Forum Discussion
Usecase for Reject Virtual server?
Hello Folks,
Can someone please help me in which case shall we use Reject VS?
In most implementations, the BIG-IP is deployed behind a perimeter firewall. If the firewall receives any uninvited traffic, it can reject the connection as well. I cannot think of a use case where we need to have a Reject VS.
Any help will be appreciated. Cheers!
Darshan
9 Replies
- swo0sh_gt_13163
Altostratus
Fab Kevin! Thanks for sharing!
Much much appreciated all!
- Kevin_Stewart
Employee
If I may add, the LTM is a default deny device. You don't need an all-inclusive filter rule applied to say "reject if not matching an allowed IP", because that already exists in the absence of anything at all. If you don't actively create a listener - a virtual server or NAT - then the LTM won't respond to any requests. The TM.RejectUnmatched option is interesting in that it allows you to choose how packets are rejected. Set to true and LTM sends a RST. Set to false and LTM drops the request packet. In either case the request is denied.
- swo0sh_gt_13163
Altostratus
Makes complete sense,
Thank you Patrik!
- I live to serve. :)
One scenario I could think of is when placing the LTM in front of the external firewall, or replacing the external firewall with the LTM. The default setting for firewalls is to drop packets not matching a rule (uses less performance and makes it a bit harder for people looking for targets on the web), whereas the LTM would answer with a reject on all unmatched packets (all IPs, all ports). To simulate the firewall behaviour you can then set RejectUnmatched to false.
/Patrik
- swo0sh_gt_13163
Altostratus
Thank you Patrik,
However, your answer led me to another question: in which case can we have TM.RejectUnmatched set to false? Any useful case to set this to false?
Thank you once again!
Darshan
If the BigDB variable TM.RejectUnmatched is set to false (can be useful if the LTM is directly connected to the internet) and the administrator wants to reject packets for specific IPs or networks, it could also be useful.
/Patrik
- swo0sh_gt_13163
Altostratus
Nice one Nathan,
Thank you for this example. Can anyone think of anything else?
Regards,
Darshan
- nathe
Cirrocumulus
Darshan,
I've never come across one in the wild. My only thought is if you had a network standard virtual server but within that range there was 1 address you wanted to deny, you could set up a reject VS, as this would take precedence over the network VS.
N
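To make the behaviour described in this thread concrete, here is an added example (not from the original discussion and not F5 code) that models BIG-IP's listener matching: a host Reject VS beating a wider network VS for one address, and TM.RejectUnmatched deciding whether an unmatched packet gets an RST or a silent drop. The most-specific-wins ordering and the `VirtualServer`/`match_packet` names are assumptions for this simplified model, not the exact tmm lookup order.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VirtualServer:
    """Simplified listener: destination is a host or CIDR, port 0 means any port."""
    name: str
    destination: str
    port: int
    action: str  # "forward" (standard VS) or "reject" (Reject VS)


def _prefixlen(vs: VirtualServer) -> int:
    return ipaddress.ip_network(vs.destination, strict=False).prefixlen


def match_packet(virtuals: List[VirtualServer], dst_ip: str, dst_port: int,
                 reject_unmatched: bool = True) -> Tuple[Optional[str], str]:
    """Return (matched VS name or None, resulting action).

    Actions: "forward" (handled by a standard VS), "reset" (TCP RST sent),
    "drop" (packet silently discarded). Assumption in this model: the most
    specific destination (longest prefix, then explicit port) wins, which is
    why a host Reject VS overrides a network VS covering the same address.
    """
    ip = ipaddress.ip_address(dst_ip)
    candidates = [vs for vs in virtuals
                  if ip in ipaddress.ip_network(vs.destination, strict=False)
                  and vs.port in (0, dst_port)]
    if not candidates:
        # Default deny: TM.RejectUnmatched=true -> RST, false -> silent drop.
        return None, ("reset" if reject_unmatched else "drop")
    best = max(candidates, key=lambda vs: (_prefixlen(vs), vs.port != 0))
    return best.name, ("reset" if best.action == "reject" else "forward")


# Constructed sample configuration: a /24 network VS on port 80 and a
# Reject VS pinned to one address inside that range.
SAMPLE_VIRTUALS = [
    VirtualServer("vs_web_net", "10.1.1.0/24", 80, "forward"),
    VirtualServer("vs_reject_host", "10.1.1.5", 0, "reject"),
]

if __name__ == "__main__":
    for ip, port in (("10.1.1.7", 80), ("10.1.1.5", 80), ("10.1.2.9", 443)):
        print(ip, port, match_packet(SAMPLE_VIRTUALS, ip, port))
        print(ip, port, match_packet(SAMPLE_VIRTUALS, ip, port, reject_unmatched=False))
```

The last two calls show the only visible difference an outside scanner would see between the two TM.RejectUnmatched settings: an RST versus no answer at all.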