mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
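Added example, not part of the original documentation: a small parser for the `show connections blocked` lines shown in the HTTPS and HTTP scenarios above, which groups blocked flows by client and match and treats `sni:-` as "no SNI". The positional field names (`proto`, `src_ip`, `host`, `method`, `path` and so on) are assumptions inferred from the two sample lines, not documented OSDx names.

```python
import re
from collections import Counter

# Two lines copied from the "show connections blocked" output on this page.
SAMPLE_LOG = """\
2026-03-05 20:07:17 UTC BLOCKED: https 192.168.1.2 48276 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
2026-03-05 20:07:29 UTC BLOCKED: http 192.168.1.2 34846 10.215.168.1 80 webserver.com GET / sni:- mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
"""

# Positional field names are assumptions inferred from the sample lines;
# only the key:value tags (sni, mark, match, ...) are named in the output.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \w+) "
    r"(?P<verdict>[A-Z]+): (?P<proto>\S+) "
    r"(?P<src_ip>\S+) (?P<src_port>\d+) (?P<dst_ip>\S+) (?P<dst_port>\d+) "
    r"(?P<host>\S+) (?P<method>\S+) (?P<path>\S+)"
    r"(?P<tags>(?: \w+:\S*)*)$"
)


def parse_line(line):
    """Return one event dict, or None if the line does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_port"] = int(ev["src_port"])
    ev["dst_port"] = int(ev["dst_port"])
    tags = {}
    for token in ev.pop("tags").split():
        key, _, value = token.partition(":")
        tags[key] = None if value in ("", "-") else value  # "sni:-" -> no SNI
    ev["tags"] = tags
    return ev


def parse_log(text):
    """Split a log into parsed events and raw lines that were rejected."""
    events, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            rejected.append(line)
        else:
            events.append(ev)
    return events, rejected


def blocks_by_client(events):
    """Count BLOCKED events per (client, host, match type, match value)."""
    counts = Counter()
    for ev in events:
        if ev["verdict"] == "BLOCKED":
            t = ev["tags"]
            key = (ev["src_ip"], ev["host"], t.get("match"), t.get("match_value"))
            counts[key] += 1
    return counts


def sni_host_mismatches(events):
    """Events that carry an SNI which differs from the requested host name."""
    return [ev for ev in events
            if ev["tags"].get("sni") and ev["tags"]["sni"] != ev["host"]]


if __name__ == "__main__":
    events, rejected = parse_log(SAMPLE_LOG)
    for key, n in blocks_by_client(events).items():
        print(n, *key)
    print("rejected:", len(rejected),
          "sni mismatches:", len(sni_host_mismatches(events)))
```

Lines that do not fit the layout are returned in `rejected` rather than dropped, so a format change in the log shows up as a non-empty list instead of silently missing events.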
Customize Default Block Page
Description
This example demonstrates how to replace the default
block page with a custom HTML template. The template
file customized_block_template.html is uploaded to the DUT and
configured via block template file. A template
variable REASON is defined with a default value
that is rendered in the blocked response. The test
verifies that the custom page is served with the
expected content when traffic is blocked.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in BLOCK priority very-high
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY block template file 'running://customized_block_template.html'
set service traffic-proxy TRAFFIC_PROXY block template variable REASON value 'DEFAULT BLOCK'
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy BLOCK rule 1 selector HTTPS_TRAFFIC
set traffic policy BLOCK rule 1 set connmark 1000
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.226 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.226/0.226/0.226/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.672 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.672/0.672/0.672/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    54  100    54    0     0   2548      0 --:--:-- --:--:-- --:--:--  2571
Step 6: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*
.*DEFAULT BLOCK.*
<html><body>Access Denied DEFAULT BLOCK</body></html>
Note
As you can see, the block template has been replaced and
the REASON placeholder has been correctly substituted
with the default variable value.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         11   1988
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked             11   1988

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1           11   1988
---------------------
Total       11   1988
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:07:41 UTC BLOCKED: https 192.168.1.2 54824 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
Customize Block Page Based On Matching Rule
Description
This example demonstrates how to override template
variables on a per-rule basis. A default REASON
value is set at the template level, but the block
rule overrides it with a specific value using
block rule 1 set variable. The test verifies
that the rule-level value takes precedence over the
default template variable in the blocked response.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in BLOCK priority very-high
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY block rule 1 set variable REASON value 'BLOCK BY FIREWALL'
set service traffic-proxy TRAFFIC_PROXY block template file 'running://customized_block_template.html'
set service traffic-proxy TRAFFIC_PROXY block template variable REASON value 'DEFAULT BLOCK'
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy BLOCK rule 1 selector HTTPS_TRAFFIC
set traffic policy BLOCK rule 1 set connmark 1000
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.681 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.681/0.681/0.681/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.631 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.631/0.631/0.631/0.000 ms
Note
Now an HTTP/s request is made to the webserver.com service.
Step 5: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    58  100    58    0     0   2531      0 --:--:-- --:--:-- --:--:--  2636
Step 6: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*
.*BLOCK BY FIREWALL.*
<html><body>Access Denied BLOCK BY FIREWALL</body></html>
Note
As you can see, the block template has been replaced and
the REASON placeholder has been correctly substituted
with the value defined in the matching rule.
Step 7: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
intercepted         11   1988
queue - orig         0      0
queue - reply        0      0
error                0      0
blocked             11   1988

Blocking statistics for instance "TRAFFIC_PROXY":

---------------------
rule   packets  bytes
---------------------
1           11   1988
---------------------
Total       11   1988
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:07:53 UTC BLOCKED: https 192.168.1.2 51198 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.