Deny - Drop - Reject
I'm still looking for a solution to a long-lasting problem.
We want internal hosts to be notified immediately if a connection attempt to the outside world is being blocked, to avoid timeout problems.
For this we have a "TCP" rule with action "Denied (send reset)" at the end of the rule set ("Auto-Order Mode" disabled).
We can see from "Traffic Monitor" that the rule hits, however there is still a delay of about 15 seconds until the client recognizes that the connection is denied.
This can easily be verified by using telnet and opening a "blocked" port on an internet host.
Doing the same with an internal server on the same network segment, on a port with no service listening, we get an immediate response. The same works with no delay when using iptables on a Linux box.
How can we get this behaviour and what is the reason for the delay when doing this with a Firebox?
Thanks for your suggestions.
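One way to measure what the post describes, as an added example that is not part of the original post and not a WatchGuard tool: a small Python probe that opens a TCP connection, times how long the attempt takes to fail, and classifies the outcome. A rule that really sends a TCP RST shows up as "refused" within milliseconds (the same behaviour as the closed port on the internal server mentioned above); a silent drop runs to the full timeout; anything in between points at something delaying or swallowing the reset on the path. The host, port and timeout values are assumptions for the demo; the stand-alone run below probes a loopback port with no listener, which is constructed to behave like an immediate reset.

```python
import errno
import socket
import time


def probe_tcp(host, port, timeout=20.0):
    """Attempt a TCP connect and classify how the attempt ended.

    Returns (verdict, elapsed_seconds). Verdicts:
      'connected'   - handshake completed, something is listening
      'refused'     - a TCP RST came back (peer or a reset-on-deny firewall rule);
                      the OS reports ECONNREFUSED almost immediately
      'timeout'     - neither SYN-ACK nor RST within `timeout`: the SYN was
                      silently dropped somewhere on the path
      'unreachable' - ICMP host/network unreachable was received
      'error:<name>' - any other socket error
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        verdict = "connected"
    except socket.timeout:
        verdict = "timeout"
    except OSError as exc:
        if exc.errno == errno.ECONNREFUSED:
            verdict = "refused"
        elif exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            verdict = "unreachable"
        else:
            verdict = "error:" + errno.errorcode.get(exc.errno, str(exc.errno))
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def pick_closed_local_port():
    """Constructed for the demo: bind an ephemeral loopback port, release it,
    and return its number. With nothing listening there, a connect attempt is
    answered by a RST from the local stack, i.e. an immediate 'refused'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Baseline: closed loopback port, expected to be refused in well under a second.
    port = pick_closed_local_port()
    verdict, elapsed = probe_tcp("127.0.0.1", port, timeout=5.0)
    print(f"127.0.0.1:{port} -> {verdict} after {elapsed:.3f}s")
    # To check a firewall rule, point probe_tcp() at an external host and a port
    # the rule is expected to deny (assumed values; replace with your own):
    #   probe_tcp("192.0.2.10", 25, timeout=30.0)
    # 'refused' after milliseconds means the RST reaches the client; 'timeout'
    # means the SYN is dropped; a 'refused' that arrives only after many seconds
    # means the reset is being delayed or retransmissions are being answered late.
```

Run it first against the loopback baseline, then against the external host and port the deny rule covers, and compare the elapsed times; a packet capture on the client while the probe runs will show whether the RST is absent, late, or present but ignored.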