F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

mayub's avatar
mayub
Icon for Nimbostratus rankNimbostratus
Sep 20, 2019

F5 Traffic Policy - ignore action

hi All,   When configuring policies in BigIP if I set a match and then leave the action to ignore what will this do?   For my policy I want to drop NOT reset the packets if the http host doe...
application delivery
BIG-IP
LTM
traffic policy
B_Ott's avatar
B_Ott
Icon for Nimbostratus rankNimbostratus
Jan 21, 2020

Late to the party, but just in case someone else needs this info.

A "Reset traffic" should sent a Reset packet back to the client forcibly closing the connection.

A point to note however is that once you are into policy processing you have already completed the 3 way TCP handshake, simply dropping the packet instead of sending a reset could cause you problems with resource starvation on your firewall and possibly f5 (depending on your network configuration, load and hardware).

 

This is because a stateful firewall (most modern firewalls are stateful) is actively monitoring the status of every connection, and uses onboard resources to store the connection information. When your firewall sees a reset packet it knows the connection is closed and can free up the resources for the next connection.

Without a reset the firewall will have to wait for connection timeout before closing the connection and freeing up that resource.

 

Dropping the packet instead of resetting the connection could make you more vulnerable to a DoS attack caused by resource starvation.

It is also possible the f5 itself would hold the connection open consuming resources if you drop at this point instead of resetting, but the f5 engineers would need to confirm because I haven't checked myself.