Forum Discussion

Altostratus

Apr 20, 2022

Portscan detected from f5 snatpool?

Hi Guys, So we have a security incident in wich a portscan is detected coming from our f5 snatpool towards another specifiek machine. Is there any logging i can check to see from which machine the...

devops

security

Dario_Garrido

Noctilucent

Apr 20, 2022

Hello Zero27351.

If the connection is currently active, you could check the connections table to figure out the origin.

show sys connection ss-client-addr <SNAT_IP>

Zero27351
Altostratus
Apr 20, 2022
Hi Dario,
Thanks! Ill give it a try once we see it happening again. There is otherwise no logging which i can check to figure out the origin adres?
Kr,
Zero.
- Dario_Garrido
  Noctilucent
  Apr 21, 2022
  Hello Zero27351.
  
  There are no records for old flows, but you can create an iRule for logging those sessions and apply it to the VS. Or even better, create a Request-Logging profile.
  
  Logging connections using High Speed Logging
  
  https://github.com/DariuSGB/F5_iRules/blob/master/HSL_Logging.tcl
  
  Request logging profile
  
  https://support.f5.com/csp/article/K00847516
  
  In both cases, I recommend you send those logs to an external device, to not affect the local system performance.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Portscan detected from f5 snatpool?

Jeff - May 2026 Featured F5er

AppWorld Berlin 2026 – iRules Contest Winning Results

One Quick Step to Make your website AI-Agent/MCP Ready with an iRule

Recent Discussions

certitcate error

Disk capacity on F5 rSeries

Sync error because Default logging profile and Custom profile both use local logging.

APM URL encoding Hardening?

signature in pre_inspection and client_data payload

Related Content

LLM Prompt Injection Detection & Enforcement

WS-Shield: WebSocket Abuse Detection & Adaptive Enforcement Gateway

F5 Distributed Cloud JA4 detection for enhanced performance and detection

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS