diff --git a/bin/tsg_log_field.conf b/bin/tsg_log_field.conf index 574e7d9..3a5b7f8 100644 --- a/bin/tsg_log_field.conf +++ b/bin/tsg_log_field.conf @@ -117,7 +117,8 @@ STRING http_response_body 104 STRING mail_eml_file 105 LONG common_vsys_id 106 STRING dtls_sni 107 -STRING common_tunnel_endpoint_a_desc 108 -STRING common_tunnel_endpoint_b_desc 109 -LONG common_t_vsys_id 110 -STRING common_app_full_path 111 \ No newline at end of file +STRING common_tunnel_endpoint_a_desc 108 +STRING common_tunnel_endpoint_b_desc 109 +LONG common_t_vsys_id 110 +STRING common_app_full_path 111 +LONG common_flags 112 diff --git a/bin/tsg_static_tableinfo.conf b/bin/tsg_static_tableinfo.conf index 4c0371d..d76ed27 100644 --- a/bin/tsg_static_tableinfo.conf +++ b/bin/tsg_static_tableinfo.conf @@ -89,3 +89,5 @@ 77 TSG_TUNNEL_ENDPOINT ip_plugin {"row_id":1,"ip_type":2,"start_ip":3,"end_ip":4,"valid":6,"estimate_size":4194304} 78 TSG_TUNNEL_LABEL plugin {"key":2,"valid":3} -- 79 TSG_SECURITY_TUNNEL virtual TSG_OBJ_TUNNEL_ID -- +80 TSG_OBJ_FLAG flag -- +81 TSG_SECURITY_FLAG virtual TSG_OBJ_FLAG -- \ No newline at end of file diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp index 131175d..a34f93e 100644 --- a/src/tsg_entry.cpp +++ b/src/tsg_entry.cpp @@ -686,6 +686,9 @@ static int master_send_log(const struct streaminfo *a_stream, struct Maat_rule_t TLD_append(TLD_handle, schema_field_name, (void *)g_tsg_proto_name2id[PROTO_APP].name, TLD_TYPE_STRING); } + char *flags_field_name=log_field_id2name(g_tsg_log_instance, LOG_COMMON_FLAGS); + TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG); + if(context!=NULL && context->hited_app_id>0) { char app_label_name[512]={0}; 
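Review bot: The added `TLD_append(TLD_handle, flags_field_name, (void *)context->session_flag, TLD_TYPE_LONG);` in master_send_log dereferences `context` unconditionally, while the statement right after it still guards with `if(context!=NULL && context->hited_app_id>0)`. A NULL context that the existing code tolerates would now crash the logging path, so the two added lines should sit inside `if(context!=NULL) { ... }`. The value is passed as an integer cast to `void *`, whereas the TLD_append call above it passes a pointer for TLD_TYPE_STRING; confirm that TLD_TYPE_LONG takes the value itself and not its address. master_send_log starts and ends outside the hunk, so an earlier NULL check may exist that is not visible here.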
@@ -1892,6 +1895,32 @@ static int app_identify_result_cb(const struct streaminfo *a_stream, int bridge_ return 0; } +static int session_flags_identify_result_cb(const struct streaminfo *a_stream, int bridge_id, void *data) +{ + if(data==NULL) + { + return 0; + } + + struct master_context *context=NULL; + struct Maat_rule_t scan_result[MAX_RESULT_NUM]={0}; + + context=(struct master_context *)get_struct_project(a_stream, g_tsg_para.context_project_id); + if(context==NULL) + { + init_context((void **)(&context), a_stream->threadnum); + set_struct_project(a_stream, g_tsg_para.context_project_id, (void *)context); + } + + context->session_flag=*(unsigned long *)(data); + + int hit_num=tsg_scan_session_flags(g_tsg_maat_feather, a_stream, scan_result, MAX_RESULT_NUM, &context->mid, g_tsg_para.table_id[TABLE_SESSION_FLAGS], context->session_flag, a_stream->threadnum); + + master_deal_scan_result(a_stream, context, scan_result, hit_num, NULL); + + return 0; +} + static int deal_pending_state(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int result_num, void *a_packet) { @@ -2010,6 +2039,7 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo if(is_hited_allow(context->result, context->hit_cnt)) { + state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME; break; } @@ -2037,6 +2067,19 @@ static unsigned char tsg_master_data_entry(const struct streaminfo *a_stream, vo hit_num+=scan_application_id_and_properties(a_stream, scan_result+hit_num, MAX_RESULT_NUM-hit_num, context, &(gather_result[i]), thread_seq); } + if(context->session_flag>0) + { + hit_num+=tsg_scan_session_flags(g_tsg_maat_feather, + a_stream, + scan_result+hit_num, + MAX_RESULT_NUM-hit_num, + &context->mid, + g_tsg_para.table_id[TABLE_SESSION_FLAGS], + context->session_flag, + thread_seq + ); + } + p_result=tsg_policy_decision_criteria(scan_result, hit_num); if(p_result!=NULL && p_result->action!=TSG_ACTION_MONITOR) { 
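Review bot: In session_flags_identify_result_cb the outcome of `init_context((void **)(&context), a_stream->threadnum)` is not checked before `context->session_flag=...` is written. If init_context can leave `context` NULL (its body is not visible here), the callback dereferences NULL on data delivered by another plugin. Add `if(context==NULL) { return 0; }` right after the init_context call, before `set_struct_project`. The payload is read as `*(unsigned long *)(data)` with no length or type information, so the bridge producer must publish exactly that type; a comment above the cast stating this contract would help, for example `/* data: unsigned long flag bitmap published by the session-flags plugin */`.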
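Review bot: The added `state=APP_STATE_KILL_OTHER|APP_STATE_GIVEME;` in the `is_hited_allow` branch of tsg_master_data_entry changes how a session is handled after an allow hit, and nothing in the hunk explains why it belongs in a change about session flags. Going by the constant names, this presumably stops other plugins from seeing the rest of an allowed session, which would narrow inspection coverage for that traffic. Please confirm that this is intended and record the reason in a comment on that line, for example `/* allow hit: hand the stream back, no further plugin processing wanted */`. The function body extends beyond the hunk on both sides.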
@@ -2335,6 +2378,7 @@ extern "C" int TSG_MASTER_INIT() MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "APP_IDENTIFY_RESULT_BRIDGE", g_tsg_para.bridge_name[BRIDGE_TYPE_APP_IDENTIFY_RESULT],_MAX_TABLE_NAME_LEN, "APP_IDENTIFY_RESULT_BRIDGE"); MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "SKETCH_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_RECV_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_CONN_SKETCH_NOTIFY_DATA"); MESA_load_profile_string_def(tsg_conffile, "SYSTEM", "MASTER_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_SEND_CONN_SKETCH_DATA],_MAX_TABLE_NAME_LEN, "TSG_MASTER_NOTIFY_DATA"); + MESA_load_profile_string_def(tsg_conffile, "SESSION_FLAGS", "FLAGS_NOTIFY_BRIDGE_NAME", g_tsg_para.bridge_name[BRIDGE_TYPE_NOTIFY_FLAGS],_MAX_TABLE_NAME_LEN, "SESSION_FLAGS_SYNC_NOTIFY_DATA"); for(i=0; i0) + { + MESA_handle_runtime_log(g_tsg_para.logger, + RLOG_LV_DEBUG, + "SCAN_FLAGS", + "Hit flag=%llu policy_id: %d service: %d action: %d addr: %s", + flag, + result[0].config_id, + result[0].service_id, + (unsigned char)result[0].action, + PRINTADDR(a_stream, g_tsg_para.level) + ); + + return ret; + } + + MESA_handle_runtime_log(g_tsg_para.logger, RLOG_LV_DEBUG, "SCAN_FLAG", "Not hit flag=%llu ret: %d stream_dir: %d addr: %s", flag, ret, a_stream->dir, PRINTADDR(a_stream, g_tsg_para.level)); + + return 0; +} struct Maat_rule_t *tsg_fetch_deny_rule(Maat_rule_t *result, int result_num) { diff --git a/src/tsg_send_log_internal.h b/src/tsg_send_log_internal.h index 5bb5ab7..c9459b1 100644 --- a/src/tsg_send_log_internal.h +++ b/src/tsg_send_log_internal.h @@ -133,6 +133,7 @@ typedef enum _tsg_log_field_id LOG_COMMON_TUNNELS_ENDPOINT_B_DESC, LOG_COMMON_TRAFFIC_VSYSTEM_ID, LOG_COMMON_APP_FULL_PATH, + LOG_COMMON_FLAGS, LOG_COMMON_MAX }tsg_log_field_id_t;
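Review bot: The two debug messages in the new flag-scan function use different module tags, `"SCAN_FLAGS"` on the hit path and `"SCAN_FLAG"` on the miss path, so a log filter on one tag silently drops the other half of the records; use a single tag for both. Both messages print `flag` with `%llu`, while the callers pass `context->session_flag`, which is assigned from an `unsigned long`. The function signature is missing from this page, so either confirm the parameter is `unsigned long long` or cast in the log call, `(unsigned long long)flag`. The start of this hunk is not visible either, so the scan call itself could not be reviewed.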