Forum Discussion

mayub
Sep 20, 2019

F5 Traffic Policy - ignore action

Hi all,

When configuring policies in BIG-IP, if I set a match and then leave the action as ignore, what will this do?

For my policy I want to drop, NOT reset, the packets if the HTTP host does not contain a specific string.

Does ignore mean that it will ignore the packet and drop it, or ignore it and let it pass?

I have looked around and can't find any documentation that provides this info.

Side note - I set my location as US when I signed up but now I can't change it. Not a biggie, but can a mod change it to UK?

5 Replies

  • Hi mayub,

    Ignore: Applies no actions to the rule.

    If the hostname is sub.domain.com, no action runs.

    Note: If the policy strategy is "Execute the first matching rule", and the request matches my_rule, other rules below my_rule in the policy will not run.

  • mayub

    Thanks, is there a way to just get it to drop packets without responding? Or do you need to use the firewall functionality for something like that?

  • mayub

    Thanks - I thought the reset sends a reset packet back to the origin?

  • B_Ott

    Late to the party, but just in case someone else needs this info.

    A "Reset traffic" action should send a Reset packet back to the client, forcibly closing the connection.

    A point to note, however, is that once you are into policy processing you have already completed the 3-way TCP handshake. Simply dropping the packet instead of sending a reset could cause you problems with resource starvation on your firewall and possibly the F5 (depending on your network configuration, load and hardware).

    This is because a stateful firewall (most modern firewalls are stateful) is actively monitoring the status of every connection, and uses onboard resources to store the connection information. When your firewall sees a reset packet it knows the connection is closed and can free up the resources for the next connection.

    Without a reset, the firewall will have to wait for the connection timeout before closing the connection and freeing up that resource.

    Dropping the packet instead of resetting the connection could make you more vulnerable to a DoS attack caused by resource starvation.

    It is also possible the F5 itself would hold the connection open, consuming resources, if you drop at this point instead of resetting, but the F5 engineers would need to confirm because I haven't checked myself.
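The two-rule, first-match policy described in the first reply, combined with the Reset action that B_Ott recommends over a silent drop, written out as an added tmsh example. This is not configuration from any poster in the thread. It assumes a BIG-IP running 12.1 or later (where policies are created under Drafts/ and then published), a virtual server named my_vs, and example.com as the string the Host header is expected to contain; the policy and rule names are placeholders.

```tmsh
# Added example, not from the thread. Assumptions: BIG-IP 12.1+ tmsh,
# an existing virtual server my_vs, and example.com as the expected Host
# string. Names host_filter, allow_expected_host and reset_all_others
# are placeholders.

# Create the draft policy with the "Execute the first matching rule" strategy.
create ltm policy Drafts/host_filter strategy first-match

# Rule 1 (ordinal 1): a request whose Host header contains the expected
# string matches here. The rule has conditions but no actions, which is
# the "Ignore" case: nothing is applied, and because the strategy is
# first-match, rule 2 is never evaluated for this request.
modify ltm policy Drafts/host_filter rules add { allow_expected_host { ordinal 1 conditions add { 0 { http-host host contains values { example.com } } } } }

# Rule 2 (ordinal 2): no conditions, so it catches everything rule 1 did
# not. "forward reset" sends a TCP RST, so the client and any stateful
# firewall in the path can release the connection state immediately rather
# than holding it until an idle timeout, which is the resource-starvation
# concern raised above.
modify ltm policy Drafts/host_filter rules add { reset_all_others { ordinal 2 actions add { 0 { forward reset } } } }

# Publish the draft and attach the published policy to the virtual server.
publish ltm policy Drafts/host_filter
modify ltm virtual my_vs policies add { host_filter }

# Review the resulting policy object.
list ltm policy host_filter
```

Rule order is what makes this work: under first-match, the matching request stops at the empty "Ignore" rule, and only non-matching requests fall through to the reset. If the strategy were changed to "Execute all matching rules", rule 2 would also fire for the allowed hosts, so check `list ltm policy host_filter` shows `strategy first-match` after publishing.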