It looks like this Microsoft patent filing from earlier this year might tell you what you want to know.

From what I can gather, this flag allows firewall rules to apply to traffic that has been encapsulated by, for example, an IPv6 to IPv4 tunnel originating outside the border of the network. As patents often are, this one is written in such a generic manner as to apply to any different type of tunneling protocol, from what I can tell.

The payload of this encapsulated traffic would be opaque to the any firewall at the network on the other end of the tunnel. Presumably, these encapsulated packets would be passed through unfiltered to the internal host where the other end of the tunnel terminated. That host would receive the traffic, pass it through its own firewall, decapsulate the traffic (if allowed by its own firewall), and pass the decapsulated packets back its firewall. When the packet travels thru the firewall the second time (after decapsulation), it has an “this packet traversed the network edge” bit set such that only rules with the “edge traversal” bit also set will apply to the packet.

Figure 4 of that patent application appears to describe the process graphically, and the “Detailed Descriptions” section beginning on page 7 describes the process in painfully specific detail.

This basically permits a host-based firewall to have different rules for traffic that came in via a tunnel thru the local network’s firewall, as opposed to traffic that was just sent unencapsulated by a tunnel directly through the local network’s firewall.

I wonder if the iptables “mark” functionality would be prior art to this patent? It certainly seems like it does a very similiar thing, albeit in an even more generic fashion (since you can write user-land code to “mark” packets for virtually any reason if you want to ).

Source: vpn – Windows Advanced Firewall: What does “Edge Traversal” mean? – Server Fault