Forum Discussion

Pooja_Varekar208
Dec 23, 2024
Solved

ports are showing open on online scanning tool

In our case, the F5 sits as the front-facing device; both links are terminated on the F5 device, and incoming and outgoing traffic goes through our F5 DNS.


Incoming:  Client-->F5-->SW-->FW-->DMZ

Outgoing:  DMZ-->FW-->SW-->F5-->Client


We have enabled port lockdown “Allow none” for the self IP, so we are concerned about why these ports are showing open on the online scanning tool.

Could you please confirm: do we need to implement any additional policies to block all ports for the public IP?


Thanks,

Pooja


  • Hello Team,

    We have raised an F5 case for this issue, and the F5 internal team found some logs and a TCP half-open (SYN cookie) vector which might be causing this issue, related to the AFM module. To isolate the issue, they suggested upgrading the tenant to the latest 17.1.1.4 (stability release) and F5OS to at least 1.5.2. After upgrading the tenant to version 17.1.1.4 and F5OS to version 1.5.2, the issue has been resolved.

  • If ports are showing as open in an online scanning tool, it typically means that the system you're scanning (whether it's a server, network, or device) is accepting incoming connections on those ports. This could indicate potential security risks or might be necessary depending on the services you're running on the system. Here's how to handle this situation:

    Steps to Consider:

    1. Identify Open Ports and Services:
      • Review the ports that are open. Commonly open ports include 80 (HTTP), 443 (HTTPS), 22 (SSH), 21 (FTP), etc.
  • Pooja_Varekar208 Are you positive you have "Allow none" on the public-facing self and floating IPs? Are you positive that you have not configured a Virtual Server (VS) with either the floating or self IP? Other than those two items for LTM, you shouldn't be listening on any particular port on the public-facing self or floating IP. Can you share the scan results?

    • Pooja_Varekar208

      Paulius, thanks for your reply. As you mentioned, in our scenario, one condition is met: the self IP is configured as a virtual server. To resolve this, can we change the self IP during downtime?

      • Nizar

        Hi Pooja, I still don't get it. So you mean that you use the self IP as a VIP? Or you use one segment of the self IP as your VIP?
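The two checks Paulius asks about (self IPs not on "Allow None", and a virtual server bound to a self or floating IP address) can be audited offline from saved `tmsh list net self` and `tmsh list ltm virtual` output. The script below is an added example, not code from the thread or from F5; the tmsh text it parses is constructed with RFC 5737 addresses and follows the usual tmsh layout, and it handles IPv4 destinations only.

```python
import re

# Constructed tmsh output (not from the thread): ext_self is still on "Allow Default" and vs_on_selfip is bound to it.
SELF_IPS = """\
net self ext_self {
    address 203.0.113.10/24
    allow-service {
        default
    }
}
net self ext_float {
    address 203.0.113.11/24
    allow-service none
}
"""
VIRTUALS = """\
ltm virtual vs_on_selfip {
    destination /Common/203.0.113.10:https
}
ltm virtual vs_public {
    destination /Common/203.0.113.50:443
}
"""

def parse_self_ips(text):
    """Map self IP name -> (address, allow-service setting) from `tmsh list net self`."""
    out = {}
    for m in re.finditer(r"net self (\S+) \{(.*?)\n\}", text, re.S):
        body = m.group(2)
        svc = re.search(r"allow-service (\S+)", body).group(1)
        if svc == "{":  # brace form: { default } or { tcp:ssh tcp:https ... }
            svc = " ".join(re.search(r"\{(.*?)\}", body, re.S).group(1).split())
        out[m.group(1)] = (re.search(r"address ([^/\s]+)", body).group(1), svc)
    return out

def parse_virtuals(text):
    """Map virtual server name -> destination IP, stripping the /Common/ prefix and :port."""
    out = {}
    for m in re.finditer(r"ltm virtual (\S+) \{(.*?)\n\}", text, re.S):
        dest = re.search(r"destination (\S+)", m.group(2)).group(1)
        out[m.group(1)] = dest.rsplit("/", 1)[-1].rsplit(":", 1)[0]
    return out

def audit(self_text, vs_text):
    """Findings: self IPs not locked to 'Allow None', and virtuals listening on a self IP."""
    selfs = parse_self_ips(self_text)
    findings = [f"{n} ({a}): allow-service is '{s}', not none"
                for n, (a, s) in selfs.items() if s != "none"]
    by_addr = {a: n for n, (a, _) in selfs.items()}
    findings += [f"virtual {v} listens on self IP {by_addr[ip]} ({ip})"
                 for v, ip in parse_virtuals(vs_text).items() if ip in by_addr]
    return findings
```

Replace the two constructed strings with real output captured from the unit and print `audit(...)`; an empty list means both of Paulius's conditions are satisfied, and any remaining open port then needs a different explanation (such as the AFM SYN-cookie issue the accepted answer describes).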