F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Egrebeld's avatar
Egrebeld
Icon for Nimbostratus rankNimbostratus
Apr 20, 2021

BIG IP 13.X How to prevent an answer on port scanning

Hi,   Actually, I have one 2 VS. One listening on port 80 with an LTM policy to redirect the traffic on the second VS listening on port 443. I'm looking for a solution to prevent the F5 to answer...
BIG-IP
LTM
security
spalande's avatar
spalande
Icon for Nacreous rankNacreous
Apr 20, 2021

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool.

Using data-group

when CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals scanner_ip] } {
     reject
       } else {
	 return  
	   }
    }

Using IP-address within the iRule

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals <scannerip> ] } {
     reject
       } else {
	 return  
	   }
    }
  • Egrebeld's avatar
    Egrebeld
    Icon for Nimbostratus rankNimbostratus
    Apr 22, 2021

    In this case, how the F5 knows that this a legitimate request and not a port scan ?

    • spalande's avatar
      spalande
      Icon for Nacreous rankNacreous
      Apr 22, 2021

      well, you need to explicitly add IP addresses of scanning tool in the data group "scannerip" or define in the iRule itself.