
Michael_107360
Feb 10, 2017

Fastl4 TCP Profile Best Practice

Fastl4 TCP Profile Recommendations:

 

I have seen conflicting recommendations concerning the Forwarding Virtual Server and the settings for the TCP Fastl4 profile. The goal is to do nothing more than emulate a router, as the LTM is the default gateway for the internal VLAN.

 

Specifically best practice for these 2 parameters:

 

loose-close enabled
loose-initialization enabled

 

Current Hardware: Viprion 2250
Current Software: 11.5.4

 

Current Configuration:

ltm profile fastl4 tcp_fastl4 {
    app-service none
    defaults-from fastL4
    idle-timeout 300
    loose-close enabled
    loose-initialization enabled
    reset-on-timeout disabled
}

 

3 Replies

  • It really depends on how you want the BigIP to handle non-SYN packets. If you have loose initialization enabled, and we get a PSH, ACK out of the blue with no connection in the connection table, we will forward that packet on.

     

    If you disable loose initialization, that same PSH, ACK will either be dropped or reset depending on your settings (by default we should reset).

     

    Basically if you want the BigIP to just push packets around without paying much attention to what's in them, loose initialization and loose close will do that for you. Note that you lose a lot of the functionality that makes the BigIP cool by doing this.

     

  • In general, for forwarding-type Virtual Servers (which act as mere routers), you do not need any advanced functionality. So your current configuration is better than the default settings.

     

    It makes your BigIP transparent/non-intrusive in terms of idle timeout enforcement. It's also better from a memory-use perspective. One notable drawback is that it doesn't align well with AFM module. You couldn't apply any ACL rules to this VS while retaining the stateless behavior. AFM is strictly stateful.

     

  • I don't understand the "doesn't align well with AFM module. You couldn't apply any ACL rules to this VS while retaining the stateless behavior. AFM is strictly stateful."

     

    I have all my IP Forwarder VSs with FastL4 with these set:

     

    loose-close enabled
    loose-initialization enabled

     

    ACLs are attached to all of them. They all seem to work. Am I missing something?

     

    running version 12.1.1
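
An added example, not part of the thread and not F5 tooling: a small audit that parses `ltm profile fastl4` stanzas like the one in the question and lists every profile whose effective settings, after following `defaults-from`, leave `loose-initialization` or `loose-close` enabled. The built-in `fastL4` values in `BUILTIN` are an assumption to confirm on your version, and the `fwd_child` and `strict_fwd` profiles are constructed for illustration.

```python
import shlex

# Assumption: values of the built-in parent profile; confirm on your version.
BUILTIN = {"fastL4": {"loose-initialization": "disabled", "loose-close": "disabled"}}
LOOSE = ("loose-initialization", "loose-close")

# First stanza is the profile from the question; the other two are constructed.
SAMPLE = """
ltm profile fastl4 tcp_fastl4 { app-service none defaults-from fastL4 idle-timeout 300 loose-close enabled loose-initialization enabled reset-on-timeout disabled }
ltm profile fastl4 /Common/fwd_child {
    defaults-from /Common/tcp_fastl4
    loose-close disabled
}
ltm profile fastl4 strict_fwd { defaults-from fastL4 }
"""

def short(name):
    """Drop a partition prefix such as /Common/."""
    return name.rsplit("/", 1)[-1]

def parse_fastl4(text):
    """Return {profile: {key: value}} for each 'ltm profile fastl4' stanza."""
    toks, profiles, i = shlex.split(text, comments=True), {}, 0
    while i < len(toks):
        if toks[i:i + 3] == ["ltm", "profile", "fastl4"] and toks[i + 4:i + 5] == ["{"]:
            name, body, i = short(toks[i + 3]), {}, i + 5
            while i + 1 < len(toks) and toks[i] != "}":
                body[toks[i]] = toks[i + 1]   # flat key/value pairs only
                i += 2
            profiles[name] = body
        i += 1
    return profiles

def effective(name, profiles, seen=()):
    """Resolve the loose-* settings through the defaults-from chain."""
    if name in seen:
        raise ValueError(f"defaults-from loop at {name}")
    own = profiles[name] if name in profiles else BUILTIN.get(name)
    if own is None:
        raise KeyError(f"unknown parent profile {name}")
    parent = short(own.get("defaults-from", ""))
    base = effective(parent, profiles, seen + (name,)) if parent not in ("", "none") else {}
    return {**base, **{k: own[k] for k in LOOSE if k in own}}

def audit(text):
    """List (profile, setting, origin) for every loose setting that is enabled."""
    profiles, findings = parse_fastl4(text), []
    for name, own in profiles.items():
        eff = effective(name, profiles)
        findings += [(name, k, "explicit" if k in own else "inherited")
                     for k in LOOSE if eff.get(k) == "enabled"]
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

The "inherited" origin matters for review: a child profile that never mentions `loose-initialization` can still forward non-SYN packets with no connection entry because its parent enables it.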