Forum Discussion
> Does this log entry reflect the "client" address as well as the VIP/port that the connection was attempting?
No - tm.maxrejectrate is a global limit across all tmms. If HTSplit is enabled, tm.maxrejectrate is doubled.
K13151: Configuring the rate at which the BIG-IP system issues TCP RSTs or ICMP unreachable packets
> Note: Due to way the HTSplit feature dedicates and prioritizes resources when enabled, the value configured for the tm.maxrejectrate key is doubled on platforms with Hyper-Threading (HT) Technology. If the value of the tm.maxrejectrate key is set to 250, log messages indicate responses are limited to 500 packets/sec.
> We currently have a VIP that answers on all ports but are working to restrict to specific ports, but would like to have evidence or alerts if a port scan or DDoS event is occurring.
You would need an iRule that records requests to non-active ports and places the source IP and scanned ports into a subtable, to track whether that IP is probing multiple ports within a specified time period.
Or use AFM, which almost certainly has the requisite DoS/DDoS functionality, as well as port access lists for restricting access and logging rules if required.
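An added example, not from the thread or from F5's documentation, of the subtable-based iRule the reply above sketches: the allowed port list, the thresholds, the subtable names and the use of a catch-all virtual server are assumptions.

```tcl
# Added example (not from the original thread): an iRule that records, per
# source IP, which non-service ports a client touches on a catch-all virtual
# server and logs once when the distinct-port count crosses a threshold.
# Assumptions: the allowed service ports are listed in static::allowed_ports,
# the thresholds below are illustrative, and the virtual server is the
# all-ports VIP the question describes.
when RULE_INIT {
    # Ports the VIP legitimately serves; anything else is treated as a probe.
    set static::allowed_ports {80 443}
    # Distinct probed ports from one source before an alert is logged.
    set static::scan_threshold 5
    # Seconds a recorded probe stays in the subtable (the observation window).
    set static::scan_window 60
}

when CLIENT_ACCEPTED {
    set src  [IP::client_addr]
    set port [TCP::local_port]

    if { [lsearch -exact $static::allowed_ports $port] >= 0 } {
        # Legitimate service port: nothing to record.
        return
    }

    # One subtable per source IP; each key is a probed port. The entry expires
    # after scan_window seconds whether or not it is touched again.
    table set -subtable "portscan:$src" $port 1 indefinite $static::scan_window

    # Count distinct non-service ports seen from this source inside the window.
    set probed [table keys -subtable "portscan:$src" -count]

    if { $probed >= $static::scan_threshold } {
        # Log once per window by keeping a marker entry in a second subtable.
        if { [table lookup -subtable "portscan-alerted" $src] eq "" } {
            table set -subtable "portscan-alerted" $src 1 indefinite $static::scan_window
            log local0.warn "Possible port scan from $src: $probed distinct non-service ports in ${static::scan_window}s (last $port)"
        }
    }

    # Close the probe connection; the RST is subject to tm.maxrejectrate.
    reject
}
```

The log line lands in /var/log/ltm, where an external collector or AFM logging profile can pick it up for alerting.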