
Can the default deny action be changed from drop to reset

Wasfi_Bounni
Cirrostratus

Hi;

Since the F5 LTM is a default deny device, my understanding is that the deny action is a "drop" action. Can this behaviour be changed to make the default deny action a "Reset" action?

Kindly

Wasfi

1 ACCEPTED SOLUTION

crodriguez
F5 Employee

Hi, Wasfi,

In reading on LTM global settings, the traffic-control reject-unmatched setting is what controls this behavior. When enabled, which is the default, the system returns a TCP RESET or ICMP_UNREACH packet if no virtual servers on the system match the destination address of the incoming packet. When this option is disabled, the system silently drops the unmatched packet. You can list this setting from the TMOS Shell (TMSH) as follows:

(tmos)# list /ltm global-settings traffic-control reject-unmatched

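A way to confirm the behaviour from outside the box, as an added example that is not part of the original thread or of F5's own tooling: after the setting is changed with the standard tmsh form `modify /ltm global-settings traffic-control reject-unmatched disabled` (and `save sys config` to persist it), send a TCP SYN to an address the BIG-IP answers for on a port with no matching virtual server and classify what comes back. A TCP RST reaches the client as "connection refused"; a silent drop reaches it as a timeout. The host and port passed on the command line are placeholders, and `demo_local()` uses loopback sockets constructed inline rather than a real BIG-IP. Caveat: a stateful firewall between the probing host and the BIG-IP that drops the SYN also produces the "dropped" verdict, so run the probe from a host with a clean path to the device.

```python
"""Classify how a destination handled a TCP SYN: RST, silent drop, or accept.

Added example (not from the forum post). Verdicts map onto the LTM
traffic-control reject-unmatched setting for a destination with no
matching virtual server:
  reset    -> BIG-IP answered with TCP RST   (reject-unmatched enabled)
  dropped  -> nothing came back in time      (reject-unmatched disabled,
              or something upstream is dropping the SYN)
  accepted -> the handshake completed, so a virtual server (or another
              listener) matched; the probe target was not "unmatched".
"""
import socket
import sys

RESET = "reset"
DROPPED = "dropped"
ACCEPTED = "accepted"


def probe(host, port, timeout=2.0):
    """Send one SYN (via connect) and return RESET, DROPPED or ACCEPTED."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return ACCEPTED
    except ConnectionRefusedError:
        # The peer answered the SYN with a TCP RST.
        return RESET
    except socket.timeout:
        # No SYN/ACK and no RST within the timeout: the SYN was discarded.
        return DROPPED
    finally:
        sock.close()


def interpret(verdict):
    """Translate a probe verdict into what it implies about reject-unmatched."""
    return {
        RESET: "reject-unmatched appears enabled (RST returned)",
        DROPPED: "reject-unmatched appears disabled, or an upstream filter drops the SYN",
        ACCEPTED: "a listener matched; pick a port with no virtual server to test the default action",
    }[verdict]


def demo_local():
    """Constructed loopback check: one listening port and one closed port.

    Returns the two verdicts; loopback cannot produce DROPPED, so that case
    is only reachable against a real BIG-IP (or a dropping firewall).
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # Reserve a port, then release it so the kernel has nothing bound there:
    # a SYN to it gets an immediate RST, the same thing the client sees when
    # the BIG-IP rejects an unmatched packet.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Placeholder usage: python probe.py <bigip-address> <unmatched-port>
        result = probe(sys.argv[1], int(sys.argv[2]))
        print(f"{result}: {interpret(result)}")
    else:
        open_verdict, closed_verdict = demo_local()
        print(f"listening port -> {open_verdict}, closed port -> {closed_verdict}")
```

Run it twice against the same unmatched destination, once with reject-unmatched enabled and once with it disabled, and the verdict should flip from "reset" to "dropped"; if it stays "dropped" with the setting enabled, look for a filter in the path before blaming the BIG-IP.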

2 REPLIES


Wasfi_Bounni
Cirrostratus

Thank you Crodriguez.