Forum Discussion
F5 Traffic Policy - ignore action
Late to the party, but just in case someone else needs this info.
A "Reset traffic" should send a Reset packet back to the client, forcibly closing the connection.
A point to note, however, is that once you are into policy processing you have already completed the 3-way TCP handshake; simply dropping the packet instead of sending a reset could cause you problems with resource starvation on your firewall and possibly the F5 (depending on your network configuration, load and hardware).
This is because a stateful firewall (most modern firewalls are stateful) is actively monitoring the status of every connection, and uses onboard resources to store the connection information. When your firewall sees a reset packet, it knows the connection is closed and can free up the resources for the next connection.
Without a reset, the firewall will have to wait for the connection timeout before closing the connection and freeing up that resource.
Dropping the packet instead of resetting the connection could make you more vulnerable to a DoS attack caused by resource starvation.
It is also possible the F5 itself would hold the connection open, consuming resources, if you drop at this point instead of resetting, but the F5 engineers would need to confirm because I haven't checked myself.
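The reset-versus-drop choice the reply describes, shown as an LTM iRule rather than a traffic policy. This is an added example, not code from the post or from F5; it assumes an address-type data group named blocked_clients exists on the BIG-IP (a hypothetical name). `reject` sends a TCP RST so an upstream stateful firewall can release its connection entry at once; `drop` discards silently and leaves that entry to age out on the firewall's idle timeout.

```tcl
# Added example (not from the original post): iRule equivalent of
# "Reset traffic" versus a silent drop for clients on a block list.
# Assumed: an address-type data group named "blocked_clients".
when CLIENT_ACCEPTED {
    # By the time this event fires the 3-way handshake is already
    # complete, just as the reply notes for policy processing.
    if { [class match [IP::client_addr] equals blocked_clients] } {
        log local0. "Rejecting [IP::client_addr]:[TCP::client_port] with RST"
        # Send a TCP RST to the client: the firewall's conntrack entry
        # is torn down immediately.
        reject
        # The alternative below would discard the connection silently;
        # the firewall would then hold the entry until its idle timeout,
        # which is the resource-starvation risk the reply warns about.
        # drop
    }
}
```

Attach the iRule to the virtual server whose policy you were considering; the log line goes to /var/log/ltm and is useful when confirming which branch fired.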