Rules often involve session "meta-data" such as HTTP-Hostname or Protocol-Control-Signature. These meta-data tags are usually populated quickly, but their values are not known until the first few packets of the session have been processed. For this reason the session is evaluated against the rules on the initial packet and on the next 9 packets, which ensures that every rule involving meta-data has a chance to fire. After the first ten packets the meta-data typically does not change, and the rules are no longer consulted.
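The evaluation window described above can be modelled in a few lines. This is an added example, not the product's code: the `Rule` and `Session` classes, the rule names, the first-match-wins ordering, the catch-all rule and the sample packets are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

EVAL_WINDOW = 10  # initial packet plus the next 9, per the text above


@dataclass
class Rule:
    name: str
    key: Optional[str] = None    # meta-data tag to test; None = catch-all
    value: Optional[str] = None  # value the tag must equal


@dataclass
class Session:
    rules: list
    meta: dict = field(default_factory=dict)
    packets_seen: int = 0
    verdict: Optional[str] = None
    history: list = field(default_factory=list)  # (packet number, verdict)

    def on_packet(self, learned: dict) -> None:
        """Handle one packet; `learned` holds tags decoded from it."""
        self.packets_seen += 1
        self.meta.update(learned)
        if self.packets_seen > EVAL_WINDOW:
            return  # window closed: rules are no longer consulted
        # Assumption: first matching rule in list order wins on each pass.
        for rule in self.rules:
            if rule.key is None or self.meta.get(rule.key) == rule.value:
                self.verdict = rule.name
                break
        self.history.append((self.packets_seen, self.verdict))


def replay(rules, packets):
    """Feed a list of per-packet tag dicts through a fresh session."""
    session = Session(rules=rules)
    for learned in packets:
        session.on_packet(learned)
    return session


# Constructed sample: 12 packets; the hostname is decoded from packet 4.
RULES = [Rule("updates-host", "HTTP-Hostname", "updates.example.com"),
         Rule("default")]
PACKETS = [{}, {}, {}, {"HTTP-Hostname": "updates.example.com"}] + [{}] * 8

if __name__ == "__main__":
    for number, verdict in replay(RULES, PACKETS).history:
        print(f"packet {number:2d}: {verdict}")
```

In this model the session matches only the catch-all rule on packets 1 to 3, switches to the hostname rule once the tag is known on packet 4, and records no further evaluations after packet 10.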