This allows the Configuration Manager to configure the system for upstream filtering at the controller, if possible, with no mixed B@AC and B@AP configuration within a role (enforced by Rule #3).
For DPI to identify a flow, TCP packets (the 3-way handshake exchange and the initial payload packets) must be allowed to pass through the system. If, after the traffic flow is classified, the system diverts the rest of the flow to a different VLAN (and most likely to a different server), the new server treats the packets as stray traffic, because it never exchanged a 3-way handshake with the client for that connection.
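The stray-traffic problem described above can be modelled with a small connection-state simulation. This is an added example, not code from the product: `Segment`, `Server`, `simulate` and the addresses are hypothetical, and answering a segment that has no connection state with a reset is an assumption that models typical TCP stack behaviour.

```python
# Added illustration: why diverting a flow after DPI classification breaks TCP.
# All names and values are hypothetical; the sample flow is constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Segment:
    src: tuple      # (client_ip, client_port)
    dst_port: int
    flags: str      # "SYN", "ACK" (handshake completion) or "PSH" (payload)

@dataclass
class Server:
    name: str
    half_open: set = field(default_factory=set)
    established: set = field(default_factory=set)

    def receive(self, seg):
        key = (seg.src, seg.dst_port)
        if seg.flags == "SYN":
            self.half_open.add(key)
            return "SYN-ACK"
        if seg.flags == "ACK" and key in self.half_open:
            self.half_open.discard(key)
            self.established.add(key)
            return "ESTABLISHED"
        if key in self.established:
            return "ACCEPTED"
        # No handshake was ever seen for this connection: stray traffic.
        return "RST"

def simulate(divert_after_classification, classify_after_payloads=2):
    """Return (server, flags, response) per segment of one client flow."""
    a, b = Server("server-A"), Server("server-B")
    client = ("192.0.2.10", 50000)
    flow = [Segment(client, 443, f)
            for f in ("SYN", "ACK", "PSH", "PSH", "PSH", "PSH")]
    payloads_seen, results = 0, []
    for seg in flow:
        # DPI needs the handshake plus the first payload packets to classify.
        classified = payloads_seen >= classify_after_payloads
        target = b if (classified and divert_after_classification) else a
        results.append((target.name, seg.flags, target.receive(seg)))
        if seg.flags == "PSH":
            payloads_seen += 1
    return results

if __name__ == "__main__":
    for label, divert in (("diverted", True), ("not diverted", False)):
        print(label, simulate(divert))
```

With diversion enabled, every segment sent after classification reaches a server that holds no state for the connection, so the flow cannot continue.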
If CM detects mixed B@AC and B@AP rules in the same role, and the role has L7 filter rules, then the configuration is rejected.