To protect CoAP/DTLS Connection ID traffic according to the state of the art, please add some simple rules to filter DTLS 1.2 Connection ID records. That could easily be done by filtering on the first 3 bytes.
DTLS 1.2 header, first 3 bytes:
"14 fe fd" (CCS, 1.2)
"15 fe fd" (Alert, 1.2)
"16 fe fd" (Handshake, 1.2)
"17 fe fd" (Application Data, 1.2)
"19 fe fd" (tls_cid, 1.2)
And the DTLS 1.0 header for HelloVerifyRequest:
"16 fe ff" (Handshake, 1.0)
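A sketch of such a filter, added here as an example and not part of the original request or of any product's rule set. It applies the 3-byte allow-list above and goes one step further with sanity checks on the 13-byte record header; the epoch-0 restriction for the DTLS 1.0 prefix and all sample datagrams are assumptions constructed for illustration.

```python
import struct

# Allow-list from the list above: content type byte + 2-byte record version.
# 0x19 is the RFC 9146 content type tls12_cid ("tls_cid" in the list above).
ALLOWED_PREFIXES = {
    bytes.fromhex("14fefd"): "change_cipher_spec",
    bytes.fromhex("15fefd"): "alert",
    bytes.fromhex("16fefd"): "handshake",
    bytes.fromhex("17fefd"): "application_data",
    bytes.fromhex("19fefd"): "tls12_cid",
    bytes.fromhex("16feff"): "handshake (DTLS 1.0 record version)",
}
TLS12_CID = 0x19
HEADER_LEN = 13  # type(1) + version(2) + epoch(2) + sequence(6) + length(2)


def filter_datagram(datagram):
    """Return (accept, reason) for one UDP payload, judged by its first record."""
    if len(datagram) < 3:
        return False, "shorter than 3 bytes"
    name = ALLOWED_PREFIXES.get(datagram[:3])
    if name is None:
        return False, "prefix %s not in allow-list" % datagram[:3].hex(" ")
    if len(datagram) < HEADER_LEN:
        return False, "truncated record header"
    (epoch,) = struct.unpack_from("!H", datagram, 3)
    # Assumption: the DTLS 1.0 prefix is only needed for the unencrypted
    # HelloVerifyRequest exchange, which happens in epoch 0.
    if datagram[1:3] == b"\xfe\xff" and epoch != 0:
        return False, "DTLS 1.0 record version outside epoch 0"
    # In a tls12_cid record the CID sits between the sequence number and the
    # length field, and its size is not on the wire, so a stateless filter
    # can only check the declared length of the other record types.
    if datagram[0] != TLS12_CID:
        (length,) = struct.unpack_from("!H", datagram, 11)
        if HEADER_LEN + length > len(datagram):
            return False, "record length exceeds datagram"
    return True, name


def make_record(prefix_hex, epoch, body, cid=b""):
    """Build a constructed sample record (sequence number fixed at 1)."""
    head = bytes.fromhex(prefix_hex) + struct.pack("!H", epoch) + (1).to_bytes(6, "big")
    return head + cid + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    samples = [make_record("16fefd", 0, b"\x01" * 20),
               make_record("19fefd", 1, b"\xaa" * 24, cid=b"\x01\x02\x03\x04"),
               make_record("170303", 0, b"\x00" * 8)]  # TLS, not DTLS
    for s in samples:
        print(s[:3].hex(" "), filter_datagram(s))
```

Only the first record of each datagram is inspected, which matches the first-3-bytes rule in the request; further records packed into the same datagram are not examined.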