Forum Discussion

Nimbostratus

Apr 20, 2021

BIG IP 13.X How to prevent an answer on port scanning

Hi, Actually, I have one 2 VS. One listening on port 80 with an LTM policy to redirect the traffic on the second VS listening on port 443. I'm looking for a solution to prevent the F5 to answer...

Nacreous

Apr 20, 2021

You can attach iRule to HTTP VIP to reject the traffic coming from the scanning tool.

Using data-group

when CLIENT_ACCEPTED {
 if { [class match [IP::client_addr] equals scanner_ip] } {
     reject
       } else {
	 return  
	   }
    }

Using IP-address within the iRule

when CLIENT_ACCEPTED {
  if { [IP::addr [IP::client_addr] equals <scannerip> ] } {
     reject
       } else {
	 return  
	   }
    }

Egrebeld
Nimbostratus
Apr 22, 2021
In this case, how the F5 knows that this a legitimate request and not a port scan ?
- spalande
  Nacreous
  Apr 22, 2021
  well, you need to explicitly add IP addresses of scanning tool in the data group "scannerip" or define in the iRule itself.