Nexapp - Deep Packet Inspection (DPI) Filter

Deep Packet Inspection (DPI) Filter

Deep Packet Inspection (DPI) in NexappOS enables application-aware security by analyzing traffic beyond IP addresses and domains. This engine identifies protocols and applications in real time and allows administrators to block, allow, or prioritize flows per interface.

NexappOS uses a DPI agent powered by nDPI technology to classify network traffic. The agent detects applications and protocols, produces flow metadata (such as app name, category, and statistics), and makes this information available to the firewall engine for policy decisions.

How DPI works

DPI processing in NexappOS follows this workflow:

  1. Traffic classification
    The DPI agent inspects packets and identifies the application or protocol.

  2. Flow labeling
    A flow-actions component assigns labels to connections that match DPI signatures.

  3. Policy enforcement
    Firewall rules can then:

    • Block labeled traffic, or
    • Adjust priority by applying DSCP values for routing/QoS decisions.

Because policies are interface-based, NexappOS lets you apply different DPI rules depending on where traffic enters or exits the network.


Configuration

To create DPI rules:

  1. Go to Security → DPI Filter
  2. Select the network interface where the rule will apply
    (for example: LAN, Guest, or specific VLAN interfaces).
  3. Click Add DPI rule
  4. Choose what to control:
    • Applications
    • Application categories
    • Protocols
  5. Select the action
    • Block / Allow / Prioritize (depending on rule type)
  6. Save and apply

Application selection

By default, NexappOS shows a list of commonly used applications.
Use the search bar to find specific apps or categories. Search supports:

  • Application names (e.g., “YouTube”, “Zoom”)
  • Categories (e.g., “Social Media”, “Streaming”, “File Sharing”)


Premium Application Signatures

Subscription required

Without a subscription, NexappOS recognizes roughly 400 baseline applications.
With an active subscription, recognition expands to 2300+ applications, and the signature database updates daily, ensuring coverage of new and evolving services.

This extended library is recommended for production SD-WAN deployments where policy must remain accurate over time.


Applications & Protocols Reference

The complete catalog of supported applications and protocols is available in the NexappOS reference lists.

  • Applications list
  • Protocols list

(Use these references when designing DPI policies for enterprise environments.)


Exceptions (DPI Exclusion)

Some hosts must never be blocked, for example:

  • gateways
  • core infrastructure
  • monitoring systems

To exclude addresses from DPI enforcement:

  1. Open the Exceptions section
  2. Click Add exception
  3. Enter:
    • IPv4/IPv6 address, or
    • CIDR network (e.g., 192.168.10.0/24)
  4. Optionally add a description
  5. Save

Exceptions can be enabled/disabled individually as your policy evolves.


DPI Agent Interface Exclusion (CLI)

By default, the DPI agent monitors all interfaces.
If required, you can exclude specific interfaces via CLI. The exclusion list uses patterns (shell-style globs), so an entry such as tun* matches every interface whose name starts with tun. Traffic on an excluded interface is never classified, so no DPI rule can match it there.

Add interfaces to exclusion list

Example: exclude eth1, all OpenVPN (tun*) and WireGuard (wg*) interfaces.

uci add_list netifyd.@netifyd[0].ns_exclude='eth1'
uci add_list netifyd.@netifyd[0].ns_exclude='tun*'
uci add_list netifyd.@netifyd[0].ns_exclude='wg*'
uci commit netifyd
echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit

Modify exclusion list

Example: remove eth1 from the list and exclude eth2 instead. Use del_list to drop a single entry; uci delete on the option would clear the whole list.

uci del_list netifyd.@netifyd[0].ns_exclude='eth1'
uci add_list netifyd.@netifyd[0].ns_exclude='eth2'
uci commit netifyd
echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit

Clear exclusion list

uci delete netifyd.@netifyd[0].ns_exclude
uci commit netifyd
echo '{"changes": {"network": {}}}' | /usr/libexec/rpcd/ns.commit call commit

View current exclusion list

uci show netifyd.@netifyd[0].ns_exclude
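Because the exclusion list is glob-matched, it is worth checking which interface names a candidate list actually matches before committing it. The following POSIX shell helper is an added example, not NexappOS or netifyd code: it applies shell-style globbing to a list of interface names and reports what would be excluded and what would still be inspected. SAMPLE_IFACES is a constructed list; dpi_preview_live assumes that uci get prints a list option's values space-separated and that ip -o link is available on the box.

```shell
#!/bin/sh
# Added example, not NexappOS/NethSecurity code: preview which interfaces a
# netifyd ns_exclude glob list will exclude before you commit it.
# Assumptions: patterns are matched with POSIX shell globbing (as the page
# states), and `uci get` prints a list option's values space-separated.

# Constructed sample interface names, as `ip -o link` might list them on a
# small gateway; eth10 is included to show how a careless glob over-matches.
SAMPLE_IFACES="lo eth0 eth1 eth10 eth2 br-lan tun0 tun1 wg0 wg1"

# match_excluded IFACE PATTERN... : succeeds if IFACE matches any glob pattern.
match_excluded() {
    iface=$1
    shift
    for pat in "$@"; do
        # $pat is deliberately unquoted so the shell treats it as a glob;
        # case requires a full match, so 'eth1' does not match eth10.
        case "$iface" in
            $pat) return 0 ;;
        esac
    done
    return 1
}

# dpi_excluded IFACE_LIST PATTERN... : prints, space-separated, the interfaces
# the DPI agent would stop monitoring.
dpi_excluded() {
    list=$1
    shift
    out=""
    for i in $list; do
        if match_excluded "$i" "$@"; then
            out="$out $i"
        fi
    done
    printf '%s\n' "${out# }"
}

# dpi_monitored IFACE_LIST PATTERN... : the complement, i.e. what still gets
# classified and can therefore be hit by DPI rules.
dpi_monitored() {
    list=$1
    shift
    out=""
    for i in $list; do
        if ! match_excluded "$i" "$@"; then
            out="$out $i"
        fi
    done
    printf '%s\n' "${out# }"
}

# dpi_preview_live : the same check against the running box, reading the
# committed ns_exclude list with uci and the real interface names from ip.
dpi_preview_live() {
    pats=$(uci -q get 'netifyd.@netifyd[0].ns_exclude')
    ifaces=$(ip -o link show | awk -F': ' '{print $2}' | cut -d@ -f1)
    set -f            # split the pattern list without pathname expansion
    set -- $pats
    set +f
    echo "excluded:  $(dpi_excluded "$ifaces" "$@")"
    echo "monitored: $(dpi_monitored "$ifaces" "$@")"
}

# Stand-alone demo on the constructed sample, using the page's own patterns.
echo "excluded:  $(dpi_excluded "$SAMPLE_IFACES" 'eth1' 'tun*' 'wg*')"
echo "monitored: $(dpi_monitored "$SAMPLE_IFACES" 'eth1' 'tun*' 'wg*')"
# A sloppy pattern silently takes eth10 out of inspection as well:
echo "eth1* excludes: $(dpi_excluded "$SAMPLE_IFACES" 'eth1*')"
```

Run dpi_preview_live on the appliance after uci commit netifyd to confirm that only the intended interfaces drop out of inspection; the third demo line shows why an exact name is safer than a prefix glob when similarly named interfaces exist.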

Best Practices

  • Apply DPI per zone/interface to avoid unintended blocks.
  • Start with category blocking, then refine into app-level rules.
  • Combine DPI with InstaShield IP and InstaShield DNS for layered security.
  • Review logs after new rules to confirm behavior before full rollout.