It should check not only TCP but also SSL options in the rule. Can you add a feature request on https://vyos.dev/ and PR?