Firewall
This scenario shows how to configure the traffic-proxy service
to block HTTPS traffic based on firewall rules. Different
match types (connmark, extra-connmark 1 and vrf-connmark) are used to classify
and block firewall-matched flows.
Block By Firewall Using Connmark
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using firewall rules combined with connmark.
A firewall ruleset block.rules is loaded to
detect and drop TLS traffic matching a specific SNI.
The firewall bypass action sets connmark mark 1000
on blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service firewall FWL bypass action block set connmark mark 1000
set service firewall FWL logging outputs fast
set service firewall FWL mode inline queue Q
set service firewall FWL ruleset file 'running://block.rules'
set service firewall FWL tls-detection detection-ports 443
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark mark 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy HTTPS_FIREWALL rule 1 action enqueue Q
set traffic policy HTTPS_FIREWALL rule 1 selector HTTPS_FIREWALL
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic queue Q elements 0
set traffic selector HTTPS_FIREWALL rule 1 destination port-group PORTS
set traffic selector HTTPS_FIREWALL rule 1 not connmark 1000
set traffic selector HTTPS_FIREWALL rule 1 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 not connmark 1000
set traffic selector HTTPS_FIREWALL rule 2 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 source port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.630 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.630/0.630/0.630/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.310 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.310/0.310/0.310/0.000 ms
Note
The file containing the firewall rules for blocking traffic looks as follows.
Step 5: Run command file show running://block.rules at DUT0 and expect this output:
drop tls any any -> any any (msg:"Blocked traffic to webserver.com"; block; tls.sni; content:"webserver.com"; sid:1; rev:1;)
Note
Now an HTTPS request is made to the webserver.com service.
Step 6: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   2208      0 --:--:-- --:--:-- --:--:--  2304
Step 7: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          11   1988
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               0      0

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Step 9: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 traffic policy in HTTPS_FIREWALL priority very-high
set interfaces ethernet eth1 traffic policy out HTTPS_FIREWALL priority very-high
Note
Now an HTTPS request is made to the webserver.com service.
Step 10: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0  94396      0 --:--:-- --:--:-- --:--:--   98k
Step 11: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
<style>
* { margin: 0; padding: 0; box-sizing: border-box; }
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
.header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
.main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
h1 { font-size: 28px; font-weight: 400; color: #374151; }
.footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
</style>
</head>
<body>
<header class="header">OSDx</header>
<main class="main">
<h1>Access Denied</h1>
</main>
<footer class="footer">
Blocked by OSDx
</footer>
</body>
</html>
Step 12: Run command service firewall FWL show logging fast | tail at DUT0 and check if output matches the following regular expressions:
.*\[Drop\].*\[Block\].*\[\*\*\].*webserver\.com.*
03/05/2026-20:08:09.274757 [Drop] [Block] [**] [1:1:1] Blocked traffic to webserver.com [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:39724 -> 10.215.168.1:443
Note
As you can see in the firewall logs, the traffic has been matched and marked. The firewall marks those flows but still allows them to pass through, enabling the traffic-proxy to serve the block pages.
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 13: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          22   3976
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               9   1876

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 14: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:08:09 UTC BLOCKED: https 192.168.1.2 39724 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
Block By Firewall Using Extra-Connmark 1
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using firewall rules combined with
extra-connmark 1. A firewall ruleset
block.rules is loaded to detect and drop TLS
traffic matching a specific SNI. The firewall bypass
action sets extra-connmark 1 value 1000 on
blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set service firewall FWL bypass action block set connmark extra-mark 1 value 1000
set service firewall FWL logging outputs fast
set service firewall FWL mode inline queue Q
set service firewall FWL ruleset file 'running://block.rules'
set service firewall FWL tls-detection detection-ports 443
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark extra-mark 1 value 1000
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set traffic group port PORTS element 443
set traffic policy HTTPS_FIREWALL rule 1 action enqueue Q
set traffic policy HTTPS_FIREWALL rule 1 selector HTTPS_FIREWALL
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic queue Q elements 0
set traffic selector HTTPS_FIREWALL rule 1 destination port-group PORTS
set traffic selector HTTPS_FIREWALL rule 1 not extra-connmark 1 value 1000
set traffic selector HTTPS_FIREWALL rule 1 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 not extra-connmark 1 value 1000
set traffic selector HTTPS_FIREWALL rule 2 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 source port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.627 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.627/0.627/0.627/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.624 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.624/0.624/0.624/0.000 ms
Note
The file containing the firewall rules for blocking traffic looks as follows.
Step 5: Run command file show running://block.rules at DUT0 and expect this output:
drop tls any any -> any any (msg:"Blocked traffic to webserver.com"; block; tls.sni; content:"webserver.com"; sid:1; rev:1;)
Note
Now an HTTPS request is made to the webserver.com service.
Step 6: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   1852      0 --:--:-- --:--:-- --:--:--  1892
Step 7: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          11   1988
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               0      0

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Step 9: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 traffic policy in HTTPS_FIREWALL priority very-high
set interfaces ethernet eth1 traffic policy out HTTPS_FIREWALL priority very-high
Note
Now an HTTPS request is made to the webserver.com service.
Step 10: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0  53755      0 --:--:-- --:--:-- --:--:-- 54230
Step 11: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
<style>
* { margin: 0; padding: 0; box-sizing: border-box; }
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
.header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
.main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
h1 { font-size: 28px; font-weight: 400; color: #374151; }
.footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
</style>
</head>
<body>
<header class="header">OSDx</header>
<main class="main">
<h1>Access Denied</h1>
</main>
<footer class="footer">
Blocked by OSDx
</footer>
</body>
</html>
Step 12: Run command service firewall FWL show logging fast | tail at DUT0 and check if output matches the following regular expressions:
.*\[Drop\].*\[Block\].*\[\*\*\].*webserver\.com.*
03/05/2026-20:08:25.531914 [Drop] [Block] [**] [1:1:1] Blocked traffic to webserver.com [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:59408 -> 10.215.168.1:443
Note
As you can see in the firewall logs, the traffic has been matched and marked. The firewall marks those flows but still allows them to pass through, enabling the traffic-proxy to serve the block pages.
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 13: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          22   3976
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               9   1876

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 14: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:extra-mark1.*
2026-03-05 20:08:25 UTC BLOCKED: https 192.168.1.2 59408 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:0 emark1:1000 emark2:3128 match:extra-mark1 match_value:1000
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
Block By Firewall Using VRF-Mark
Description
This example demonstrates how to configure the
service traffic-proxy to block HTTPS traffic
using firewall rules combined with
vrf-connmark. A firewall ruleset
block.rules is loaded to detect and drop TLS
traffic matching a specific SNI. The firewall bypass
action sets vrf-connmark for VRF LAN
on blocked flows, which triggers the traffic-proxy
block rule. The test first verifies that traffic is
not blocked without the firewall policy, then enables
it and confirms that traffic is blocked, the firewall
log shows the drop, and the proxy stats reflect the
blocked connection.
Scenario
Step 1: Set the following configuration in DUT0 :
set interfaces ethernet eth0 address 10.215.168.64/24
set interfaces ethernet eth0 traffic nat source rule 1 address masquerade
set interfaces ethernet eth1 address 192.168.1.1/24
set interfaces ethernet eth1 traffic policy in TPROXY priority high
set interfaces ethernet eth1 vrf LAN
set protocols static route 192.168.1.0/24 next-hop-vrf LAN
set protocols vrf LAN static route 10.215.168.0/24 interface eth0
set service firewall FWL bypass action block set connmark vrf-mark LAN
set service firewall FWL logging outputs fast
set service firewall FWL mode inline queue Q
set service firewall FWL ruleset file 'running://block.rules'
set service firewall FWL tls-detection detection-ports 443
set service traffic-proxy TRAFFIC_PROXY block rule 1 connmark vrf-mark LAN
set service traffic-proxy TRAFFIC_PROXY logging connection
set service traffic-proxy TRAFFIC_PROXY mode https
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt'
set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key'
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
set system vrf LAN
set traffic group port PORTS element 443
set traffic policy HTTPS_FIREWALL rule 1 action enqueue Q
set traffic policy HTTPS_FIREWALL rule 1 selector HTTPS_FIREWALL
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic policy TPROXY rule 5 selector HTTPS_TRAFFIC
set traffic queue Q elements 0
set traffic selector HTTPS_FIREWALL rule 1 destination port-group PORTS
set traffic selector HTTPS_FIREWALL rule 1 not vrf-connmark LAN
set traffic selector HTTPS_FIREWALL rule 1 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 not vrf-connmark LAN
set traffic selector HTTPS_FIREWALL rule 2 protocol tcp
set traffic selector HTTPS_FIREWALL rule 2 source port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 destination port-group PORTS
set traffic selector HTTPS_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1 :
set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
set service dns static host-name webserver.com inet 10.215.168.1
set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Ping IP address 10.215.168.1 from DUT0:
admin@DUT0$ ping 10.215.168.1 count 1 size 56 timeout 1
PING 10.215.168.1 (10.215.168.1) 56(84) bytes of data.
64 bytes from 10.215.168.1: icmp_seq=1 ttl=64 time=0.373 ms

--- 10.215.168.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.373/0.373/0.373/0.000 ms
Step 4: Ping IP address 192.168.1.1 from DUT1:
admin@DUT1$ ping 192.168.1.1 count 1 size 56 timeout 1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_seq=1 ttl=64 time=0.659 ms

--- 192.168.1.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.659/0.659/0.659/0.000 ms
Note
The file containing the firewall rules for blocking traffic looks as follows.
Step 5: Run command file show running://block.rules at DUT0 and expect this output:
drop tls any any -> any any (msg:"Blocked traffic to webserver.com"; block; tls.sni; content:"webserver.com"; sid:1; rev:1;)
Note
Now an HTTPS request is made to the webserver.com service.
Step 6: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100    53  100    53    0     0   1725      0 --:--:-- --:--:-- --:--:--  1766
Step 7: Run command file show running://index.html at DUT1 and check if output does not match the following regular expressions:
.*Access Denied.*
<html><body><h1>Robot HTTPs server</h1></body></html>
Note
Note that the traffic is intercepted by the traffic-proxy but is not blocked.
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
intercepted\s+[1-9]\d*\s+[1-9]\d*
blocked\s+0\s+0
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          11   1988
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               0      0

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            0      0
---------------------
Total        0      0
Step 9: Modify the following configuration lines in DUT0 :
set interfaces ethernet eth1 traffic policy in HTTPS_FIREWALL priority very-high
set interfaces ethernet eth1 traffic policy out HTTPS_FIREWALL priority very-high
Note
Now an HTTPS request is made to the webserver.com service.
Step 10: Run command file copy https://webserver.com/ running://index.html force at DUT1 and expect this output:
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1410  100  1410    0     0  74128      0 --:--:-- --:--:-- --:--:-- 78333
Step 11: Run command file show running://index.html at DUT1 and check if output matches the following regular expressions:
.*Access Denied.*
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Access Denied</title>
<style>
* { margin: 0; padding: 0; box-sizing: border-box; }
body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background-color: #f5f5f5; min-height: 100vh; display: flex; flex-direction: column; }
.header { background-color: #2d3748; color: white; padding: 12px 24px; font-size: 18px; font-weight: 700; }
.main { flex: 1; display: flex; flex-direction: column; align-items: center; justify-content: center; padding: 40px 20px; }
h1 { font-size: 28px; font-weight: 400; color: #374151; }
.footer { text-align: center; padding: 20px; color: #6b7280; font-size: 14px; }
</style>
</head>
<body>
<header class="header">OSDx</header>
<main class="main">
<h1>Access Denied</h1>
</main>
<footer class="footer">
Blocked by OSDx
</footer>
</body>
</html>
Step 12: Run command service firewall FWL show logging fast | tail at DUT0 and check if output matches the following regular expressions:
.*\[Drop\].*\[Block\].*\[\*\*\].*webserver\.com.*
03/05/2026-20:08:44.060982 [Drop] [Block] [**] [1:1:1] Blocked traffic to webserver.com [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:36442 -> 10.215.168.1:443
Note
As you can see in the firewall logs, the traffic has been matched and marked. The firewall marks those flows but still allows them to pass through, enabling the traffic-proxy to serve the block pages.
Note
Note that the traffic is intercepted and also blocked by the traffic-proxy.
Step 13: Run command service traffic-proxy TRAFFIC_PROXY show stats detailed at DUT0 and check if output matches the following regular expressions:
blocked\s+[1-9]\d*\s+[1-9]\d*
Statistics for instance "TRAFFIC_PROXY":
-----------------------------
name            packets  bytes
-----------------------------
intercepted          22   3976
queue - orig          0      0
queue - reply         0      0
error                 0      0
blocked               9   1876

Blocking statistics for instance "TRAFFIC_PROXY":
---------------------
rule   packets  bytes
---------------------
1            9   1876
---------------------
Total        9   1876
Step 14: Run command service traffic-proxy TRAFFIC_PROXY show connections blocked at DUT0 and check if output matches the following regular expressions:
.*BLOCKED.*match:connmark.*
2026-03-05 20:08:44 UTC BLOCKED: https 192.168.1.2 36442 10.215.168.1 443 webserver.com GET / sni:webserver.com mark:2147484858 emark1:0 emark2:3128 match:connmark match_value:2147484858
Note
As you can see, the traffic-proxy correctly identifies the blocked flows.
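Steps 12 and 14 of all three scenarios (connmark, extra-connmark 1 and vrf-connmark) are checked by eye: the firewall fast log must show a [Drop] [Block] verdict, and the proxy must report the same flow as BLOCKED with a match on the mark the bypass action set. The following Python script, added here as an example and not part of the page's scenarios, automates that cross-check: it parses both record types, joins them by flow 4-tuple and flags flows the firewall dropped but the proxy never blocked, or blocked for a different reason than the configured rule. The record layouts are assumed from the outputs shown above, and the sample lines are copied from them.

```python
import re

# Suricata-style "fast" record as printed by "service firewall FWL show logging fast".
FAST_RE = re.compile(
    r"^(?P<ts>\S+) \[(?P<verdict>[^\]]+)\] \[(?P<action>[^\]]+)\] \[\*\*\] "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] .*?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
# One record of "service traffic-proxy TRAFFIC_PROXY show connections blocked".
BLOCKED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC BLOCKED: (?P<mode>\w+) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+) (?P<host>\S+) "
    r"(?P<method>\S+) (?P<path>\S+) sni:(?P<sni>\S+) mark:(?P<mark>\d+) "
    r"emark1:(?P<emark1>\d+) emark2:(?P<emark2>\d+) match:(?P<match>\S+) "
    r"match_value:(?P<value>\d+)$"
)
# The BLOCKED field that each "match:" keyword seen on this page refers to.
MATCH_FIELD = {"connmark": "mark", "extra-mark1": "emark1"}


def _parse(regex, line, int_fields):
    m = regex.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in int_fields:
        rec[k] = int(rec[k])
    return rec


def parse_fast(line):
    return _parse(FAST_RE, line, ("sport", "dport"))


def parse_blocked(line):
    return _parse(BLOCKED_RE, line, ("sport", "dport", "mark", "emark1", "emark2", "value"))


def flow_key(rec):
    return (rec["src"], rec["sport"], rec["dst"], rec["dport"])


def correlate(fast_lines, blocked_lines, expect_match, expect_value=None):
    """For each firewall [Drop] [Block] event, find the proxy BLOCKED record of the
    same flow and check the proxy matched on the configured mark. expect_value=None
    accepts any non-zero value (the VRF mark is system-assigned, not configured)."""
    blocked = {}
    for line in blocked_lines:
        rec = parse_blocked(line)
        if rec:
            blocked[flow_key(rec)] = rec
    results = []
    for line in fast_lines:
        ev = parse_fast(line)
        if not ev or ev["verdict"] != "Drop" or ev["action"] != "Block":
            continue  # only bypass-block verdicts should reach the proxy block rule
        rec = blocked.get(flow_key(ev))
        if rec is None:
            results.append((flow_key(ev), "NO_PROXY_BLOCK"))
            continue
        field = MATCH_FIELD.get(rec["match"])
        consistent = field is not None and rec[field] == rec["value"]
        value_ok = rec["value"] == expect_value if expect_value is not None else rec["value"] != 0
        ok = rec["match"] == expect_match and consistent and value_ok
        results.append((flow_key(ev), "OK" if ok else "MISMATCH"))
    return results


# Sample records copied from the outputs of the three scenarios on this page.
FAST_CONNMARK = ("03/05/2026-20:08:09.274757 [Drop] [Block] [**] [1:1:1] Blocked traffic to webserver.com"
                 " [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:39724 -> 10.215.168.1:443")
BLOCKED_CONNMARK = ("2026-03-05 20:08:09 UTC BLOCKED: https 192.168.1.2 39724 10.215.168.1 443 webserver.com"
                    " GET / sni:webserver.com mark:1000 emark1:0 emark2:3128 match:connmark match_value:1000")
FAST_EXTRA = FAST_CONNMARK.replace("20:08:09.274757", "20:08:25.531914").replace("39724", "59408")
BLOCKED_EXTRA = ("2026-03-05 20:08:25 UTC BLOCKED: https 192.168.1.2 59408 10.215.168.1 443 webserver.com"
                 " GET / sni:webserver.com mark:0 emark1:1000 emark2:3128 match:extra-mark1 match_value:1000")
FAST_VRF = FAST_CONNMARK.replace("20:08:09.274757", "20:08:44.060982").replace("39724", "36442")
BLOCKED_VRF = ("2026-03-05 20:08:44 UTC BLOCKED: https 192.168.1.2 36442 10.215.168.1 443 webserver.com"
               " GET / sni:webserver.com mark:2147484858 emark1:0 emark2:3128 match:connmark match_value:2147484858")
```

Feed correlate() the lines of the two show commands together with the match type of the configured block rule; any NO_PROXY_BLOCK result means the firewall marked a flow that the HTTPS_FIREWALL "not connmark" selector then failed to steer to the proxy, and MISMATCH means the proxy blocked it on a different mark than intended.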