Portscan detected from f5 snatpool?

Question

Hi Guys,So we have a security incident in wich a portscan is detected coming from our f5 snatpool towards another specifiek machine. Is there any logging i can check to see from which machine the portscan was initiated? I am not f5 expert so bear with me please 🙂Thank you.

dario_garrido · Answer

Hello Zero27351.
If the connection is currently active, you could check the connections table to figure out the origin.
show sys connection ss-client-addr &lt;SNAT_IP&gt;
&nbsp;

zero27351 · Answer

Hi Dario,Thanks! Ill give it a try once we see it happening again. There is otherwise no logging which i can check to figure out the origin adres?Kr,Zero.

dario_garrido · Answer

Hello Zero27351.
There are no records for old flows, but you can create an iRule for logging those sessions and apply it to the VS. Or even better, create a Request-Logging profile.
Logging connections using High Speed Logging
https://github.com/DariuSGB/F5_iRules/blob/master/HSL_Logging.tcl
Request logging profile
https://support.f5.com/csp/article/K00847516
In both cases, I recommend you send those logs to an external device, to not affect the local system performance.
&nbsp;

Forum Discussion

Portscan detected from f5 snatpool?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

JA4 Part 2: Detecting and Mitigating Based on Dynamic JA4 Reputation

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

Operationlizing Online Fraud Detection, Prevention, and Response

Detect and stop exfiltration attempts with F5 Distributed Cloud App Infrastructure Protection

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS