DPI works on connections traversing the firewall, i.e. going from a PC to the net.
When there is a proxy, there are two connections, and neither of them traverses the firewall:
- pc to nethserver
- nethserver to net
The rules are simple:
- want to block a web site (HTTP)? Use the proxy
- want to block a protocol (torrent)? Use the firewall
If you want to identify HTTP traffic with DPI techniques, you must "take it out" of the proxy: as long as the proxy terminates the client connection, the firewall only sees the proxy's own connection to the net and cannot match the client's traffic with nDPI rules. A common scenario is Windows Update, which is usually given low priority. Configure as follows:
- add the list of Windows Update domains to Domains without proxy (use Google to find the list)
- add a rule in the firewall rules that sets nDPI windowsupdate to low priority
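The following is an added example, not NethServer's own code, of the check a practitioner would want before relying on the rule above: given a "Domains without proxy" list, which flows are terminated by the proxy (invisible to DPI) and which traverse the firewall (where nDPI rules can match them). The bypass list below is a constructed, illustrative subset, not the complete Windows Update domain list, and the function names are hypothetical. Matching is done on label boundaries, so `notmicrosoft.com` does not bypass the proxy just because `microsoft.com` is listed.

```python
"""Hypothetical helper (not NethServer code): decide whether a flow is
handled by the web proxy or traverses the firewall and is visible to nDPI."""


def _normalize(name: str) -> str:
    # Case-insensitive, tolerate trailing dots and a leading "." in list entries.
    return name.strip().lower().rstrip(".").lstrip(".")


def bypasses_proxy(host: str, bypass_domains) -> bool:
    """True if host equals a listed domain or is a subdomain of one.

    Suffix matching is done on label boundaries: 'notmicrosoft.com' does
    not match 'microsoft.com', but 'update.microsoft.com' does.
    """
    h = _normalize(host)
    for entry in bypass_domains:
        d = _normalize(entry)
        if not d:
            continue
        if h == d or h.endswith("." + d):
            return True
    return False


def traffic_path(protocol: str, host: str, bypass_domains) -> str:
    """Return 'proxy' when the web proxy terminates the flow (DPI cannot
    see it) or 'firewall' when the flow traverses the firewall."""
    if protocol.lower() not in ("http", "https"):
        # Non-web protocols (e.g. torrent) never go through the proxy.
        return "firewall"
    return "firewall" if bypasses_proxy(host, bypass_domains) else "proxy"


def audit(flows, bypass_domains) -> dict:
    """Map each (protocol, host) flow to the component that sees it."""
    return {f"{proto}://{host}": traffic_path(proto, host, bypass_domains)
            for proto, host in flows}


# Constructed illustrative subset of the "Domains without proxy" list.
WINDOWS_UPDATE_BYPASS = [
    "windowsupdate.com",
    "update.microsoft.com",
    ".download.windowsupdate.com",
]

# Constructed sample flows, as a client behind the proxy would generate them.
SAMPLE_FLOWS = [
    ("http", "download.windowsupdate.com"),   # bypass -> firewall, nDPI rule can match
    ("http", "www.example.org"),              # proxy terminates it, invisible to DPI
    ("https", "update.microsoft.com"),        # bypass -> firewall
    ("http", "notwindowsupdate.com"),         # must NOT match the bypass list
    ("bittorrent", "tracker.example.net"),    # never proxied -> firewall
]

if __name__ == "__main__":
    for flow, path in audit(SAMPLE_FLOWS, WINDOWS_UPDATE_BYPASS).items():
        print(f"{flow:45s} -> {path}")
```

Any flow reported as `proxy` will not be matched by an nDPI firewall rule, so a domain missing from the bypass list silently defeats the low-priority rule for that host.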
This sentence should be slightly reworded to clarify the limitations.