The tag hosts feature appears to be very powerful. However, it seems that only certain streams or connections from a certain host are tagged with triggers.
Scenario: a host within the network uses a VPN client that attempts to negotiate an outbound connection via port 22 SSH in order to circumvent the filter. Untangle detects this, and tags that traffic and blocks it, or tarpits. However, it seems that the VPN client will attempt other methods such as FTP, RDP, HTTP, HTTPS, etc. until it can establish a connection. Given that the VPN client will try other ways to connect, I would like the ability to tag ALL traffic from that client for a period of time, and not just the SSH traffic.
Once the source IP of the client is tagged, then I can use policy manager to put it into a Penalty-Box type group with only the firewall app installed, that blocks all internet-bound traffic. This currently works to a degree, but only with the original tagged connections, not new connections.