VLAN 100: LAN side tagging
Client IP: 10.9.8.7
Proxy IP: 10.1.1.1
Proxy Filter Examples:
vlan 100 or ip host 10.9.8.7 - captures client to ProxySG requests, but no ProxySG responses
ip host 10.9.8.7 or vlan 100 - captures client requests and ProxySG responses
So why does the order matter? Once the VLAN token is present in the conversation, any subsequent filter(s) only applies to vlan packets.
vlan 100 or ip host 10.9.8.7 - captures all VLAN packets with VLAN ID equal to 100 or VLAN packets with IP equal to 10.9.8.7
ip host 10.9.8.7 or vlan 100 - captures all packets with IP equal to 10.9.8.7 or VLAN packets with VLAN ID equal to 100
With the filter (vlan 100 or ip host 10.9.8.7), client side traffic arriving at the ProxySG is VLAN-Tagged (VLAN 100) and hence will be captured with the first filter. Return packets from theProxySG are not tagged and thus not a VLAN packet so the second filter will not record it.
This is normal and the behaviour identical to TCPDump. In order to capture both client side requests and ProxySG responses, reorder the filter as such.
ip host 10.9.8.7 or vlan 100