
[Modern firewalls](/security-next-generation-firewall) are able to perform deep packet inspection to determine the payload of the traffic at [Layer 7](/osi-model), thus identifying the specific application being employed.  However, protocols such as HTTPS complicate such filtering because the Layer 7 data is encrypted, making it difficult for firewalls to inspect beyond [IP addresses](/ipv4) and [port numbers](/transport-layer-port-number).

Several strategies exist to address this challenge.  Some of the most popular are described below:

## Man-in-the-Middle Proxy

This technique involves the firewall intercepting, decrypting, and re-encrypting HTTPS traffic, allowing access to the Uniform Resource Identifier (URI) for filtration. However, this method can introduce complexity, processing requirements, and issues with certificate authentication.

## Server Name Indication (SNI)

During the TLS handshake, the SNI field, which identifies the domain, can be leveraged by the firewall for domain-based access control. However, advancements in TLS, such as Encrypted Client Hello (ECH), obscure the SNI, reducing its reliability as a filtering tool.

Firewall Filtering HTTPS Traffic

EIGRP what happens when a feasible successor fails

EIGRP

EPC - Cisco Embedded Packet Capture

EVE-NG supported Cisco and other vendor images

Enterprise vs Consumer Network Connection Pricing Factors

Equal-cost Multi-path routing

EtherChannel - Converting an L2 EtherChannel to L3

EtherChannel - LACP System ID

EtherChannel - LACP fast-switchover

EtherChannel - Load Balancing on CatOS

EtherChannel - Load balancing algorithm applied globally and per portchannel

EtherChannel - Maximum Number of Physical Links

EtherChannel - PAgP timer, hello interval, and age value

EtherChannel - Troubleshooting on Cisco IOS Switches

EtherChannel - Understanding LACP port and system priorities

EtherChannel - applying configurations to the interface

EtherChannel - implementing over 802.1Q tunneling

EtherChannel - load balancing algorithms

EtherChannel - max-bundle

EtherChannel - prerequisites for bundling

EtherChannel Operational Members

EtherChannel

Ethernet - Pause Frames

Ethernet - role of FCS field

Ethernet - speed and duplex mismatches

Ethernet - speed and duplex settings on an ISR4431

Ethernet CSMA-CD

Ethernet VPN (EVPN)

Ethernet administrative and operational encapsulation

Ethernet administrative operational mode

Ethernet frame types

Ethernet header

Ethernet over IP (EoIP)

Ethernet

FHRP - Comparison Table

FHRP - HSRP Resign Message

FHRP - interaction with routing protocols

FHRP - which ports should you configure

FHRP Communication Between Redundant Routers

FHRP Hardware Limitations

FHRP Load Balancing Behavior

FHRP Protocols

FHRP communication path of keepalives

Fiber optic types

Fiber optics - Multi mode fiber optics characteristics

Fiber optics - Single mode fiber optics characteristics

Fiber optics - color coding

Fiber optics - connectors

FlexVPN Hub and Spoke backup routes

FlexVPN redundant hub with dual cloud

FlexVPN spoke to spoke communication fails with IPSec tunnel

FlexVPN

Frame Relay - is it a relevant technology anymore

Frame-Relay - emulating a Frame-Relay switch

Frame-Relay DLCI values

GLBP TLVs and Priority Values

GNS3 how to obtain Cisco IOS images

GRE - Keepalives and VRF-aware tunnels

GRE - Recursive routing error - AD solution

GRE - Recursive routing error - filtering solution

GRE - Recursive routing error

GRE - Understanding how keepalives work

GRE MTU settings

GRE Tunnel Addressing

GRE and IPSec

GRE tunnel and multicast

GRE tunnel key operation with only one tunnel key configured

GRE tunnels and how they transmit multicast packets

Gateway Load Balancing Protocol (GLBP)

Guestshell as an SD-WAN Onboarding Certificate Workaround

Guestshell

HSRP - Deployment in Distribution Layer

HSRP - standby group numbers

HSRP Message Op Codes

HSRP Message Parameters

HTTP - viewing HTTP messages in Wireshark

Hardware - Application Specific Integrated Circuit (ASIC)

Hardware - Layer-3-aware ASIC and IGMP snooping

High-Level Data Link Control (HDLC)

Higher Bandwidth Doesn't Always Mean Faster Speeds

Home lab computer requirements

Hot Standby Router Protocol (HSRP)

How to learn Python for networking

How to practice labbing - best practices

How to prepare for Cisco DNA

IANA

ICANN

ICMP - Mitigating Vulnerabilities

ICMP - Vulnerabilities

ICMP - response to a ping that is blocked by an ACL

ICMP DF-bit in Echo Request and Reply

ICMP Echo Request and Reply Size

ICMP codes and types

ICMP

IEEE

IETF

IGMP - Snooping Querier Election