Home > Security Appliances > Firewall and Traffic Shaping > Traffic Analytics and the Layer 7 Firewall

Traffic Analytics and the Layer 7 Firewall

In certain circumstances, traffic analysis will report data that should be blocked by the L7 firewall. This occurs most often with encrypted P2P traffic. The rest of this article discusses how the L7 firewall operates and makes decisions about the observed traffic.

What is a flow?

A flow is defined by the firewall as one connection socket. Each port used in communication with each source-destination pair is one socket. For example, 10.1.1.1 on port 234 communicating with 10.2.2.2 on port 432 is one socket.

What's involved in blocking a flow

The Layer 7 firewall performs blocking operations per data flow. The requirements for the firewall to make a blocking decision depends on the classification of the traffic.

For example, with Encrypted P2P traffic, the firewall will examine up to 200 packets in the upload direction of the flow before making its blocking decision and interrupting the flow. The size of these packets is not relevant, only the quantity. This means that, per flow, there could be 200 packets that are 150 bytes each, 20 maximum size packets, or something in between. If this traffic has been classified by the traffic analyzer, then it will appear in the traffic analytics as P2P traffic of the quantity transferred before the flow was blocked.

An example of this can be seen below:

 

This example shows Encrypted P2P traffic transferring 703 KB upstream across 24 flows. That works out to approximately 30 KB transferred upstream per flow, and fits with a large number of small packets. This P2P traffic is also asymmetric, so while the amount of data transferred in the upload direction per flow is fairly small, an average of nearly 35 times much data was downloaded per flow as was uploaded before the flow was blocked.

Blocking Peer-to-Peer (P2P) Traffic

Though the L7 P2P rule is effective for blocking some P2P traffic, some additional considerations are necessary for comprehensive blocking of P2P and filesharing applications. Please refer to our documentation for additional information.

You must to post a comment.
Last modified
11:18, 3 Feb 2015

Tags

This page has no custom tags.

Classifications

This page has no classifications.

Article ID

ID: 2351

Contact Support

Most questions can be answered by reviewing our documentation, but if you need more help, Cisco Meraki Support is ready to work with you.

Open a Case