Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

Can the default deny action be changed from drop to reset

Wasfi_Bounni
Cirrostratus
Cirrostratus

Hi;

 

Since the F5 LTM is a default deny device, my understanding is that the deny action is a "drop" action. Can this behaviour be changed to make the default deny action a "Reset" action?

 

Kindly

Wasfi

1 ACCEPTED SOLUTION

crodriguez
Legacy Employee
Legacy Employee

Hi, Wasfi,

 

In reading on LTM global settings, the traffic-control reject-unmatched setting is what controls this behavior. When enabled, which is the default, the system returns a TCP RESET or ICMP_UNREACH packet if no virtual servers on the system match the destination address of the incoming packet. When this option is disabled, the system silently drops the unmatched packet. You can list this setting from the TMOS Shell (TMSH) as follows:

 

(tmos)# list /ltm global-settings traffic-control reject-unmatched

 

View solution in original post

2 REPLIES 2

crodriguez
Legacy Employee
Legacy Employee

Hi, Wasfi,

 

In reading on LTM global settings, the traffic-control reject-unmatched setting is what controls this behavior. When enabled, which is the default, the system returns a TCP RESET or ICMP_UNREACH packet if no virtual servers on the system match the destination address of the incoming packet. When this option is disabled, the system silently drops the unmatched packet. You can list this setting from the TMOS Shell (TMSH) as follows:

 

(tmos)# list /ltm global-settings traffic-control reject-unmatched

 

Wasfi_Bounni
Cirrostratus
Cirrostratus

Thank you Crodriguez.