2. SYN Cookie: Operation

When SYN cookie is activated, regardless the type of the virtual server, BIG-IP needs to work in a full proxy mode for the initial TCP 3WHS with client in order to confirm that it is not an attacker. This means that BIG-IP will first handle SYN Cookie TCP handshake with client, and once BIG-IP confirms client is legitimate it will start a second TCP 3WHS with the server.

SYN Cookie works in the same way for Standard or FastL4 virtual server, so it can work with FastL4 virtual servers as well. If this is the case BIG-IP modifies traditional FastL4 behaviour by disallowing direct initial TCP 3WHS negotiation between client and server, instead it will work as a typical Standard virtual server, but only for the initial TCP 3WHS.

Note that FasL4 profile goal is accelerating the connection traffic between client and server (not for accelerating TCP 3WHS) by offloading eligible flows to the ePVA chip for acceleration. So once client is confirmed as legitiate then rest of the traffic for the connection will behaves as expected for a FastL4 virtual server.