Forum Discussion
AltostratusPortscan detected from f5 snatpool?
Hi Guys,
So we have a security incident in wich a portscan is detected coming from our f5 snatpool towards another specifiek machine. Is there any logging i can check to see from which machine the portscan was initiated? I am not f5 expert so bear with me please ๐
Thank you.
3 Replies
Dario_GarridoNoctilucent
Hello Zero27351.
If the connection is currently active, you could check the connections table to figure out the origin.
show sys connection ss-client-addr <SNAT_IP>
Zero27351Hi Dario,
Thanks! Ill give it a try once we see it happening again. There is otherwise no logging which i can check to figure out the origin adres?
Kr,
Zero.
- Dario_Garrido
Hello Zero27351.
There are no records for old flows, but you can create an iRule for logging those sessions and apply it to the VS. Or even better, create a Request-Logging profile.
Logging connections using High Speed Logging
https://github.com/DariuSGB/F5_iRules/blob/master/HSL_Logging.tcl
Request logging profile
https://support.f5.com/csp/article/K00847516
In both cases, I recommend you send those logs to an external device, to not affect the local system performance.
