Often rules involve session "meta-data" such as HTTP-Hostname or Protocol-Control-Signature. These meta-data tags are usually completed fairly quickly (first few packets) but they are usually not known until the first few packets. As such the session is evaluated initially and the next 9 packets. This is to ensure that all rules that involve meta-data have a chance to fire. After the first ten packets the meta-data typically does not change and the rules are no longer consulted.
Have more questions? Submit a request