...
| Note |
|---|
The L7 matcher is very resource-intensive. Use this feature only for very specific traffic. It is not recommended to use the L7 matcher for generic traffic, such as for blocking webpagesweb pages. This will almost never work correctly and your device will exhaust its resources, trying to catch all the traffic. Use other features to block webpages by URL. |
...
An additional requirement is that the layer7 matcher must see both directions of traffic (incoming and outgoing). To satisfy this requirement l7 rules should be set in the forward chain. If the rule is set in the input/prerouting chain then the same rule must be also set in the output/postrouting chain, otherwise, the collected data may not be complete resulting in an incorrectly matched pattern.
...
Note that we need both directions that which is why we need also the l7 rule in the output chain that sees outgoing packets.
...
| Note |
|---|
When a user is logged in youtube YouTube will use HTTPS, meaning that L7 will not be able to match this traffic. Only unencrypted HTTP can be matched. |
...