In certain circumstances, traffic analysis will report data that should be blocked by the L7 firewall. This occurs most often with encrypted P2P traffic. The rest of this article discusses how the L7 firewall operates and makes decisions about the observed traffic.
A flow is defined by the firewall as one connection socket. Each port used in communication with each source-destination pair is one socket. For example, 10.1.1.1 on port 234 communicating with 10.2.2.2 on port 432 is one socket.
The Layer 7 firewall performs blocking operations per data flow. The requirements for the firewall to make a blocking decision depend on the classification of the traffic.
For example, with Encrypted P2P traffic, the firewall will examine up to 200 packets in the upload direction of the flow before making its blocking decision and interrupting the flow. The size of these packets is not relevant, only the quantity. This means that, per flow, there could be 200 packets that are 150 bytes each, 20 maximum size packets, or something in between. If this traffic has been classified by the traffic analyzer, it will appear in traffic analytics as P2P traffic, showing the quantity transferred before the flow was blocked.
An example of this can be seen below:
This example shows Encrypted P2P traffic transferring 703 KB upstream across 24 flows. That works out to approximately 30 KB transferred upstream per flow, which fits a large number of small packets. This P2P traffic is also asymmetric, so while the amount of data transferred in the upload direction per flow is fairly small, an average of nearly 35 times as much data was downloaded per flow as was uploaded before the flow was blocked.
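To make the per-flow accounting above concrete, here is an added illustrative model of the decision logic (example code written for this page, not the firewall vendor's implementation). It assumes a flow is keyed by the source/destination address and port pair, that the 200-upload-packet threshold applies to flows classified "Encrypted P2P", and that the constructed sample traffic sends 150-byte uploads each answered by five 1050-byte downloads, which reproduces the 703 KB across 24 flows and the roughly 35:1 download ratio from the example.

```python
from collections import defaultdict
from dataclasses import dataclass

UPLOAD_PACKET_THRESHOLD = 200  # from the article: up to 200 upload-direction packets per flow

@dataclass
class FlowState:
    upload_packets: int = 0
    upload_bytes: int = 0
    download_bytes: int = 0
    blocked: bool = False

class L7FlowTracker:
    """Illustrative per-flow model of the blocking logic; not vendor code."""
    def __init__(self, blocked_classes=("Encrypted P2P",), threshold=UPLOAD_PACKET_THRESHOLD):
        self.blocked_classes, self.threshold = set(blocked_classes), threshold
        self.flows = defaultdict(FlowState)

    def observe(self, flow, direction, size, classification):
        """flow = (src, sport, dst, dport) from the initiator's view; True if forwarded."""
        state = self.flows[flow]  # one socket == one flow
        if state.blocked:
            return False
        if direction == "up":  # only upload packets count toward the threshold
            state.upload_packets += 1
            state.upload_bytes += size
        else:
            state.download_bytes += size
        # Packet count, not size, drives the decision; bytes forwarded so far are what analytics shows.
        if classification in self.blocked_classes and state.upload_packets >= self.threshold:
            state.blocked = True
        return True

    def summary(self):
        n = len(self.flows)
        up = sum(s.upload_bytes for s in self.flows.values())
        down = sum(s.download_bytes for s in self.flows.values())
        return {"flows": n, "upload_bytes": up, "download_bytes": down,
                "avg_upload_per_flow": up / n if n else 0.0,
                "blocked_flows": sum(s.blocked for s in self.flows.values())}

def simulate_p2p_flows(tracker, flows=24, packets=250, up_size=150,
                       down_pkts=5, down_size=1050, classification="Encrypted P2P"):
    """Constructed traffic: small uploads, each answered by several larger downloads."""
    for i in range(flows):
        flow = ("10.1.1.1", 40000 + i, "10.2.2.2", 432)  # constructed socket; addresses from the article
        for _ in range(packets):
            tracker.observe(flow, "up", up_size, classification)
            for _ in range(down_pkts):
                tracker.observe(flow, "down", down_size, classification)
    return tracker.summary()
```

Running `simulate_p2p_flows(L7FlowTracker())` blocks all 24 flows after 200 uploads each, leaving 720,000 bytes (about 703 KB) of upstream traffic in the summary, while the same traffic under a non-blocked classification is never interrupted.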
Though the L7 P2P rule is effective for blocking some P2P traffic, some additional considerations are necessary for comprehensive blocking of P2P and filesharing applications. Please refer to our documentation for additional information.
For additional information on the Layer 7 firewall and how it works: