Manual Chapter: Managing Eviction Policies

Applies To:

BIG-IQ Centralized Management

  • 5.4.0

Eviction policy overview

An eviction policy provides the BIG-IP® device with guidelines for how aggressively it discards flows from the flow table. You can customize the eviction policy to prevent flow table attacks, in which a large number of slow flows are used to negatively impact system resources. In an eviction policy, you can also set the way that the system responds to such flow problems. You can attach eviction policies globally, to route domains, and to virtual servers, which lets you protect the system, applications, and network segments with a high level of customization.
Note: For more information on how BIG-IP devices use eviction policies, refer to the BIG-IP system reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP AFM module and the software version you have installed; then select the appropriate guide. For example, information about the eviction policy parameters for BIG-IP version 13.0 is provided in the BIG-IP Network Firewall: Policies and Implementations, Version 13.0 guide in the Preventing Attacks with Eviction Policies and Connection Limits chapter.

Create a new eviction policy

You can create a new eviction policy that provides guidelines to determine how aggressively your BIG-IP® devices discard flows from the flow table.

  1. At the top of the screen, click Configuration, and then, on the left, click LOCAL TRAFFIC > Eviction Policies.
    The Eviction Policies screen displays a list of the eviction policies that are defined on this device.
  2. Click Create.
    The New Eviction Policy screen opens, so that you can specify settings for a new policy.
  3. In the Name field, type in a name for the eviction policy you are creating.
  4. Specify the additional settings needed for this eviction policy.
    Name is the only required parameter when you specify a new eviction policy. The remaining parameters on this screen are optional and perform the same function as they do when you configure an eviction policy on a BIG-IP® device.
    Note: For details about the purpose or function of a particular setting, refer to the BIG-IP system reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP AFM module and the software version you have installed; then select the appropriate guide. For example, information about the eviction policy parameters for BIG-IP version 13.0 is provided in the BIG-IP Network Firewall: Policies and Implementations, Version 13.0 guide in the Preventing Attacks with Eviction Policies and Connection Limits chapter.
  5. Click Save & Close.

Manage eviction policies and general settings

You can use BIG-IQ® to manage the settings for an existing policy and to apply eviction policies to any managed device. Eviction policies establish guidelines for how aggressively a BIG-IP® device discards flows from the flow table.

  1. At the top of the screen, click Configuration, and then, on the left, click LOCAL TRAFFIC > General Settings.
    The General Settings screen displays a list of the devices that are managed by this device.
  2. Under Device, select the name of the device for which you want to manage eviction policies or general settings.
    The properties screen opens, so that you can specify the policy or general settings you want.
  3. For the Eviction Policy setting, select the policy you want to use for this device.
  4. If this device is running BIG-IP version 13.0.0 or later, you can revise the settings for SYN check threshold and SYN Cookie protection.
    Note: For details about the purpose or function of a particular setting, refer to the BIG-IP system reference information on support.f5.com. From the BIG-IP Knowledge Center, select the BIG-IP AFM module and the software version you have installed; then select the appropriate guide. For example, information about the SYN check and SYN threshold parameters for BIG-IP version 13.0 is provided in the BIG-IP Systems: Protecting against SYN Flood Attacks, Version 13.0 guide.
  5. Click Save & Close.