
Traffic Analytics and the Layer 7 Firewall

In certain circumstances, traffic analysis will report data that should be blocked by the L7 firewall. This occurs most often with encrypted P2P traffic. The rest of this article discusses how the L7 firewall operates and makes decisions about the observed traffic.

What is a flow?

A flow is defined by the firewall as one connection socket. Each port used in communication with each source-destination pair is one socket. For example, on port 234 communicating with on port 432 is one socket.

What's involved in blocking a flow

The Layer 7 firewall performs blocking operations per data flow. The requirements for the firewall to make a blocking decision depend on the classification of the traffic.

For example, with Encrypted P2P traffic, the firewall will examine up to 200 packets in the upload direction of the flow before making its blocking decision and interrupting the flow. The size of these packets is not relevant, only the quantity. This means that, per flow, there could be 200 packets that are 150 bytes each, 20 maximum size packets, or something in between. If this traffic has been classified by the traffic analyzer, then it will appear in the traffic analytics as P2P traffic of the quantity transferred before the flow was blocked.

An example of this can be seen below:


This example shows Encrypted P2P traffic transferring 703 KB upstream across 24 flows. That works out to approximately 30 KB transferred upstream per flow, and fits with a large number of small packets. This P2P traffic is also asymmetric, so while the amount of data transferred in the upload direction per flow is fairly small, an average of nearly 35 times as much data was downloaded per flow as was uploaded before the flow was blocked.
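The per-flow accounting described above can be modelled in a few lines. This is an added example, not Meraki code: it assumes the block decision always takes the full 200 upload packets (the upper bound given above), and the addresses, ports and traffic pattern are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

INSPECT_LIMIT = 200  # article's upper bound: upload packets examined per flow

@dataclass
class FlowStats:
    up_packets: int = 0
    up_bytes: int = 0
    down_bytes: int = 0
    blocked: bool = False

def account(packets, inspect_limit=INSPECT_LIMIT):
    """Tally bytes per flow until the block decision.

    packets: iterable of (flow_key, direction, size) where flow_key is
    (src_ip, src_port, dst_ip, dst_port) and direction is "up" or "down".
    Assumption: the decision always takes the full inspect_limit packets.
    """
    flows = defaultdict(FlowStats)
    for key, direction, size in packets:
        flow = flows[key]
        if flow.blocked:
            continue  # flow already interrupted: nothing more is counted
        if direction == "up":
            flow.up_packets += 1
            flow.up_bytes += size
            # Only the packet count matters, not the packet size.
            flow.blocked = flow.up_packets >= inspect_limit
        else:
            flow.down_bytes += size
    return dict(flows)

def constructed_traffic(n_flows=24, rounds=300, up_size=150, down_size=1400):
    """Constructed sample: each flow repeats 1 upload + 4 download packets."""
    for n in range(n_flows):
        key = ("192.0.2.10", 50000 + n, "198.51.100.20", 40000)  # documentation addresses
        for _ in range(rounds):
            yield key, "up", up_size
            for _ in range(4):
                yield key, "down", down_size

def totals(flows):
    """Aggregate what an analytics view would report for the blocked class."""
    up = sum(f.up_bytes for f in flows.values())
    down = sum(f.down_bytes for f in flows.values())
    return {"flows": len(flows), "up_bytes": up, "down_bytes": down}

if __name__ == "__main__":
    report = totals(account(constructed_traffic()))
    print(report, "up per flow:", report["up_bytes"] // report["flows"])
```

With 150-byte upload packets the constructed sample records 720,000 bytes upstream across 24 flows (about 703 KB, or 30 KB per flow) even though every flow ends up blocked. Raising `up_size` to 1500 shows how the same 200-packet window lets ten times as much upstream data appear in the totals.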

Blocking Peer-to-Peer (P2P) Traffic

Though the L7 P2P rule is effective for blocking some P2P traffic, some additional considerations are necessary for comprehensive blocking of P2P and filesharing applications. Please refer to our documentation for additional information.


Article ID

ID: 1970
