Starting with 21.2.3, the following applies to SD-WAN policy rules with a “deny” action:
- Traffic is always allowed until the application is identified, and only then is the “deny” action imposed, even if the match condition is based solely on “address-objects”
- In other words, if you use “sdwan policy” rules to deny traffic, the deny action is only imposed after application identification (which can entail the forwarding of a few packets in both directions until the application is identified)
- Once the application is identified, an entry is created in the application cache (refer to the documentation link below), which allows the application to be identified from the first packets of similar flows (the application cache is keyed on destination IP/port)
- This behavior is especially relevant if you want to block “proxy” traffic. No application cache is maintained for proxy traffic, so every flow is subject to “application identification”, and a “first packet” based deny is therefore not possible for proxy traffic