Forum Discussion

Koalan's avatar
Icon for Cirrus rankCirrus
Jan 16, 2020

Disable HTTP OPTIONS method and Disable TCP Timestamp responses



So we run a penetration testing and we found 2 of our VIPs affected by these:


a. Disable HTTP OPTIONS method

b. Disable TCP Timestamp responses


Is there a way to remediate this? I tried looking in the internet but:


a. Disable HTTP OPTIONS method - i only see to change it globally on the F5 (probably will affect other VIP), is there another way?

b. Disable TCP Timestamp responses - I can't seem to find a proper way to address this, is there a way?


Hoping for help. Thanks!

4 Replies

  • a. Like what iaine mentioned, you can use the known methods setting in the HTTP profile to reject/reset the connection. Alternatively you can use an iRule to either reject or return a HTTP 501 response. For more information, refer to Also if you have ASM module licensed and provisioned, the ASM security policy would block OPTIONS method by default.


    b. There is a potential performance tradeoff when TCP Timestamp is disabled in either the TCP profile (Timestamps Extension for High Performance (RFC 1323) setting) or the FastL4 profile (TCP Timestamp Mode setting). You may want to consider randomising the TCP Timestamp instead by enabling this db key tm.tcpsendrandomtimestamp. For more details, you may want to take a look at


    • Hamza's avatar
      Icon for Cirrus rankCirrus

      hello FF,

      please Could you tell me the correct choice to diable tcp timestamp in fastl4 profile because we have three choices:


  • Hi


    You can disable HTTP OPTIONS in the HTTP profile in the known methods section. If you want to only disable it for a single VIP then create a new HTTP profile, make the required change and then associate it to your VIP


    For TCP Timestamps. Again, if you want to disable, this is in the TCP Profile in the Congestion Control section. Create a new TCP profile, make your change and then associate it to your VIP